On Wed, Jul 4, 2018 at 4:53 PM Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
> ... Client negotiates non-PFS pure-RSA and ignores PFS DHE ...

How is the client doing any of this? The server picks the cipher suite.

> Least broken browser: Firefox (at least for the last proper version they
> released)

Newer versions might not have DHE, which I hope is consistent with your expectations. But we haven't started on those plans. As of the latest version, things should be the same - extensions shouldn't affect whether connections work.

The problem with DHE, of course, is that it uses the TLS 1.0 suites with the SHA-1 MAC and with the MAC and encrypt in the wrong order. And that it is subject to small subgroup attacks from the server unless it negotiates the FFDHE extension.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
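The small-subgroup point in the message above is the difference between a client that knows the DHE group in advance (the RFC 7919 FFDHE groups) and one that is handed an arbitrary (p, g, Ys) by the server. The following is an added example, not code from the thread, from Firefox/NSS or from any TLS stack: a stand-alone Python sketch of the checks a client can apply to a server's DHE share. The ffdhe2048 modulus is rebuilt from the formula in RFC 7919 rather than pasted as hex; the function names, the problem strings and the toy 17-bit modulus used to show a non-safe prime are all this example's own choices.

```python
"""
Added example (not part of the TLS-list thread): client-side sanity checks on
a server's DHE share (p, g, Ys).

- With an RFC 7919 ffdhe group the client already knows p is a safe prime, so
  it only has to confirm Ys lies in the order-q subgroup.
- With an arbitrary server-supplied group the client must first establish that
  p is a large safe prime, otherwise p-1 may have small factors and Ys may sit
  in a tiny subgroup, which is the small-subgroup problem the message refers to.
Standard library only.
"""
from decimal import Decimal, getcontext
import secrets


def ffdhe2048_prime() -> int:
    """Reconstruct the RFC 7919 ffdhe2048 modulus from its defining formula:
       p = 2^2048 - 2^1984 + (floor(2^1918 * e) + 560316) * 2^64 - 1."""
    getcontext().prec = 800                                  # ample digits for floor(2^1918 * e)
    e_scaled = int(Decimal(2) ** 1918 * Decimal(1).exp())    # int() truncates, i.e. floor() here
    return 2**2048 - 2**1984 + (e_scaled + 560316) * 2**64 - 1


FFDHE2048 = ffdhe2048_prime()
# Groups a FFDHE-aware client would accept without re-deriving their properties.
KNOWN_SAFE_PRIMES = frozenset({FFDHE2048})


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin with random bases; sufficient to reject a hostile modulus."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_dh_share(p: int, g: int, ys: int, min_bits: int = 2048) -> list[str]:
    """Return the problems found with a server's (p, g, Ys); an empty list means accept."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"modulus is only {p.bit_length()} bits")
    if p in KNOWN_SAFE_PRIMES:
        safe = True                       # negotiated group: structure is known a priori
    else:
        if not is_probable_prime(p):
            return problems + ["modulus is composite"]
        safe = is_probable_prime((p - 1) // 2)
        if not safe:
            problems.append("modulus is not a safe prime: p-1 has small factors, so small subgroups exist")
    if not (1 < g < p - 1):
        problems.append("generator out of range")
    if not (1 < ys < p - 1):
        problems.append("public value has order 1 or 2")
    elif safe and pow(ys, (p - 1) // 2, p) != 1:
        # For a safe prime the only proper subgroups are {1}, {1, p-1} and the
        # order-q group of quadratic residues; a legitimate share lands in the last.
        problems.append("public value is not in the order-q subgroup")
    return problems


if __name__ == "__main__":
    q = (FFDHE2048 - 1) // 2
    honest = pow(2, 2 + secrets.randbelow(q - 2), FFDHE2048)
    print("ffdhe2048, honest share:", validate_dh_share(FFDHE2048, 2, honest))
    print("ffdhe2048, Ys = p-1:    ", validate_dh_share(FFDHE2048, 2, FFDHE2048 - 1))
    # Constructed hostile group: 65537 is prime but 65536 = 2^16, so every
    # element has tiny order (2 itself has order 32 mod 65537).
    print("p = 65537, Ys = 2:      ", validate_dh_share(65537, 2, 2))
```

The `KNOWN_SAFE_PRIMES` branch is what negotiating an FFDHE group buys: the expensive and only probabilistic safe-prime test disappears, and the remaining check is a single exponentiation. Without it the client has to run both primality tests on every handshake with an unfamiliar group, or accept the group on faith.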