On Wed, 2018-07-04 at 11:15 +0300, Ilari Liusvaara wrote:
> On Wed, Jul 04, 2018 at 07:57:41AM +0000, Peter Gutmann wrote:
> > Ilari Liusvaara <ilariliusva...@welho.com> writes:
> >
> > > More serious problem is servers returning too small modulus due lack of
> > > negotiation. Which was the reason why Chrome disabled DHE.
> >
> > Why not reject the handshake if the modulus is too small, rather than
> > disabling all DHE suites on the off chance that the server returns a value you
> > don't like?
>
> Chrome initially did that. It caused quite a lot of bad feedback from
> owners of various bad embedded stuff. The thread on relevant forums was
> quite something. Hundreds of messages blaming Google for breaking
> stuff.

We had a similar experience when we required a minimum of 2048-bit modulus for
all TLS connections in Fedora 28 beta irrespective of back-end lib. It broke
connections to VPN servers and internal web sites and we had to revert the
change.

The DHE ciphersuites under TLS1.2 seem doomed and RFC 7919 couldn't save them.

regards,
Nikos

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
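
The client-side check discussed in this thread (reject a DHE handshake whose modulus is below a floor), as an added example that is not code from any of the participants, Chrome, or Fedora. It assumes the TLS 1.2 `ServerDHParams` layout (three length-prefixed vectors: p, g, Ys); the function names and the sample inputs are hypothetical and constructed for illustration.

```python
import struct

MIN_DH_BITS = 2048  # floor taken from the message above; adjust to local policy

class DHParamsError(ValueError):
    """ServerDHParams is truncated or malformed."""

def _read_vec16(buf, off):
    # TLS opaque<1..2^16-1>: 2-byte big-endian length, then that many bytes.
    if off + 2 > len(buf):
        raise DHParamsError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise DHParamsError("bad vector length")
    return int.from_bytes(buf[off:off + n], "big"), off + n

def evaluate_server_dh(body, min_bits=MIN_DH_BITS):
    """Return (decision, modulus_bits) for a ServerDHParams byte string."""
    p, off = _read_vec16(body, 0)
    g, off = _read_vec16(body, off)
    ys, off = _read_vec16(body, off)
    # Measure the value, not the length field: leading zero bytes add no strength.
    bits = p.bit_length()
    if bits < min_bits:
        return "reject", bits
    if not (1 < ys < p - 1):  # standard range check on the server's public value
        return "reject", bits
    return "accept", bits

def build_sample(p, pad_to=None):
    # Constructed test input only; p is NOT a real prime or a real group.
    n = pad_to or (p.bit_length() + 7) // 8
    vec = lambda b: struct.pack("!H", len(b)) + b
    return vec(p.to_bytes(n, "big")) + vec(b"\x02") + vec(b"\x04")

if __name__ == "__main__":
    for label, body in [
        ("1024-bit", build_sample(2**1023 + 1)),
        ("1024-bit padded to 256 bytes", build_sample(2**1023 + 1, pad_to=256)),
        ("2048-bit", build_sample(2**2047 + 1)),
    ]:
        print(label, evaluate_server_dh(body))
```

Logging the measured bit length alongside the decision makes it possible to inventory which internal servers would fail before the floor is enforced.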