On Wed, 4 Jul. 2018, 18:42 Nikos Mavrogiannopoulos, <n...@redhat.com> wrote:
> We had similar experience when we required a minimum of 2048-bit
> modulus for all TLS connections in Fedora 28 beta irrespective of
> back-end lib. It broke connections to VPN servers and web internal web sites
> and we had to revert the change. The DHE ciphersuites under TLS1.2 seem
> doomed and rfc7919 couldn't save them.

It has been suggested that 7919 makes things worse.

We have minimum modulus size constraints and haven't had any reports of issues, but the limits are fairly low and we have a less diverse usage environment than Redhat. We're also unable to catch big values that aren't prime, or values with small subgroups. We end up trusting servers more than we might consider ok for a modern protocol. That isn't a massive problem in my view.

Of course, our recommendations don't change. Right now, that is to use TLS 1.3, or at least the configuration of TLS 1.2 that most closely resembles 1.3. The rest is stuff we merely tolerate for the sake of interoperability. Soon, I hope, we might be able to get rid of TLS 1.0 and 1.1, and these questions will be somewhat less interesting.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
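The gap between a minimum-size check and the primality and small-subgroup checks mentioned in the reply above, as an added example that is not part of the thread and not taken from any TLS stack. The function names, the `deep` flag and all sample parameters are assumptions constructed for illustration.

```python
import secrets

def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases, so a peer cannot pre-pick a pseudoprime."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)      # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                       # a witnesses that n is composite
    return True

def check_dhe_params(p, g, ys, min_bits=2048, deep=False):
    """Return problems found in server-supplied (p, g, Ys); empty list = accepted.

    deep=False models a client that only enforces a modulus size floor plus
    cheap range checks. deep=True adds the safe-prime test (p and (p-1)/2
    both prime), at the price of two primality tests per unknown group.
    """
    problems = []
    if p.bit_length() < min_bits:
        problems.append("modulus too small")
    if not 1 < g < p - 1:
        problems.append("generator out of range")
    if not 1 < ys < p - 1:
        problems.append("public value out of range")
    if deep and not problems:
        if not is_probable_prime(p):
            problems.append("modulus not prime")
        elif not is_probable_prime((p - 1) // 2):
            problems.append("small subgroups possible: (p-1)/2 not prime")
    return problems

# Constructed sample: a 2048-bit odd number that is divisible by 3.
COMPOSITE_2048 = 2**2047 + 1
```

A size-only policy returns no problems for `COMPOSITE_2048`, while `deep=True` rejects it; the toy primes 23 (safe) and 29 (not safe) show the small-subgroup branch when `min_bits` is lowered.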