On Fri, Jul 29, 2022 at 01:59:58PM +0000, Peter Gutmann wrote:
> An additional comment on this, a pretty straightforward solution is
> to use the TLS-LTS one:

Unfortunately, that does not work because it would require protocol modifications requiring coordinated updates to both clients and servers. Renego fix was over 12 years ago, and I still sometimes hit servers that have not fixed that.

I think the best current practices are:

Client side:
- Do not implement DH and ECDH.
- Disable DHE entirely.

Server side:
- Do not implement RSA kex.
- Prefer ECDHE to DHE.

No idea what is the best practice DHE size to use on server side if supported. Note that anything that does not support TLS 1.2 (since it can not connect) or supports ECDHE (since ECDHE is preferred) is irrelevant here. For 1024-bit, one wants custom group, for 2048-bit one wants ffdhe2048.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
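The closing advice above (ffdhe2048 for a 2048-bit server group) is easy to state and surprisingly easy to get wrong in a scanner or config review. The following is an added example, not code from the thread or from any of its participants: it derives the ffdhe2048 modulus from the formula RFC 7919 publishes for it, p = 2^2048 - 2^1984 + (floor(2^1918 * e) + 560316) * 2^64 - 1, rather than trusting a pasted hex constant, then uses it to classify the (p, g) pair a TLS 1.2 server sends in a DHE ServerKeyExchange. The ServerDHParams layout (three 2-byte-length-prefixed big-endian integers p, g, Ys, per RFC 5246 section 7.4.3) is the only wire format it parses; the sample message, the function names and the verdict strings are this example's own, and the Ys value in the sample is a dummy, not a real server's public value.

```python
"""Derive RFC 7919 ffdhe2048 from its formula and judge a DHE server group.

Added example for the thread above; not code from the list or its posters.
Formula (RFC 7919 Appendix A): p = 2^2048 - 2^1984 + ([2^1918 * e] + 560316) * 2^64 - 1.
Wire format (RFC 5246 7.4.3): ServerDHParams = dh_p, dh_g, dh_Ys, each <1..2^16-1>.
"""
import secrets
import struct

GUARD = 128  # extra fraction bits so that floor(2^1918 * e) is provably exact


def floor_pow2_times_e(nbits):
    """Return floor(2^nbits * e) exactly, summing the series e = sum 1/k! in integers."""
    scale = 1 << (nbits + GUARD)
    total, fact, k = 0, 1, 0
    while True:
        term = scale // fact          # floor(2^(nbits+GUARD) / k!)
        if term == 0:
            break
        total += term
        k += 1
        fact *= k
    # Each floored term lost < 1 and the dropped tail is < 2, so the true
    # scaled value lies in [total, total + k + 2).  If both ends agree once
    # the guard bits are removed, the floor is certain; otherwise refuse.
    lo, hi = total >> GUARD, (total + k + 2) >> GUARD
    if lo != hi:
        raise ArithmeticError("guard bits insufficient; raise GUARD")
    return lo


def ffdhe2048_prime():
    """The RFC 7919 ffdhe2048 modulus, computed from the published formula."""
    return (1 << 2048) - (1 << 1984) + (floor_pow2_times_e(1918) + 560316) * (1 << 64) - 1


FFDHE2048 = ffdhe2048_prime()


def probably_prime(n, rounds=8):
    """Miller-Rabin with random bases; False is certain, True is probabilistic."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def assess_dh_group(p, g):
    """Classify a ServerDHParams (p, g) pair the way a TLS scanner would."""
    if p == FFDHE2048:
        verdict = "ffdhe2048 (RFC 7919)"
    elif p.bit_length() < 2048:
        # Below current practice regardless of whether the group is custom.
        return "weak: %d-bit modulus" % p.bit_length()
    elif not probably_prime(p):
        return "bad: modulus is composite"
    elif not probably_prime((p - 1) // 2):
        return "bad: modulus is not a safe prime"
    else:
        verdict = "custom %d-bit safe prime" % p.bit_length()
    # For a safe prime p = 2q + 1 the generator should have order q, i.e.
    # g^q == 1 mod p; otherwise g generates the full group and the key
    # exchange leaks the low bit of each private exponent.
    q = (p - 1) // 2
    if not 1 < g < p - 1 or pow(g, q, p) != 1:
        return "bad: generator %d does not generate the order-q subgroup" % g
    return verdict


def parse_server_dh_params(body):
    """Parse (p, g, Ys) from the start of a DHE ServerKeyExchange body."""
    fields, off = [], 0
    for _ in range(3):
        (length,) = struct.unpack_from("!H", body, off)
        off += 2
        if length == 0 or off + length > len(body):
            raise ValueError("truncated or empty ServerDHParams vector")
        fields.append(int.from_bytes(body[off:off + length], "big"))
        off += length
    return fields[0], fields[1], fields[2]


def encode_server_dh_params(p, g, ys):
    """Inverse of parse_server_dh_params; used only to build the sample below."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


# Constructed sample: ffdhe2048 with g = 2 and a dummy Ys (0x1234 is not a
# real public value).  The signature that follows ServerDHParams is omitted.
SAMPLE_SKE = encode_server_dh_params(FFDHE2048, 2, 0x1234)

if __name__ == "__main__":
    p, g, _ys = parse_server_dh_params(SAMPLE_SKE)
    print(assess_dh_group(p, g))
    print(assess_dh_group(FFDHE2048 + 2, 2))   # even modulus, so composite
    print(assess_dh_group(23, 5))              # a safe prime, but far too small
```

Deriving the prime from the formula and then checking that the result is a safe prime of the expected shape is deliberate: a scanner that compares against a hand-pasted 512-hex-digit constant cannot tell a typo in its own table from a server using a custom group. The size check runs before the primality checks because Miller-Rabin on a small composite would otherwise report "composite" for a group whose real problem is that it is 1024 bits.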