On Thursday, 22 December 2022 23:26:26 CET, Carrick Bartle wrote:
the latter is basically unexploitable with properly behaving hosts in TLSv1.2
Well, right, that's the trick. The issue that people have 
pointed out with FFDHE is that it's very easy to have a host 
that is not properly behaving (see RFC 7919, which is referenced 
in our draft).
It's also easy and quick to verify that the server *is* behaving correctly
and thus is not exploitable.

On Wed, Dec 21, 2022 at 5:14 AM Hubert Kario <hka...@redhat.com> wrote:
On Tuesday, 20 December 2022 19:37:14 CET, Rob Sayre wrote:
On Tue, Dec 20, 2022 at 4:53 AM Hubert Kario <hka...@redhat.com> wrote:
Thus the deprecation of it is a matter of taste, not cryptographic
necessity.

I'm sorry if I'm being dense here, but isn't all of this a SHOULD NOT in RFC 9325?
https://www.rfc-editor.org/rfc/rfc9325.html#name-recommendations-cipher-suit

Maybe I'm misreading that RFC, but given that it's a BCP, it seems like deprecation is a natural step that reflects IETF consensus.
That RFC marks both TLS_RSA_* and TLS_DHE_* as "SHOULD NOT".
Given that the former is still being exploited close to 25 years after the
Bleichenbacher attack was discovered, while the latter is basically
unexploitable with properly behaving hosts in TLSv1.2, I don't think it's
correct to consider them at the same level.

Yes, if you have ECDHE available, you SHOULD NOT use DHE in TLSv1.2. But if
everything you have is either TLS_RSA_* or TLS_DHE_*, then you're far better
off with TLS_DHE_*.
--
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
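The verification Hubert refers to above, a client checking that a server's DHE parameters are a published RFC 7919 group and that the server's public value is a valid element of that group, as an added example that is not code from the thread or its authors. The ffdhe2048 and ffdhe3072 moduli are rebuilt from the formulas in RFC 7919 Appendix A rather than pasted as hex, the ServerDHParams bodies are constructed for the demo, and all function names are this example's own.

```python
"""Checks a TLS 1.2 client can make on a server's FFDHE ServerKeyExchange.

Added example, not code from the mailing-list thread or its authors. The
ffdhe2048/ffdhe3072 moduli are rebuilt from RFC 7919 Appendix A; a server's
(p, g, Ys) is then checked against them and against the range and subgroup
tests of RFC 7919 section 5.1. Sample ServerDHParams bodies are constructed.
"""
from decimal import Decimal, getcontext
from functools import lru_cache
from typing import List, Optional, Tuple
import secrets

# (modulus bits, exponent n of the 2^n * e term, additive offset), RFC 7919 Appendix A
FFDHE_GROUPS = {
    "ffdhe2048": (2048, 1918, 560316),
    "ffdhe3072": (3072, 2942, 2625351),
}


def euler_e(digits: int) -> Decimal:
    """e = sum(1/k!) to `digits` decimal digits; raises the global Decimal precision."""
    getcontext().prec = digits + 10
    total, term, k = Decimal(0), Decimal(1), 0
    cutoff = Decimal(10) ** -(digits + 5)
    while term > cutoff:
        total += term
        k += 1
        term /= k
    return total


@lru_cache(maxsize=None)
def ffdhe_prime(name: str) -> int:
    """p = 2^bits - 2^(bits-64) + {floor(2^n * e) + offset} * 2^64 - 1 (RFC 7919 App. A)."""
    bits, n, offset = FFDHE_GROUPS[name]
    e = euler_e(int(n * 0.30103) + 40)          # enough digits for an exact floor below
    floor_term = int(Decimal(2) ** n * e)       # int() truncates: floor for positive values
    return 2 ** bits - 2 ** (bits - 64) + (floor_term + offset) * 2 ** 64 - 1


def identify_group(p: int) -> Optional[str]:
    """Name of the RFC 7919 group with modulus p, or None for custom parameters."""
    for name in FFDHE_GROUPS:
        if ffdhe_prime(name) == p:
            return name
    return None


def check_server_dh_params(p: int, g: int, ys: int) -> List[str]:
    """Problems found with a server's (p, g, Ys); an empty list means it passes."""
    problems = []
    group = identify_group(p)
    if group is None:
        problems.append("modulus is not a published RFC 7919 group")
    if g != 2:
        problems.append(f"generator is {g}, RFC 7919 groups use 2")
    if not 1 < ys < p - 1:
        problems.append("Ys is outside the range 1 < Ys < p-1")
    elif group is not None:
        # p = 2q+1 is a safe prime and g = 2 has order q, so a genuine share Ys = 2^x
        # satisfies Ys^q == 1 (mod p); anything else lies outside that subgroup.
        if pow(ys, (p - 1) // 2, p) != 1:
            problems.append("Ys is not in the prime-order subgroup")
    return problems


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Serialize ServerDHParams (RFC 5246 7.4.3): opaque<1..2^16-1> dh_p, dh_g, dh_Ys."""
    out = b""
    for value in (p, g, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def parse_server_dh_params(body: bytes) -> Tuple[int, int, int]:
    """Parse dh_p, dh_g, dh_Ys from the front of a ServerKeyExchange body."""
    values, off = [], 0
    for field in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(body):
            raise ValueError(f"{field}: truncated length field")
        length = int.from_bytes(body[off:off + 2], "big")
        off += 2
        if length == 0 or off + length > len(body):
            raise ValueError(f"{field}: bad length {length}")
        values.append(int.from_bytes(body[off:off + length], "big"))
        off += length
    return values[0], values[1], values[2]


def well_behaved_server(name: str) -> bytes:
    """Constructed ServerDHParams from a server using an RFC 7919 group correctly."""
    p = ffdhe_prime(name)
    x = 2 + secrets.randbelow((p - 1) // 2 - 2)  # private exponent in [2, q-1]
    return encode_server_dh_params(p, 2, pow(2, x, p))


def audit(body: bytes) -> List[str]:
    """Parse a ServerDHParams body and return the list of problems (empty = OK)."""
    return check_server_dh_params(*parse_server_dh_params(body))


if __name__ == "__main__":
    good = well_behaved_server("ffdhe2048")
    print("ffdhe2048 server:", audit(good) or "OK")
    p, g, ys = parse_server_dh_params(good)
    # Same group, but p - Ys has order 2q, so it fails the subgroup test.
    print("wrong subgroup:", audit(encode_server_dh_params(p, g, p - ys)))
    print("Ys = 1:", audit(encode_server_dh_params(p, g, 1)))
```

A server that passes these checks is using a well-known safe-prime group with the standard generator and sending a public value inside the order-q subgroup, which is the "properly behaving host" the thread has in mind; a custom modulus or an out-of-subgroup Ys is what a client should treat as a reason to refuse the handshake.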

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls