On 2/2/19 4:21 PM, Eric S. Raymond via devel wrote:
> Gary E. Miller via devel <[email protected]>:
>> I assumed to start it would be just config files.
>
> Every time you assume a config file something beautiful dies.
>
> The right question to ask is not "how must we configure this", it's
> "how do we query our environment to find out the right thing to do".
> You should only think in terms of configuration when you are *certain*
> you can't do better.
>
>> Remember, the cipher sets are runtime dynamic. They can change under
>> you in an instant. So replace startup time with runtime.
>
> Agreed.
>
>> To find the TLS 1.2 ciphers:
>>
>> openssl ciphers -v | fgrep TLSv1.2
>>
>> To find the TLS 1.3 ciphers:
>>
>> openssl ciphers -v | fgrep TLSv1.3
>>
>> I have no idea how to find possible AEAD algorithms.
>
> I think we may have a dodge there. IIRC the NTS draft requires support for
> a particular one of the AES variants, I forget which. If it's not
> available we just error out of TLS.

No. That requirement is for the NTP crypto, not TLS!

--
Richard
