Am 06.11.2013 21:35, schrieb Thijs Alkemade:
> 
> On 6 nov. 2013, at 21:23, Philipp Hancke <fi...@goodadvice.pages.de> wrote:
> 
>> Am 06.11.2013 21:02, schrieb Alexander Holler:
>>> Not exactly the same, but I don't like the part
>>>
>>> "or require cipher suites that enable forward secrecy"
>>>
>>> for the same reason. OpenSSL 1.x isn't around that long, and there are
>>> still many systems which do use e.g. Debian squeeze. And I assume the
>>> state of OpenSSL on other "stable" systems like e.g. SLES or RHEL isn't
>>> much better (but that's just an assumption from me).
>>
>> DHE/EDH suites have been around at least since 2006 (openssl 0.9.8d is the 
>> oldest binary i have access to).
> 
> http://www.openssl.org/news/changelog.html suggests since as early as 1999.

Maybe, I haven't looked in detail why PFS isn't avaulable (enabled) on
my squeeze system (by default) as I'm already unhappy with the state of
TLS and therefor moved the deeper look into that problem until after
I've upgraded the system.

But I still don't think that it is a good idea to already make it a
requirement for servers (and thus clients). It might make sense to make
support of that mandatory for service providers, but already enforcing
world+dog to use it shouldn't be done.

But thanks for the hint, maybe I will now look why it isn't enabled. ;)

Regards,

Alexander Holler

_______________________________________________
JDev mailing list
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: jdev-unsubscr...@jabber.org
_______________________________________________

Reply via email to