This is a copy from https://bugzilla.redhat.com/show_bug.cgi?id=1062924
According to "Recommendation for Key Management," NIST Special Publication 800-57 Part 1 Rev. 3, 07/2012, one should use twice the number of bits of hash as the number of key bits in block cipher. For example, use a SHA256 with AES128. Yet, openssl cipher suite selection (openssl ciphers -v) contains lots of choices that violate this recommendation. SHA512 is not offered at all for AES256; SHA384 is the maximum. Further, SHA1 appears in quite a lot of ciphers suites. It has severe known weaknesses. Yet, unreasonable cipher suites with SHA1, like ECDHE-ECDSA-AES128-SHA even have higher priority than reasonable ones like DHE-RSA-AES128-SHA256. -- Peter Backes, [email protected] ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected]
