> On Feb 12, 2016, at 3:15 PM, Salz, Rich <rs...@akamai.com> wrote:
> 
> So is RC4 and we don't see that as HIGH. HIGH implies strength, not MTI-ness.

Now let's not make stuff up:

http://tools.ietf.org/html/rfc5246#section-9

9.  Mandatory Cipher Suites

   In the absence of an application profile standard specifying
   otherwise, a TLS-compliant application MUST implement the cipher
   suite TLS_RSA_WITH_AES_128_CBC_SHA (see Appendix A.5  for the
   definition).

http://tools.ietf.org/html/rfc4346#section-9

9. Mandatory Cipher Suites

   In the absence of an application profile standard specifying
   otherwise, a TLS compliant application MUST implement the cipher
   suite TLS_RSA_WITH_3DES_EDE_CBC_SHA.

http://tools.ietf.org/html/rfc2246#section-9

9. Mandatory Cipher Suites

   In the absence of an application profile standard specifying
   otherwise, a TLS compliant application MUST implement the cipher
   suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA.

Since many users enable just HIGH ciphers, they must not exclude the MTI
ciphers.

-- 
        Viktor.

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
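
An added example, not part of the original message: a check of whether a given cipher string, as expanded by the OpenSSL build linked into Python, still enables the mandatory suites from the three RFC sections quoted above. The mapping from RFC suite names to OpenSSL cipher names is supplied here as an assumption of the example, and the result depends on the local OpenSSL build.

```python
import ssl

# RFC section 9 mandatory suites quoted above, mapped to OpenSSL cipher names.
# The OpenSSL names are added for this example; the DHE-DSS suite has two
# spellings because OpenSSL 1.1.0 renamed EDH-* to DHE-*.
MTI = {
    "TLS 1.2 (RFC 5246)": ("TLS_RSA_WITH_AES_128_CBC_SHA", {"AES128-SHA"}),
    "TLS 1.1 (RFC 4346)": ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", {"DES-CBC3-SHA"}),
    "TLS 1.0 (RFC 2246)": ("TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
                           {"EDH-DSS-DES-CBC3-SHA", "DHE-DSS-DES-CBC3-SHA"}),
}


def expand(cipher_string):
    """Return the OpenSSL names the linked library enables for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # the string selects no cipher in this build
    return [c["name"] for c in ctx.get_ciphers()]


def missing_mti(enabled):
    """Map protocol version -> RFC suite name for each MTI suite not enabled."""
    enabled = set(enabled)
    return {ver: rfc for ver, (rfc, names) in MTI.items()
            if not names & enabled}


if __name__ == "__main__":
    # Cipher strings chosen for illustration; substitute the one you deploy.
    for s in ("HIGH", "HIGH:!3DES", "DEFAULT"):
        names = expand(s)
        print(f"{s!r}: {len(names)} suites enabled")
        for ver, rfc in missing_mti(names).items():
            print(f"  missing MTI for {ver}: {rfc}")
```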
