So, if it’s “mandatory”, then it should be in the default set of ciphers, not necessarily the “HIGH” set.
I’m selecting “HIGH” because I want 128-bit+ ciphers, not a cipher that that has subsequently found to be weaker than previously thought. -- -Todd Short // tsh...@akamai.com<mailto:tsh...@akamai.com> // "One if by land, two if by sea, three if by the Internet." On Feb 12, 2016, at 3:36 PM, Viktor Dukhovni <openssl-us...@dukhovni.org<mailto:openssl-us...@dukhovni.org>> wrote: On Feb 12, 2016, at 3:15 PM, Salz, Rich <rs...@akamai.com<mailto:rs...@akamai.com>> wrote: So is RC4 and we don't see that as HIGH. HIGH implies strength, not MTI-ness. Now let's not make stuff up: http://tools.ietf.org/html/rfc5246#section-9 9. Mandatory Cipher Suites In the absence of an application profile standard specifying otherwise, a TLS-compliant application MUST implement the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA (see Appendix A.5 for the definition). http://tools.ietf.org/html/rfc4346#section-9 9. Mandatory Cipher Suites In the absence of an application profile standard specifying otherwise, a TLS compliant application MUST implement the cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA. http://tools.ietf.org/html/rfc2246#section-9 9. Mandatory Cipher Suites In the absence of an application profile standard specifying otherwise, a TLS compliant application MUST implement the cipher suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA. Since many users enable just HIGH ciphers, they must not exclude the MTI ciphers. -- -- Viktor. -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev