On 19/11/2014 22:37, Gilles Vollant wrote:
> On https://support.microsoft.com/kb/2992611 we can read
>
> Some customers have reported an issue that is related to the changes in this release. These changes added the following new cipher suites to Windows Server 2008 R2 and Windows Server 2012. In order to give customers more control over whether these cipher suites are used in the short term, we are removing them from the default cipher suite priority list in the registry.
>
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_RSA_WITH_AES_256_GCM_SHA384
> TLS_RSA_WITH_AES_128_GCM_SHA256

In other words, they disabled the stronger suites rather than
fixing the actual compatibility issue (which was the removal of
an unnecessary "supported points format" extension, which was
sent in previous versions).

So if Mr. Idrassi was right AND if OpenSSL 1.0.0/1.0.0a/1.0.0b
were the only affected clients, then this is not the best
possible fix.

On the other hand, if some other SSL library would fail if
presented with the 3 "new" suites (the GCM suites without
ECDSA certs), then their fix is correct and just helps the
old OpenSSL versions by chance.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
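
For checking whether a given ServerHello carries the "supported points format" extension discussed in the message above, here is an added example; it is not part of the original message and not OpenSSL or Microsoft code. The function names and the two sample records are constructed for illustration; the extension type (11) and the suite code points are the IANA values from RFC 4492 and RFC 5288.

```python
EC_POINT_FORMATS = 11  # ec_point_formats extension type (RFC 4492)
GCM_SUITES = {  # IANA code points of the four suites named in the KB text
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
}
u16 = lambda b: int.from_bytes(b, "big")

def parse_server_hello(record: bytes):
    """Return (cipher_suite, {ext_type: ext_data}) for one ServerHello record."""
    rlen = u16(record[3:5])
    body = record[5:5 + rlen]
    if record[:1] != b"\x16" or len(body) != rlen or rlen < 4 or body[0] != 2:
        raise ValueError("not a complete ServerHello record")
    msg = body[4:4 + u16(body[1:4])]
    # version(2) + random(32) + sid_len(1) + sid + suite(2) + compression(1)
    if len(msg) < 35 or 35 + msg[34] + 3 > len(msg):
        raise ValueError("truncated ServerHello")
    pos = 35 + msg[34]
    suite = u16(msg[pos:pos + 2])
    pos += 3
    exts = {}
    if pos == len(msg):  # the extensions block is optional
        return suite, exts
    pos, end = pos + 2, pos + 2 + u16(msg[pos:pos + 2])
    if end != len(msg):
        raise ValueError("bad extensions length")
    while pos < end:
        etype, elen = u16(msg[pos:pos + 2]), u16(msg[pos + 2:pos + 4])
        pos += 4
        if pos + elen > end:
            raise ValueError("truncated extension")
        exts[etype] = msg[pos:pos + elen]
        pos += elen
    return suite, exts

def build_sample(suite: int, exts: dict) -> bytes:  # constructed record, not a capture
    blob = b"".join(t.to_bytes(2, "big") + len(d).to_bytes(2, "big") + d for t, d in exts.items())
    msg = b"\x03\x03" + bytes(32) + b"\x00" + suite.to_bytes(2, "big") + b"\x00"
    msg += len(blob).to_bytes(2, "big") + blob if blob else b""
    hs = b"\x02" + len(msg).to_bytes(3, "big") + msg
    return b"\x16\x03\x03" + len(hs).to_bytes(2, "big") + hs

def check(record: bytes):
    suite, exts = parse_server_hello(record)
    return GCM_SUITES.get(suite, hex(suite)), EC_POINT_FORMATS in exts
# Constructed samples: same suite, with and without the extension
WITH_EXT = build_sample(0x009F, {EC_POINT_FORMATS: b"\x01\x00", 0xFF01: b"\x00"})
WITHOUT_EXT = build_sample(0x009F, {0xFF01: b"\x00"})
```

Feeding `check` the first handshake record from a packet capture taken before and after a server update shows whether the extension disappeared and which suite was selected.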
