On Mon, May 11, 2015 at 11:25:33AM -0500, Nico Williams wrote:
> - If you don't want to depend on server certs, use anon-(EC)DH
> ciphersuites.
>
> Clients and servers must reject[*] TLS connections using such a
> ciphersuite but not using a GSS-authenticated application protocol.
[*] Except when employing unauthenticated encrypted communication
to mitigate passive monitoring (oportunistic security).
--
Viktor.
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
