> On May 28, 2018, at 5:27 PM, Michal Trojnara <michal.trojn...@stunnel.org>
> wrote:
>
> - The default cipher list was updated to a safer value:
> "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK".
I am rather puzzled as to why you chose to eliminate
not just fixed DH, but also the ephemeral finite-field
DH key exchange. What's wrong with the DHE ciphers?
I would have chosen:
HIGH:!aNULL:!kDH:!kECDH:!MD5
which excludes the *fixed* DH/ECDH ciphers and MD5
(and thus also SSLv2). This does not eliminate
ephemeral finite-field DH, not sure why you're doing
that...
--
--
Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users