Re: still use "aNULL:!aNULL:" in Postfix default cipherlists when tls policy is mandatory, == encrypt?

Viktor Dukhovni Wed, 02 Aug 2017 00:26:58 -0700

On Tue, Aug 01, 2017 at 11:41:42PM +0000, Viktor Dukhovni wrote:

> To see what you'd get for a particular protocol version:
> 
>     $ /opt/openssl/1.1.0/bin/openssl ciphers -s -tls1 -V 
> 'CHACHA20:!aRSA:!aDSA:!PSK'
>     $ /opt/openssl/1.1.0/bin/openssl ciphers -s -tls1_1 -V 
> 'CHACHA20:!aRSA:!aDSA:!PSK'
>     $ /opt/openssl/1.1.0/bin/openssl ciphers -s -tls1_2 -V 
> 'CHACHA20:!aRSA:!aDSA:!PSK'
>             0xCC,0xA9 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     
> Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD


For the record, that "!aDSA" should have been "!aDSS", though it
makes little difference in this example as no DSA (aka DSS) CHACHA
algorithms exist and none are likely to ever be added.

You can check with "openssl ciphers -v aDSS" vs. "openssl ciphers -v aDSA".

-- 
        Viktor.

Re: still use "aNULL:!aNULL:" in Postfix default cipherlists when tls policy is mandatory, == encrypt?

Reply via email to