[gnutls-devel] GnuTLS | Please prefer PFS ciphers over plain RSA ones. (#862)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Sat Nov 23 20:56:33 CET 2019




Nikos Mavrogiannopoulos commented:


It is intentional that DHE-RSA is after RSA. The DHE-RSA ciphersuites have several issues under tls1.2 or earlier and the most important is that it in libraries like gnutls which enforce a consistent security level, they make it impossible for a client to recover from a server which sends a DH key which is below the bar. That is, unfortunately a very common misconfiguration, and this is why RSA is preferred to DHE.

See also:
https://www.gnutls.org/faq.html#prime-not-acceptable

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/862#note_249441003
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20191123/47742d66/attachment.html>


More information about the Gnutls-devel mailing list