<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>


<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<p style="color: #777777;">
<a href="https://gitlab.com/nmav">Nikos Mavrogiannopoulos</a>
commented:
</p>
<div style="">
<p dir="auto">The rationale for the removal is:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">These ciphersuites are deprecated since the introduction of AEAD</span>
<span id="LC2" class="line" lang="plaintext">ciphersuites, and are only necessary for compatibility with older</span>
<span id="LC3" class="line" lang="plaintext">servers. Since older servers already support hmac-sha1 there is</span>
<span id="LC4" class="line" lang="plaintext">no reason to keep these ciphersuites enabled by default, as they</span>
<span id="LC5" class="line" lang="plaintext">increase our attack surface.</span></code></pre>
<p dir="auto">The longer version is that these ciphersuites are harder to secure in terms of Lucky13-type attacks, and thus significantly increase the attack surface. Their security is no better than HMAC-SHA1 (SHA1 is a weak signature algorithm but still a very strong HMAC algorithm), thus there is no reason to enable them. Would it be reasonable for software which really needs to connect to Windows RDP servers to enable these algorithms explicitly?</p>
</div>


</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">

<br>
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/issues/831#note_215339646">view it on GitLab</a>.


</p>
</div>
</body>
</html>