From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH] OpenVPN: mark CBC ciphers as weak in WebUI
Date: Mon, 10 Jun 2019 19:08:00 +0000
Message-ID: <8edaf74e-2912-1d32-9c23-234e1eadf1d2@ipfire.org>
In-Reply-To: <4FDE0AC7-76CB-4B9A-A5D3-E77EE9DFED5C@ipfire.org>

Hello Michael,

thanks for your comments.

> Hi,
>
> I think I can ACK this although we definitely should change the default. I have raised that a couple of times before.

Yes. This is true for IPsec as well... Patch is in my pipeline...

>
> I also do not like having a very long list of ciphers that are weak. There are not too many left which are “strong”. But yeah, what can you do?

As far as I am concerned, there is little "strong" cryptography left indeed.
It's basically only TLS >= 1.2 with AEAD (e.g. GCM) ciphers and Forward Secrecy.
Speaking about RFC 8446, this is more or less what survived discussions before
standardizing TLS 1.3 ... :-)

>
> I will wait for Erik to ack this, too.
>
> -Michael

Thanks, and best regards,
Peter Müller
--
The road to Hades is easy to travel.
    -- Bion of Borysthenes