10 Jun
2019
10 Jun
'19
7:08 p.m.
Hello Michael,
thanks for your comments.
Hi,
I think I can ACK this although we definitely should change the default. I have raised that a couple of times before.
Yes. This is true for IPsec as well... Patch is in my pipeline...
I also do not like having a very long list of ciphers that are weak. There are not too many left which are “strong”. But yeah, what can you do?
As far as I am concerned, there is little "strong" cryptography left indeed. It's basically only TLS >= 1.2 with AEAD (e.g. GCM) ciphers and Forward Secrecy.
Speaking about RFC 8446, this is more or less what survived discussions before standardizing TLS 1.3 ... :-)
I will wait for Erik to ack this, too.
-Michael
Thanks, and best regards, Peter Müller
--
The road to Hades is easy to travel.
-- Bion of Borysthenes