[PATCH] OpenVPN: mark CBC ciphers as weak in WebUI
peter.mueller at ipfire.org
Mon Jun 10 20:08:00 BST 2019
Thanks for your comments.
> I think I can ACK this although we definitely should change the default. I have raised that a couple of times before.
Yes. This is true for IPsec as well... Patch is in my pipeline...
> I also do not like having a very long list of ciphers that are weak. There are not too many left which are “strong”. But yeah, what can you do?
As far as I am concerned, there is little "strong" cryptography left indeed.
It's basically only TLS >= 1.2 with AEAD (e.g. GCM) ciphers and Forward Secrecy.
Speaking about RFC 8446, this is more or less what survived discussions before
standardizing TLS 1.3 ... :-)
> I will wait for Erik to ack this, too.
Thanks, and best regards,
The road to Hades is easy to travel.
-- Bion of Borysthenes