Re: [Sks-devel] Recommended HKPS protocols & ciphersuites?


From: David Benfell
Subject: Re: [Sks-devel] Recommended HKPS protocols & ciphersuites?
Date: Sun, 3 Aug 2014 18:02:19 -0700
User-agent: Mutt/1.5.23 (2014-03-12)

On Sun, Aug 03, 2014 at 11:13:39PM +0200, Pete Stephenson wrote:
> 
> That's a good selection. You might also consider !NULL, !EXP, and !SRP
> -- with openssl 1.0.1f on my system, your list includes those options.
> Null and export ciphers are always a bad thing.
> 
> The current recommendation from Qualys[1] is to use TLSv1/1.1/1.2 with:
> SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
> EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4
> EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

I've plugged this list in. I now allow the Yandex bot, but IE6 and
some Java something or other are still out of luck. The percentages on
the Qualys SSL test look pretty much the same as what I had and, of
course, I still have the A+ rating (with a 4096-bit key, by the way).

> 
> However, that recommendation is primarily for web browsers. I have no
> idea what SSL/TLS capabilities are available to HKPS-capable OpenPGP
> clients, so I don't know if leaving out SSLv3 is a problem, if old
> clients support PFS, or if it'd be necessary to include 3DES/RC4 as a
> fallback.
> 

I see that there are issues here and I don't fully understand what's
going on. What I do know is that when I was running an XMPP server and
tried to improve my A- grade at xmpp.net, I failed miserably. (But
then I also failed to find the list you had found at Qualys.)

But of course that's XMPP, which is so much of a mess that when
confronted with trying to sort it out yet again with the move to
FreeBSD, I just gave up.

> Very limited (2-3 queries) testing suggests that gnupg-curl on Debian
> systems supports DHE-RSA-AES256-SHA256 with TLSv1.2. Another query is
> from a random user and their OpenPGP client supports TLSv1.2 and
> ECDHE-RSA-AES256-GCM-SHA384; not even modern web browsers support that
> yet, so I'm impressed.
> 
> P.S. I sent you a message a few days ago regarding peering but your
> server is bouncing it with "450 4.3.2 Service currently unavailable".

Hopefully we're talking now. I added you to my membership list and
sent a response. This conversion has been a bit messier than ones I've
gone through in the past.


-- 
David Benfell <address@hidden>
See https://parts-unknown.org/node/2 if you don't understand the
attachment.

Attachment: pgpd8s_rWM3Fk.pgp
Description: PGP signature
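
The thread's point that a cipher string must be judged by what the local OpenSSL build expands it to (the quoted remark about openssl 1.0.1f still including NULL, export and SRP suites) can be checked mechanically. The following is an added example, not part of either poster's message: it uses Python's standard ssl module to ask the linked OpenSSL for the expansion, and the function names and the constructed sample suite names are assumptions made for illustration.

```python
import re
import ssl

# Cipher string quoted in the thread (the Qualys recommendation, as posted).
QUALYS = ("EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
          "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
          "EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 "
          "!aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS")

# Suite-name tokens for the classes the thread says to exclude.
UNWANTED = {"NULL", "EXP", "SRP"}


def expand(cipher_string):
    """Return the suite names the local OpenSSL build selects for the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def flag_unwanted(names):
    """Map each suite name to the unwanted classes found among its tokens."""
    hits = {}
    for name in names:
        tokens = set(re.split(r"[-_]", name.upper()))
        found = sorted(tokens & UNWANTED)
        if found:
            hits[name] = found
    return hits


def without_exclusions(cipher_string):
    """Drop every '!' term, to see what the exclusions were holding back."""
    return " ".join(t for t in cipher_string.split() if not t.startswith("!"))


if __name__ == "__main__":
    # Constructed OpenSSL-style names, standing in for an old build's output.
    sample = ["ECDHE-RSA-AES256-GCM-SHA384", "EXP-RC4-MD5",
              "ECDHE-RSA-NULL-SHA", "SRP-RSA-AES-256-CBC-SHA"]
    print("constructed sample:", flag_unwanted(sample))
    for label, s in (("as posted", QUALYS),
                     ("exclusions removed", without_exclusions(QUALYS))):
        names = expand(s)
        print(f"{label}: {len(names)} suites, flagged: {flag_unwanted(names)}")
```

What the "exclusions removed" run reports depends on which suites the installed OpenSSL was built with, so the result on a current build will differ from the 1.0.1f behaviour described in the thread.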

