Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upSupport server cipher preference #89
Open
Conversation
Prefer server ciphers over client ciphers during the TLS handshake. Part of the ClientHello message client sends supported cipher suites in order of its preference. If tls-prefer-server-ciphers is when server choosing a cipher, use the server's preferences instead of the client preferences. The functionality is the same as the folowings: * ssl_prefer_server_ciphers in NGINX * SSLHonorCipherOrder in Apache * ...
|
Hi,
On Sun, Jul 16, 2017 at 01:23:21AM -0700, Szilárd Pfeiffer wrote:
-- Commit Summary --
* Support server cipher preference
Is there a good reason why one wouldn't want to enable this at all
times?
While the code is simple enough, adding yet another tls option is not
necessarily the best way forward - it will confuse people, cause extra
questions to be asked, and will eventually break things because the
testing requirement for "test with and without that option" just doubles.
gert
…--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert@greenie.muc.de
fax: +49-89-35655025 gert@net.informatik.tu-muenchen.de
|
|
On 2017-07-16 17:17, Gert Doering wrote:
Hi,
On Sun, Jul 16, 2017 at 01:23:21AM -0700, Szilárd Pfeiffer wrote:
> -- Commit Summary --
>
> * Support server cipher preference
Is there a good reason why one wouldn't want to enable this at all
times?
While the code is simple enough, adding yet another tls option is not
necessarily the best way forward - it will confuse people, cause extra
questions to be asked, and will eventually break things because the
testing requirement for "test with and without that option" just doubles.
First of all, I've just followed the method used by NGINX/Apache/... so
added an option.
Anyway, if there is a server configuration where tls-cipher is set
explicitly (by list of cipher suites), but in a bad order (for instance
RSA authentication is preferred over DHE), after the upgrade to a new
OpenVPN version, which forces the server's cipher preference order to
the clients, weaker cipher suite will be used than it had been used
before the upgrade.
Szilárd
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
c0r0n3r commentedJul 16, 2017
No description provided.