weak cipher in TLS?

Roger Dingledine arma at mit.edu
Sun Nov 22 04:42:58 UTC 2009


On Sat, Nov 21, 2009 at 10:42:30PM +0100, moris blues wrote:
> I read in the tor-spec that:
> 
> In "backwards-compatible renegotiation", the connection initiator's
> ClientHello MUST include at least one ciphersuite other than those listed
> above.
> 
> Does this mean that a different algorithm can be used that is not in the list?
> Then theoretically an unsafe algorithm such as DES could be used?

No, it means that a different algorithm (e.g. DES) could be *offered*.

Generally in cipher negotiations, one side offers a wide variety of
ciphers, and then the other either picks one it's comfortable with,
or refuses to pick any of them.

Correctly-behaving Tor clients (for example, the one we wrote) will only
accept ciphers with sufficient security properties.

   Responders MUST NOT select any TLS ciphersuite that lacks ephemeral keys,
   or whose symmetric keys are less than KEY_LEN bits, or whose digests are
   less than HASH_LEN bits.  Responders SHOULD NOT select any SSLv3
   ciphersuite other than those listed above.

("Those listed above" are basically DHE, RSA/DSS, AES/3DES, and SHA1.)

--Roger
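The offer-then-pick negotiation Roger describes, with the responder applying the tor-spec MUST NOT rules quoted above, as an added example (not from the original message and not Tor's own code). The suite property table and the 128-bit / 160-bit thresholds are hand-built assumptions for this example.

```python
# Added example: responder-side ciphersuite selection modelled on the tor-spec
# rule "MUST NOT select any TLS ciphersuite that lacks ephemeral keys, or whose
# symmetric keys are less than KEY_LEN bits, or whose digests are less than
# HASH_LEN bits". Thresholds and suite properties below are assumptions.
from dataclasses import dataclass
from typing import List, Optional

# Assumed minimums (tor-spec defines KEY_LEN as 16 bytes, HASH_LEN as 20 bytes).
KEY_LEN_BITS = 128
HASH_LEN_BITS = 160


@dataclass(frozen=True)
class Suite:
    ephemeral: bool   # forward-secret key exchange (DHE), or not (plain RSA)
    key_bits: int     # symmetric cipher key length in bits
    digest_bits: int  # MAC digest length in bits


# Constructed sample table describing a few standard ciphersuites.
SUITES = {
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA":  Suite(True, 128, 160),
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA": Suite(True, 168, 160),
    "TLS_RSA_WITH_AES_128_CBC_SHA":      Suite(False, 128, 160),  # no ephemeral keys
    "TLS_DHE_RSA_WITH_DES_CBC_SHA":      Suite(True, 56, 160),    # 56-bit key
    "TLS_RSA_WITH_RC4_128_MD5":          Suite(False, 128, 128),  # no DHE, MD5
}


def rejection_reasons(name: str) -> List[str]:
    """Return every rule the named suite fails; an empty list means acceptable."""
    suite = SUITES.get(name)
    if suite is None:
        return ["unknown suite"]           # never pick what we cannot evaluate
    reasons = []
    if not suite.ephemeral:
        reasons.append("lacks ephemeral keys")
    if suite.key_bits < KEY_LEN_BITS:
        reasons.append("symmetric key shorter than KEY_LEN")
    if suite.digest_bits < HASH_LEN_BITS:
        reasons.append("digest shorter than HASH_LEN")
    return reasons


def select_ciphersuite(offered: List[str]) -> Optional[str]:
    """Responder picks the first offered suite that passes every rule, in the
    initiator's preference order; None means refuse rather than downgrade."""
    for name in offered:
        if not rejection_reasons(name):
            return name
    return None
```

Offering DES first does the initiator no harm: the responder skips it and picks the AES suite, and an offer containing only weak suites yields None, i.e. the handshake is refused.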
