[jdev] manifesto 0.4

Kwadronaut Kwadronaut at autistici.org
Thu Nov 7 07:04:04 UTC 2013

On 06/11/13 21:02, Alexander Holler wrote:
> Am 30.10.2013 15:58, schrieb Thijs Alkemade:
>> On 30 okt. 2013, at 15:53, Tomasz Sterna <tomek at xiaoka.com> wrote:
>>> Dnia 2013-10-30, śro o godzinie 01:21 +0100, Mathieu Pasquet pisze:
>>>> Dropping SSLv2 is all good and I’m not even sure why SSLv2 was
>>>> supported initially (doesn’t xmpp appear after SSLv3 was
>>>> standardized?), but dropping SSLv3, while also a good idea, might
>>>> cause issues with lots of servers
>>> And discouraging TLSv1 in favor of TLSv1.2 when latest OpenSSL does not
>>> even support TLSv1.1 nor v1.2 is a pie-in-the-sky.
>> OpenSSL supports TLS 1.2 since 1.0.1 (and I think TLS 1.1 since the same
>> version), released March 14th, 2012.
> Not exactly the same, but I don't like the part
> "or require cipher suites that enable forward secrecy"

That in itself isn't bad at all, rather the opposite, it's great. But
yes, what are the implications of a push towards this?
OpenSSL supports and accepts a 16-bit DHE group. [1] Current Java 6&7
don't like any DHE >1024 bits (a workaround exists by using Bouncy Castle's
JCE). Without looking at what is still around as Alexander did, I wonder
about the consequences of such a push. When choosing the wrong thing we
might be *worse* off. I don't feel this is addressed in
And the best of it all: we don't have a way to negotiate the size of the
DHE, whatever the server sends is to be used. [2].

Would it be possible to change the wording in a meaningful way to either
make operators more aware of the pitfalls and/or make sure that they're
not actually downgrading what they currently use? Other opinions? Am I
overlooking some things?



[1] http://marc.info/?l=openssl-dev&m=138371309522047&w=2
[2] https://www.ietf.org/mail-archive/web/tls/current/msg10022.html
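
Added illustration, not part of the original message or of any project named in it: since the client cannot negotiate the DHE group size, the only client-side control is to inspect the ServerDHParams the server sends and refuse groups below a local floor. The 2048-bit floor, the function names and the sample parameters are assumptions made for this sketch.

```python
import struct

MIN_DH_BITS = 2048  # assumed local policy floor, not a value from the thread


class WeakDHGroup(Exception):
    """Raised when the server's DHE parameters fail the local policy."""


def _read_vec16(buf, off):
    """Read one TLS opaque<1..2^16-1> vector: 2-byte length, then data."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length")
    return buf[off:off + n], off + n


def parse_server_dh_params(body):
    """Parse dh_p, dh_g, dh_Ys from a ServerKeyExchange body (signature ignored)."""
    p, off = _read_vec16(body, 0)
    g, off = _read_vec16(body, off)
    ys, _ = _read_vec16(body, off)
    return tuple(int.from_bytes(v, "big") for v in (p, g, ys))


def check_dh_params(body, min_bits=MIN_DH_BITS):
    """Return the modulus size in bits; checks size and range only, not primality."""
    p, g, ys = parse_server_dh_params(body)
    bits = p.bit_length()
    if bits < min_bits:
        raise WeakDHGroup(f"server sent {bits}-bit DH modulus, need >= {min_bits}")
    if p % 2 == 0 or not 1 < g < p - 1 or not 1 < ys < p - 1:
        raise WeakDHGroup("modulus, generator or public value out of range")
    return bits


def build_body(p, g, ys):
    """Encode constructed test parameters the way a server would send them."""
    raws = [n.to_bytes((n.bit_length() + 7) // 8, "big") for n in (p, g, ys)]
    return b"".join(struct.pack("!H", len(r)) + r for r in raws)


# Constructed samples: a 16-bit group and a 2048-bit odd modulus (not a real prime).
TINY = build_body(65521, 2, 12345)
BIG = build_body((1 << 2047) | 1, 2, 12345)
```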
