[stunnel-users] question about Ephemeral Diffie-Hellman
Guylhem
stunnel at guylhem.net
Wed Mar 21 16:33:34 CET 2012
Hello,
On Wed, Mar 21, 2012 at 11:50, Michal Trojnara <Michal.Trojnara at mirt.net> wrote:
> Benchmarking worst case scenarios may look like a
> good idea, but it is not a reasonable approach to bottleneck identification.
Very true.
At the moment, I'm just preparing a test setup, making sure I have a
configuration following best practices as a reference point for the
comparison.
>> Is it possible to disable EDH? If so, how? I couldn't find any info on
>> that.
>
> The answer is in the article you quoted.
> Stunnel option is "ciphers":
Thanks - however, from the manpage it seems to be a positive list only,
using a different format, while the article uses ! for exclusions.
If PFS is to be sacrificed, would the following line (based on the
article) be ok? If not, what would be the stunnel equivalent?
ciphers=ALL:!kEDH:!aNULL:!ADH:!eNULL:!MEDIUM:!LOW:!EXP:RC4 RSA: HIGH;
And if PFS is to be kept:
ciphers=ALL:ECDHE:!kEDH:!aNULL:!ADH:!eNULL:!MEDIUM:!LOW:!EXP:RC4 RSA: HIGH;
Guylhem
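To see what an OpenSSL cipher string of this kind actually enables before putting it in stunnel.conf, the following added example (mine, not from the thread or from stunnel) asks the locally linked OpenSSL, through Python's ssl module, to expand a cipher string and reports the key-exchange methods that survive. The two strings are constructed here from the exclusions in the post; RC4 and EXP are left out because current OpenSSL builds no longer carry those suites at all.

```python
import re
import ssl

# Constructed here from the exclusions in the post; RC4 and EXP are left out
# because current OpenSSL builds no longer carry those suites at all.
NO_EDH = "ALL:!kEDH:!aNULL:!ADH:!eNULL:!MEDIUM:!LOW"   # PFS via ECDHE only
NO_EDH_NO_ECDHE = NO_EDH + ":!ECDHE"                     # PFS sacrificed


def expand_ciphers(cipher_string):
    """Let the linked OpenSSL expand an OpenSSL cipher string.

    Returns [(suite name, key exchange), ...], taking the key exchange from
    the 'Kx=' field of OpenSSL's own description text (what `openssl
    ciphers -v` prints): 'RSA', 'DH' (finite-field DHE), 'ECDH' (ECDHE), ...
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if the string matches nothing
    pairs = []
    for suite in ctx.get_ciphers():
        m = re.search(r"Kx=(\S+)", suite["description"])
        pairs.append((suite["name"], m.group(1) if m else "?"))
    return pairs


def key_exchanges(cipher_string):
    """Key-exchange methods enabled by the string, ignoring TLS 1.3 suites
    ('Kx=any'), which the OpenSSL cipher string does not govern."""
    return {kx for _, kx in expand_ciphers(cipher_string) if kx != "any"}


def allows_edh(cipher_string):
    """True if a suite using finite-field ephemeral DH (the kEDH family) survives.
    PSK/SRP variants such as DHE-PSK report their own Kx names and are not
    removed by !kEDH, so inspect key_exchanges() when those matter."""
    return "DH" in key_exchanges(cipher_string)


def keeps_pfs(cipher_string):
    """True if some surviving suite still offers forward secrecy (ECDHE or DHE)."""
    return bool({"DH", "ECDH"} & key_exchanges(cipher_string))


if __name__ == "__main__":
    for label, s in (("no EDH", NO_EDH), ("no EDH, no ECDHE", NO_EDH_NO_ECDHE)):
        print(f"{label}: {s}")
        print("  key exchanges:", sorted(key_exchanges(s)))
        print("  allows EDH:", allows_edh(s), "| keeps PFS:", keeps_pfs(s))
```

Run it against the same OpenSSL stunnel is linked with; the surviving key exchanges are what the stunnel `ciphers` option will offer, since stunnel passes the string through to OpenSSL unchanged.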