From: cinap_lenrek@felloff.net
To: 9front@9front.org
Date: Mon, 31 May 2021 13:45:37 +0200
Subject: Re: [9front] [patch] devtls updates

that patch is stupid. who the hell uses sha512 as a digest? do not add more of this crap, it is OVER.

the issue with the cipher+digest construction was that the padding schemes and the order of encryption and authentication turned out to have issues. modern tls cipher suites use aead ciphers where authentication and encryption are done together and the whole construction has been validated as a whole. such as: chacha20-poly1305 and aes-gcm. which we all support and it will get negotiated when available over the classic cipher+digest tls suites.

adding more digest algorithms in devtls doesn't do anything. what matters is what tlshand.c negotiates and it has a curated list of cipher suites. in the end the server has the final say what cipher is picked. and in comparison to mozilla we never had these downgrade attack issues because we did not just reconnect and try with an older version.

-- cinap
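The point above, that an AEAD suite such as aes-gcm authenticates the ciphertext and the record header in one validated operation and releases no plaintext unless the tag checks out, as an added example written for this page (it is not the submitted patch and not 9front's devtls or tlshand.c code). It uses Go's standard-library AES-GCM; the key, the record header and the random nonce are constructed for the demo, and TLS itself derives the nonce from the record sequence number rather than drawing it at random.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed demo key (16 bytes, so AES-128); a real TLS key comes from the
// handshake key schedule, never from a literal.
var demoKey = []byte("0123456789abcdef")

// sealRecord encrypts plaintext and, in the same AEAD operation, authenticates
// both the ciphertext and the unencrypted record header (passed as associated
// data). Output layout: nonce || ciphertext || 16-byte GCM tag.
func sealRecord(key, header, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Random nonce for the demo only; TLS derives it from the sequence number
	// so that it never repeats under one key.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, header), nil
}

// openRecord verifies the tag over header+ciphertext before releasing any
// plaintext; any change to header, ciphertext or tag yields an error and no
// partial plaintext, which is what the separate cipher+digest construction
// could not guarantee.
func openRecord(key, header, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(record) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("record too short")
	}
	nonce, ct := record[:aead.NonceSize()], record[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, header)
}

// TamperResult records what the AEAD accepted or rejected.
type TamperResult struct {
	RoundTrip      bool // untouched record decrypts to the original plaintext
	CiphertextFlip bool // flipping one ciphertext bit is rejected
	HeaderChange   bool // changing the associated data is rejected
	TagTruncation  bool // dropping the tag is rejected
}

// tamperDemo seals one record and then tries the modifications a receiver must
// reject. The header bytes mimic a TLS record header but are constructed here.
func tamperDemo() (TamperResult, error) {
	var r TamperResult
	header := []byte{0x17, 0x03, 0x03, 0x00, 0x0e}
	plaintext := []byte("hello, 9front!")

	rec, err := sealRecord(demoKey, header, plaintext)
	if err != nil {
		return r, err
	}
	pt, err := openRecord(demoKey, header, rec)
	r.RoundTrip = err == nil && bytes.Equal(pt, plaintext)

	// Flip one bit in the first ciphertext byte (byte 12 follows the 12-byte nonce).
	bad := append([]byte(nil), rec...)
	bad[12] ^= 0x01
	_, err = openRecord(demoKey, header, bad)
	r.CiphertextFlip = err != nil

	// Present the same record under a different header: the tag no longer matches.
	badHdr := append([]byte(nil), header...)
	badHdr[0] = 0x16
	_, err = openRecord(demoKey, badHdr, rec)
	r.HeaderChange = err != nil

	// Strip the 16-byte tag: nothing is decrypted.
	_, err = openRecord(demoKey, header, rec[:len(rec)-16])
	r.TagTruncation = err != nil
	return r, nil
}

func main() {
	r, err := tamperDemo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", r)
}
```

Every rejected case returns an error and a nil plaintext, so a receiver built this way cannot be driven into decrypting first and checking later; the ordering and padding questions that plagued the cipher+digest suites simply do not arise.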