Page MenuHome GnuPG

ntbtls: Require TLS 1.2 or later + AEAD by default
Closed, ResolvedPublic


Versions of TLS lower than 1.2, or which do not use an AEAD ciphersuite, are broken by Lucky13 unless very complex countermeasures are in place. They also have poor performance. These ciphersuites should be disabled by default

Event Timeline

DemiMarie created this object in space S1 Public.

ntbtls support only 1.2. We can't disable cipher suites for interop reasons. It is not the client's job trying to force a server 's admin to offer only decent ciphersuites.

werner triaged this task as Normal priority.Jun 16 2022, 6:37 PM
werner claimed this task.
werner added a project: Not A Bug.

I can't see what we shall do here.