Task: evaluate what we want to do regarding removing support for CBC in TLS 1.2.
@mpg writes in #6792 (comment) :
AEAD has been the preferred option since at least 2015 (RFC 7525).
CBC requires complex counter-measures to Lucky 13, whose tests significantly slow down the SSL test suite and which would require a special case when we get around to isolating session secrets with PSA.
Removing it would get rid of that, plus allow getting rid of the Encrypt-then-MAC extension.
OTOH, last time we checked, some IoT / M2M standards were still mandating CBC ciphersuites. See also #3854
(Also, the mandatory-to-implement ciphersuite for TLS 1.2 is TLS_RSA_WITH_AES_128_CBC_SHA, but RFC 7525 (which has official Best Current Practices status) encourages implementors to ignore that.)
--
However, some protocols mandate CBC - see discussion in #3854
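The Lucky 13 countermeasures referred to above exist because a CBC record's padding check must not reveal, through timing, where it failed. As an added illustration that is not Mbed TLS code, the early-exit check below sits beside a branch-free one; `naive_padding_ok`, `tls_cbc_padding_ok` and the `ct_*` helpers are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration, not Mbed TLS code. TLS 1.2 CBC plaintext ends in
 * MAC || padding || padding_length, where every padding byte and the length
 * byte carry the same value. */

/* Early-exit check: its running time depends on which padding byte is wrong,
 * which is the timing side channel Lucky 13 exploits. */
int naive_padding_ok(const uint8_t *plain, size_t len, size_t mac_len)
{
    if (len < mac_len + 1) return 0;
    uint8_t padlen = plain[len - 1];
    if ((size_t)padlen + 1 + mac_len > len) return 0;
    for (size_t i = 0; i <= padlen; i++)
        if (plain[len - 1 - i] != padlen) return 0;   /* leaks the position */
    return 1;
}

/* 0xFF if a < b, else 0x00; both inputs must be below 2^31. */
static uint8_t ct_lt_u32(uint32_t a, uint32_t b)
{
    return (uint8_t)(0u - ((a - b) >> 31));
}

/* 0xFF if a == b, else 0x00. */
static uint8_t ct_eq_u8(uint8_t a, uint8_t b)
{
    uint32_t x = (uint32_t)(a ^ b);               /* zero only when equal */
    return (uint8_t)(0u - ((x - 1u) >> 31));
}

/* Branch-free check: only the public record length steers control flow; every
 * decision that depends on the secret padlen is folded into a mask.
 * Returns 0xFF for valid padding, 0x00 otherwise. */
uint8_t tls_cbc_padding_ok(const uint8_t *plain, size_t len, size_t mac_len)
{
    if (len < mac_len + 1) return 0x00;           /* len is public */
    uint8_t padlen = plain[len - 1];              /* secret */
    uint32_t max_pad = (uint32_t)(len - mac_len - 1);
    if (max_pad > 255) max_pad = 255;             /* public clamp */
    uint8_t ok = (uint8_t)~ct_lt_u32(max_pad, padlen);  /* padlen <= max_pad */
    size_t scan = len < 256 ? len : 256;          /* public: same work every time */
    for (size_t i = 0; i < scan; i++) {
        uint8_t b = plain[len - 1 - i];
        uint8_t in_pad = ct_lt_u32((uint32_t)i, (uint32_t)padlen + 1u); /* i <= padlen */
        ok &= (uint8_t)(~in_pad | ct_eq_u8(b, padlen));  /* only pad bytes must match */
    }
    return ok;
}
```

Constant-time padding validation is only one part of the countermeasure; the full Lucky 13 fix also needs the MAC computation to take time independent of the padding length, which is the part that complicates the record layer.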