
LibreSSL languishes on Linux


Posted Jan 5, 2021 14:49 UTC (Tue) by Cyberax (✭ supporter ✭, #52523)
In reply to: LibreSSL languishes on Linux by wqweto
Parent article: LibreSSL languishes on Linux

TLS 1.2 supports AEAD just fine. Moreover, all the significant TLS 1.2 implementations have been supporting AES-GCM for at least a decade.

So AES-CBC is something that you'd want to use with >10 year old code that hasn't been upgraded since then.



LibreSSL languishes on Linux

Posted Jan 5, 2021 20:17 UTC (Tue) by tialaramex (subscriber, #21167) [Link]

TLS 1.2 specifies TLS_RSA_WITH_AES_128_CBC_SHA as Mandatory To Implement. In theory a TLS 1.2 client that can't do TLS_RSA_WITH_AES_128_CBC_SHA is not compliant. (In principle an application profile could specify something different, but they don't.)

Of course the IETF does not have an enforcement arm; if you don't want to implement arguably unsafe choices like TLS_RSA_WITH_AES_128_CBC_SHA then nobody will actually force you to do so. A TLS 1.2 client that only does ECDHE will work on a lot of the web today, and avoids any concerns with how unsafe RSA kex is, but it would not be compliant with the standard and isn't compatible enough that you could, say, ship it in a mass market web browser today; likewise for AEAD suites.
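The trade-off discussed in the two comments above, as an added example that is not part of either comment: a small audit that parses IANA TLS 1.2 suite names and reports whether a list contains the mandatory-to-implement suite, and which entries rely on RSA key transport or CBC. The function names and both suite lists are constructed for illustration.

```python
# Added example: audit a TLS 1.2 suite list by IANA name (sample lists are constructed).
MTI_TLS12 = "TLS_RSA_WITH_AES_128_CBC_SHA"  # mandatory to implement, RFC 5246 section 9
AEAD_MARKERS = ("_GCM", "_CCM", "_CHACHA20_POLY1305")


def classify(suite):
    """Split TLS_<kex>[_<auth>]_WITH_<cipher>... into key exchange and record mode."""
    if not suite.startswith("TLS_") or "_WITH_" not in suite:
        # TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) carry no key exchange part.
        raise ValueError(f"not a TLS 1.2 style suite name: {suite!r}")
    kex_auth, cipher = suite[len("TLS_"):].split("_WITH_", 1)
    kex = kex_auth.split("_")[0]  # RSA, DHE, ECDHE, PSK, ...
    padded = "_" + cipher         # lets the markers match at the start of the cipher part
    if any(marker in padded for marker in AEAD_MARKERS):
        mode = "AEAD"
    elif "_CBC" in padded:
        mode = "CBC"
    else:
        mode = "other"            # RC4, NULL, ...
    return {"suite": suite, "kex": kex, "mode": mode,
            "forward_secret": kex in ("DHE", "ECDHE")}


def audit(offered):
    """Summarise a suite list against the points raised in the thread."""
    rows = [classify(s) for s in offered]
    return {
        "has_mti": MTI_TLS12 in offered,  # strict RFC 5246 compliance
        "rsa_key_transport": [r["suite"] for r in rows if r["kex"] == "RSA"],
        "cbc": [r["suite"] for r in rows if r["mode"] == "CBC"],
        "fs_aead": [r["suite"] for r in rows
                    if r["forward_secret"] and r["mode"] == "AEAD"],
    }


# Constructed sample configurations.
ECDHE_AEAD_ONLY = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
]
LEGACY_COMPAT = ECDHE_AEAD_ONLY + [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for label, suites in (("ecdhe+aead only", ECDHE_AEAD_ONLY), ("legacy compat", LEGACY_COMPAT)):
        print(label, audit(suites))
```

The ECDHE/AEAD-only list reports `has_mti` as false with no RSA key transport or CBC entries, which is the non-compliant but safer configuration the second comment describes.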

