Re: [TLS] FFDHE and SHOULDs on usage

Hubert Kario <> Mon, 20 April 2015 12:42 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 0033F1A1BE7 for <>; Mon, 20 Apr 2015 05:42:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.512
X-Spam-Status: No, score=-5.512 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2OeukZ6ols42 for <>; Mon, 20 Apr 2015 05:41:58 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id BE51E1A1BF1 for <>; Mon, 20 Apr 2015 05:41:54 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTPS id 1A86FAC7A9; Mon, 20 Apr 2015 12:41:53 +0000 (UTC)
Received: from ( []) by (8.14.4/8.14.4) with ESMTP id t3KCfp4R005633 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Mon, 20 Apr 2015 08:41:53 -0400
From: Hubert Kario <>
Date: Mon, 20 Apr 2015 14:41:45 +0200
Message-ID: <>
User-Agent: KMail/4.14.4 (Linux/3.19.3-100.fc20.x86_64; KDE/4.14.6; x86_64; ; )
In-Reply-To: <>
References: <>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart3449153.6U6TQhFFqa"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.68 on
Archived-At: <>
Subject: Re: [TLS] FFDHE and SHOULDs on usage
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 20 Apr 2015 12:42:00 -0000

On Saturday 18 April 2015 05:10:52 Martin Rex wrote:
> Daniel Kahn Gillmor wrote:
> >> Groups are ordered based on client preference, noting the additional
> >> ordering considerations in Section 6.1.
> > 
> > Also, this rewrite says "ordered based on client preferences" but
> > doesn't indicate which order based on client preferences: most preferred
> > to least preferred or the other way around.  It may be pedantic, but
> > this is exactly the sort of pedantry that RFCs should include.
> Could we just scrap the "based on xxx preference" nonsense entirely?
> The sender of the list sends whatever it sees fit, and the receiver
> of the list has the privilege to pick what ever the receiver believes
> is most appropriate from the receivers point of view.
> I never understood why (a) such a silly suggestion was made for
> the ordering of cipher suites in ClientHello and (b) why any TLS server
> implementaion would care for the client's ordering rather than enforcing
> the server preference.  If the client does not want something, it must
> not offer it.  If the server does not want something, it must not pick it.

If you have a relatively recent desktop CPU you don't care if you're using AES 
or ChaCha20. But if you're on a CPU which doesn't have a hardware acceleration 
for AES and is relatively slow (think mobile ARM), then you really would 
prefer ChaCha20 cipher over AES.

So server should _consider_ client preference. And the clients should have an 
order which is sane.
Hubert Kario
Quality Engineer, QE BaseOS Security team
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic