On 07/26/2018 01:34 PM, Hallvard Breien Furuseth wrote:
On 26. juli 2018 09:04, Dieter Klünter wrote:
Am Thu, 26 Jul 2018 08:19:34 +0200 schrieb Michael Ströder michael@stroeder.com:
I really wonder why it was set to 71.
As Kurt mentioned on 1st. LDAPCon in Cologne, it is higher value than 56 and less than 128.
I.e. between DES (56) and "RC4, Blowfish and other modern strong ciphers" (128) described for olcSaslSecProps minssf in man slapd-config. Also lower than triple DES (112).
Well, the references to 3DES and RC4 shows that the whole SSF concept is broken anyway. No-one would assume RC4 to have SSF=128 anymore.
This is a can of worms. The OpenSSL folks also had to adjust there cipher sets behind the labels HIGH etc. recently. This should be subject of on-going changes.
The CyrusSASL project also sets SSF levels which I'd consider outdated. Well, the project seems pretty much dead anyway.
Ciao, Michael.