[Git][NTPsec/ntpsec][master] 6 commits: nts.adoc: Capitalize a MUST

Richard Laager rlaager at wiktel.com
Fri Feb 8 21:01:37 UTC 2019


On 2/7/19 6:37 PM, Gary E. Miller via devel wrote:
> Yo Richard!
> 
> On Fri, 08 Feb 2019 00:26:27 +0000
> Matt Selsky via vc <vc at ntpsec.org> wrote:
> 
>> dc2827a3 by Richard Laager at 2019-02-07T18:42:59Z
>> nts.adoc: Make AEAD_AES_SIV_CMAC_256 not implicit
>>
>> If the user specifies a NTPCipherSuite string, they need to include
>> AEAD_AES_SIV_CMAC_256 if they want it.  Otherwise, if it is implicit,
>> as the document previously said, this would preclude the user from
>> disabling AEAD_AES_SIV_CMAC_256 in the future, should that become
>> necessary.
> 
> The traditional way that OpenSSL, and its users (Apache, nginx, postfix,
> sendmail, etc.) handle this is with the "!" operator.

I'm aware of the ! operator in OpenSSL cipher strings.

The point of my edit was to replace text which violated the usual
conventions. The previous text was saying that whatever you specified
would have AEAD_AES_SIV_CMAC_256 added onto it. For example,
"AEAD_AES_GCM_256" would actually mean
"AEAD_AES_GCM_256:AEAD_AES_SIV_CMAC_256" (or
"AEAD_AES_SIV_CMAC_256:AEAD_AES_GCM_256", that part wasn't clear). That
is definitely not how cipher strings normally work, and is undesirable.
In fact, even with the ! operator, if the client is going to add ciphers
*after* processing the cipher string, that's not going to work.

-- 
Richard
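
The two semantics discussed in this message, side by side, as an added example that is not part of the original message and is not NTPsec or OpenSSL code. It assumes a colon-separated suite list with an OpenSSL-style "!" exclusion token; the function names and the `SUPPORTED` set are hypothetical.

```python
# Added illustration: a simplified cipher-string resolver.
# Not NTPsec or OpenSSL code; the "!" syntax for this list is an assumption.
MANDATORY = "AEAD_AES_SIV_CMAC_256"
# Constructed set of suites this hypothetical build supports.
SUPPORTED = ("AEAD_AES_SIV_CMAC_256", "AEAD_AES_GCM_256")


def resolve(cipher_string):
    """Resolve a colon-separated list; a '!NAME' token bans NAME."""
    enabled, banned = [], set()
    for token in filter(None, (t.strip() for t in cipher_string.split(":"))):
        name = token.lstrip("!")
        if name not in SUPPORTED:
            raise ValueError(f"unknown suite: {name}")
        if token.startswith("!"):
            banned.add(name)
        elif name not in enabled:
            enabled.append(name)
    return [s for s in enabled if s not in banned]


def explicit(cipher_string):
    """Semantics after the edit: the result is exactly what was listed."""
    return resolve(cipher_string)


def implicit_append(cipher_string):
    """Semantics of the previous text: the mandatory suite is added
    after the string has been processed, so a ban cannot remove it."""
    suites = resolve(cipher_string)
    if MANDATORY not in suites:
        suites.append(MANDATORY)
    return suites


def unrequested(cipher_string):
    """Suites that end up enabled although the string never asked for them."""
    wanted = explicit(cipher_string)
    return [s for s in implicit_append(cipher_string) if s not in wanted]


if __name__ == "__main__":
    for cs in ("AEAD_AES_GCM_256", "AEAD_AES_GCM_256:!AEAD_AES_SIV_CMAC_256"):
        print(cs, "->", explicit(cs), "vs", implicit_append(cs))
```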
