On Tue, Jun 02, 2015 at 02:01:47PM +0000, Thorsten Glaser wrote:
Michael Stone <mstone <at> debian.org> writes:You can mitigate it right now by reconfiguring your server to remove DH ciphers from SSLCipherSuite.That’s throwing the baby out with the bathwater and removing the ability to use PFS with clients that do not use ECC, for whatever reason (any discussing these reasons is off-topic). So, no. Bad advice, actually, which should not be given.
That's really something you need to evaluate for yourself. If you've got a reason not to use ECDH and still want PFS then you'll have to do something else. If you're happy to use ECDH and don't care about clients that can't support that, then turning off DH could be a reasonable mitigation. From a practical risk management perspective, even in the face of a threat model that involves attacking crypto, I'd be more worried about the vulnerabilities of something that's so old that it doesn't do ECDH than I'd be about any quibbles over DH vs RSA. If your concern is simply about the security of ECDH then this goes back to "evaluate for yourself". Hopefully someone considers all the pros and cons of whatever crypto configuration they're using.
Mike Stone