DH group cipher suites getting rejected

DH group cipher suites getting rejected

Chitrang Srivastava
Hi,

Why has Google rejected DH cipher suites? I am trying:
openssl s_client -cipher 'DHE-RSA-AES128-GCM-SHA256' -connect www.google.com:443
However, if I try ECDHE, it works fine. Are DHE-only cipher suites less common now?
I believe it's the responsibility of the server to generate DHparam of large enough size.

Thanks


Re: DH group cipher suites getting rejected

OpenSSL - User mailing list
  • However, if I try ECDHE, it works fine. Are DHE-only cipher suites less common now?
  • I believe it's the responsibility of the server to generate DHparam of large enough size.


Yes, DHE has dropped because it is hard to get right, and it takes more CPU cycles than ECDHE.
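
Added example, not part of the original thread: a small wrapper around the `openssl s_client` test from the question that reports whether a suite was accepted and, when `s_client` prints a `Server Temp Key` line, the size of the ephemeral DH or ECDH key the server chose. The function names `classify` and `probe` are hypothetical, and the sample outputs are constructed and abbreviated.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output read from stdin.
# Prints "rejected" or "accepted:<kx>:<cipher>:<server temp key>".
classify() {
    out=$(cat)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^.*Cipher is \(.*\)$/\1/p' | head -n 1)
    key=$(printf '%s\n' "$out" | sed -n 's/^Server Temp Key: \(.*\)$/\1/p' | head -n 1)
    case "$cipher" in
        ""|"(NONE)") echo "rejected"; return 0 ;;
        ECDHE-*)     kx=ECDHE ;;
        DHE-*)       kx=DHE ;;
        # TLS 1.3 suite names (TLS_...) do not encode the key exchange.
        *)           kx=other ;;
    esac
    echo "accepted:$kx:$cipher:${key:-unknown}"
}

# Run the probe against a server you operate or are authorised to test.
# -tls1_2 pins the version: -cipher only filters suites for TLS 1.2 and
# below, so without it a TLS 1.3 handshake can succeed regardless of $2.
probe() {
    host=$1
    suite=$2
    openssl s_client -tls1_2 -cipher "$suite" -servername "$host" \
        -connect "$host:443" </dev/null 2>&1 | classify
}

# Constructed, abbreviated s_client outputs for offline checking.
SAMPLE_REJECTED='CONNECTED(00000003)
New, (NONE), Cipher is (NONE)'

SAMPLE_DHE='CONNECTED(00000003)
Server Temp Key: DH, 2048 bits
New, TLSv1.2, Cipher is DHE-RSA-AES128-GCM-SHA256'

SAMPLE_ECDHE='CONNECTED(00000003)
Server Temp Key: X25519, 253 bits
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256'

SAMPLE_TLS13='CONNECTED(00000003)
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384'
```

A result of `accepted:other:TLS_...` means the handshake was TLS 1.3 and the `-cipher` filter was never exercised.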