Re: SSL connection issues, cipher questions -- MIDRANGE-L

This is a difficult question to answer, because things aren't as simple as "secure" or "not secure". Instead, there's a wide spectrum of varying degrees of ease of cracking the cryptography.

To put it another way: It's not all black or white, there are many shades of gray in between.

My opinion: This cipher uses an RSA non-ephemeral key exchange, and has a 128-bit key. 128-bit key is relatively weak by today's standards, and once broken the entire conversation will be completely visible to the attacker. I would not call this secure by today's standards.

By contrast, if you used a Diffie-Hellman ephemeral (DHE) key exchange, and the key is compromised, they'll only be able to see a part of the conversation because the key will change periodically. So this is more secure. Even better would be to use a 256 bit key.

But, it really depends on how big of a risk you're willing to take, how crucial your data is, etc.

I wonder why you don't just use a stronger cipher and be done with it?

On 1/27/2022 1:56 PM, Steinmetz, Paul via MIDRANGE-L wrote:

IBM is stating that TLS 1.2 cipher RSA_AES_128_GCM_SHA256 is safe and secure, can be used.

According to site ciphersuite.info it is weak, should be removed.
https://ciphersuite.info/search/?q=RSA_AES_128_GCM_SHA256

One of our main apps uses this cipher.
Our IT folks are asking I remove it, IBM states its ok.

How does one deal with conflicting statements regarding ciphers?

Paul

This mailing list archive is Copyright 1997-2026 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.