[CentOS] SSH Weak Ciphers

Wed Oct 19 20:40:10 UTC 2016
Alice Wonder <alice at domblogger.net>

On 10/19/2016 11:34 AM, Leonard den Ottolander wrote:
> Hello Gordon,
>
*snip*
>
> Personally I would be more concerned whether or not to enable ECDSA
> algorithms (https://blog.cr.yp.to/20140323-ecdsa.html).
>
> Regards,
> Leonard.
>

For web server ECDSA certs is currently a concern because the only 
curves with popular support across browsers have parameters that were 
chosen for undocumented reasons.

That doesn't mean they are vulnerable but there is a question.

OpenSSH uses Curve25519 for ECDSA which has documented reasons for the 
parameters chosen and thus are far less likely to be nefariously chosen.

At least that's my understanding of the situation, which could be flawed.