Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
crypto [2014/03/28 19:00] mcb30 |
crypto [2024/02/20 11:23] (current) mcb30 |
||
|---|---|---|---|
| Line 9: | Line 9: | ||
| ^ Protocol versions | TLSv1.0 TLSv1.1 TLSv1.2 | | ^ Protocol versions | TLSv1.0 TLSv1.1 TLSv1.2 | | ||
| ^ Public-key algorithms | RSA | | ^ Public-key algorithms | RSA | | ||
| - | ^ Block cipher algorithms | AES-128-CBC AES-256-CBC | | + | ^ Key exchange algorithms | RSA DHE ECDHE | |
| - | ^ Hash algorithms | MD5 SHA-1 SHA-256 | | + | ^ Block cipher algorithms | AES-128-GCM AES-256-GCM AES-128-CBC AES-256-CBC | |
| + | ^ Hash algorithms | MD5 SHA-1 SHA-224 SHA-256 SHA-384 SHA-512 SHA-512/224 SHA-512/256 | | ||
| + | ^ Named curves | X25519 | | ||
| - | The exact list of supported cipher suites is RSA_WITH_AES_256_CBC_SHA256, RSA_WITH_AES_128_CBC_SHA256, RSA_WITH_AES_256_CBC_SHA, and RSA_WITH_AES_128_CBC_SHA. | + | The exact list of supported cipher suites is: |
| + | |||
| + | * TLS_RSA_WITH_AES_128_CBC_SHA | ||
| + | * TLS_DHE_RSA_WITH_AES_128_CBC_SHA | ||
| + | * TLS_RSA_WITH_AES_256_CBC_SHA | ||
| + | * TLS_DHE_RSA_WITH_AES_256_CBC_SHA | ||
| + | * TLS_RSA_WITH_AES_128_CBC_SHA256 | ||
| + | * TLS_RSA_WITH_AES_256_CBC_SHA256 | ||
| + | * TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | ||
| + | * TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | ||
| + | * TLS_RSA_WITH_AES_128_GCM_SHA256 | ||
| + | * TLS_RSA_WITH_AES_256_GCM_SHA384 | ||
| + | * TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | ||
| + | * TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | ||
| + | * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ||
| + | * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ||
| + | * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ||
| + | * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ||
| + | * TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ||
| + | * TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ||
| ===== Trusted root certificates ===== | ===== Trusted root certificates ===== | ||
| - | In the default configuration, iPXE trusts only a single root certificate: the {{:certs:ca.crt|"iPXE root CA" certificate}}. | + | In the default configuration, iPXE trusts only a single root certificate: the {{:certs:ca.crt|"iPXE root CA" certificate}}. This root certificate is used to cross-sign the standard [[https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt|Mozilla list of public CA certificates]]. |
| + | |||
| + | In the default configuration, iPXE will therefore automatically trust the same set of certificates as the [[https://www.mozilla.org/firefox/|Firefox]] web browser. | ||
| If you want more control over the chain of trust, then you can generate your own private root certificate ''ca.crt'' using: | If you want more control over the chain of trust, then you can generate your own private root certificate ''ca.crt'' using: | ||
