aboutsummaryrefslogtreecommitdiffstats
path: root/doc/manual/tls.rst
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2016-12-28 14:04:20 -0500
committerJack Lloyd <[email protected]>2016-12-28 14:04:20 -0500
commit3233498b1529f267eb1d76963cba25edbb3335e2 (patch)
treea8b5f3f29d8a19bcd552d2baa772b6ce288fab3c /doc/manual/tls.rst
parentc26c554dde9d9a4f88f91764dc5dfa1416e152ff (diff)
Add note about CECPQ1 in TLS manual
[ci skip]
Diffstat (limited to 'doc/manual/tls.rst')
-rw-r--r--doc/manual/tls.rst16
1 files changed, 16 insertions, 0 deletions
diff --git a/doc/manual/tls.rst b/doc/manual/tls.rst
index 16d8e4f08..77794657c 100644
--- a/doc/manual/tls.rst
+++ b/doc/manual/tls.rst
@@ -609,6 +609,22 @@ policy settings from a file.
Default: "CECPQ1", "ECDH", "DH"
+ .. note::
+
+ CECPQ1 key exchange provides post-quantum security to the key exchange
+ by combining NewHope with a standard x25519 ECDH exchange. This prevents
+ an attacker, even one with a quantum computer, from later decrypting the
+ contents of a recorded TLS transcript. The NewHope algorithm is very
+ fast, but adds roughly 4 KiB of additional data transfer to every TLS
+ handshake. And even if NewHope ends up completely broken, the 'extra'
+ x25519 exchange secures the handshake.
+
+ For applications where the additional data transfer size is unacceptable,
+ simply allow only ECDH key exchange in the application policy. DH
+ exchange also often involves transferring several additional Kb (without
+ the benefit of post quantum security) so if CECPQ1 is being disabled for
+ traffic overhread reasons, DH should also be avoid.
+
Also allowed: "RSA", "SRP_SHA", "ECDHE_PSK", "DHE_PSK", "PSK"
.. note::