[openssl-dev] Proposed cipher changes for post-1.0.2
Viktor Dukhovni
openssl-users at dukhovni.org
Wed Feb 11 06:38:00 UTC 2015
On Wed, Feb 11, 2015 at 06:11:08AM +0000, Viktor Dukhovni wrote:
> I think these definitions should stay the same, but I have no
> objection to disabling RC4 in DEFAULT, or entirely removing
> EXPORT/LOW.
And also MD5 (which subsumes all SSLv2 cipher-suites).
Note that for most applications the correct approach to configuring
ciphersuites should be to start with DEFAULT and subtract what they
don't want. The library is then responsible for a generally sensible
default order and default exclusions.
For example, the below yields a compact list of cipher-suites with
little legacy baggage:
DEFAULT:!EXPORT:!LOW:!MD5:!RC4:!SRP:!PSK:!aDSS:!aDH:!SEED:!IDEA:!kECDHr:!kECDHe
A variant with RC4-SHA as a last resort would be:
DEFAULT:!EXPORT:!LOW:!MD5:!SRP:!PSK:!aDSS:!aDH:!SEED:!IDEA:!kECDHr:!kECDHe:+RC4
--
Viktor.
More information about the openssl-dev
mailing list