[openssl-dev] Proposed cipher changes for post-1.0.2
Marcus Meissner
meissner at suse.de
Wed Feb 11 16:09:22 UTC 2015
On Wed, Feb 11, 2015 at 03:15:11PM +0000, Salz, Rich wrote:
> > Note that for most applications the correct approach to configuring
> > ciphersuites should be to start with DEFAULT and subtract what they don't
> > want. The library is then responsible for a generally sensible default order
> > and default exclusions.
>
> I strongly disagree. Most applications should explicitly list the ciphers they DO want. That is the only way an application can be sure of what it is getting, without consulting external parties or configuration. Otherwise, when the next Crime or Poodle or NameOfTheWeek comes out, you have no idea if you are vulnerable or not unless you look at something like the OpenSSL source code.
>
> For what it's worth, I believe that "security levels" make this problem much worse.
Our customers during the last SSL exploits were hoping for a global configuration
file actually to change cipher preferences.
Something that is present in 1.0.2 although I have not checked it deeply yet.
Ciao, Marcus
More information about the openssl-dev
mailing list