<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On 13 February 2016 at 00:16, Viktor Dukhovni <span dir="ltr"><<a href="mailto:openssl-users@dukhovni.org" target="_blank">openssl-users@dukhovni.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
> On Feb 12, 2016, at 6:55 PM, Richard Moore <<a href="mailto:richmoore44@gmail.com">richmoore44@gmail.com</a>> wrote:<br>
><br>
> Personally I think the fact that HIGH includes ciphersuites that offer no MITM protection means that those who trust it have already been totally betrayed.<br>
<br>
</span>The correct way to use high-grade ciphers is.<br>
<br>
"DEFAULT:!EXPORT:!LOW:!MEDIUM"<br>
<br>
The various individual cipherlist building blocks are properly orthogonal,<br>
and HIGH/MEDIUM/LOW/EXPORT covers only the symmetric algorithm strength.<br>
<br>
One can also use it safely via constructs such as "HIGH:!aNULL:!aDSS:!kRSA"<br>
(if say one also wants to disable DSA and RSA key transport).<br></blockquote><div><br></div><div><div class="gmail_default" style="font-family:verdana,sans-serif;display:inline">Yeah, the apache docs didn't say this for /many/ years and it was rejected when I reported it as a security problem. The docs had been correct I believe with some older versions of openssl but the more general point is that users need a setting that doesn't require expertise, a decoder ring or a secret handshake. I think we need to reach a point where DEFAULT is the only sensible option for users without extensive expertise and means to ensure that they don't make things worse by mistake. HIGH currently is a dangerous option.</div></div><div><div class="gmail_default" style="font-family:verdana,sans-serif;display:inline"><br></div></div><div><div class="gmail_default" style="font-family:verdana,sans-serif;display:inline">Rich.</div></div><div><div class="gmail_default" style="font-family:verdana,sans-serif;display:inline"></div> </div></div></div></div>