[openssl-users] [openssl-dev] Proposed cipher changes for post-1.0.2

[Michael Wojcik]

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Viktor Dukhovni
> Sent: Tuesday, February 10, 2015 21:01
> To: openssl-dev at openssl.org; openssl-users at openssl.org
> Subject: Re: [openssl-users] [openssl-dev] Proposed cipher changes for
> post-1.0.2
> 
> On Wed, Feb 11, 2015 at 12:22:44AM +0000, Salz, Rich wrote:
> 
> > RC4 in LOW has a bit of pushback so far.  My cover for it is that
> > the IETF says "don't use it."  So I think saying "if you want it,
> > say so" is the way to go.
> 
> By all means, don't use it, but it is not OpenSSL's choice to make
> by breaking the meaning of existing interfaces.
> 
> If you put RC4 in LOW, one can no longer exclude LOW ciphers if
> one still needs RC4.  Nobody uses single-DES, but enough peers
> still use (only) RC4 to make disabling of RC4 a choice best made
> by applications.

I agree with Viktor. His suggestion (keep RC4 in MEDIUM, suppress it explicilty in DEFAULT) is a good one that maintains important backward compatibility while providing the desired removal of RC4 by default. There's no advantage to moving RC4 to LOW.

-- 
Michael Wojcik
Technology Specialist, Micro Focus



This message has been scanned for malware by Websense. www.websense.com