[openssl-users] recommended build options
Viktor Dukhovni
openssl-users at dukhovni.org
Thu Mar 3 18:49:59 UTC 2016
On Thu, Mar 03, 2016 at 08:13:36AM -0500, Wall, Stephen wrote:
> > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On
> > Behalf Of Viktor Dukhovni
> >
> > By and large what should be off by default eventually or already
> > is, but there can be some delay for backwards compatibility.
> ...
> > With these you're covered for no-ssl2 no-comp and no weak ciphers.
>
> We are using 1.0.2f, no-ssl2 and no-comp do not appear to be defaults in
> that version. Should heartbeats be turned off, or have recent version of
> OpenSSL taken care of any potential weaknesses there?
Yes, you do need to disable "ssl2" in releases prior to 1.0.1s
and 1.0.2g.
Note that "no-comp" is a consequence of "zlib" and "zlib-dynamic"
not being enabled. You have to choose to turn compression on IIRC
by enabling one of these.
--
Viktor.
More information about the openssl-users
mailing list