[openssl-dev] [openssl.org #3627] Enhancement request: add more "Protocol" options for SSL_CONF_CTX

Yoav Nir ynir.ietf at gmail.com
Wed Dec 10 19:07:14 UTC 2014


> On Dec 9, 2014, at 1:24 PM, Steffen Nurpmeso via RT <rt at openssl.org> wrote:
> 
> "Salz, Rich" <rsalz at akamai.com> wrote:
> |I think magic names -- shorthands -- are a very bad idea. \
> 
> I _completely_ disagree.
> 
> | They are point-in-time statements whose meaning evolves, \
> |if not erodes, over time.
> 
> Because I don't think that a normal user, or even normal
> administrators and programmers, are willing or even capable
> of understanding what they are doing.

You are almost certainly far better qualified to make this decision than most administrators. Nevertheless, if upgrading OpenSSL from version X to version Y causes a ciphersuite (or TLS version) to be dropped into VULNERABLE, there are going to be angry phone calls from users whose browser or application has stopped working. It is the administrator who is going to get those phone calls, not you, and the decision of whether to enable an obsolete ciphersuite or to force the user/programmer to update is a political decision that you can’t make on their behalf. 

So there’s bettercrypto.org and there’s Qualys and there’s this BCP document that the UTA working group at the IETF is writing, but ultimately we can’t shove security down people’s throats - just make good tools for them and provide (hopefully) good advice.

Yoav