[openssl-dev] [openssl.org #3627] Enhancement request: add more "Protocol" options for SSL_CONF_CTX

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Dec 10 19:26:00 UTC 2014


On 12/10/2014 12:59 PM, Salz, Rich via RT wrote:
>> Personally i am willing to put enough trust in the OpenSSL team *even
>> insofar* as i now do 'set ssl-protocol="ALL,-VULNERABLE"'
>> and leave the task of deciding what is VULNERABLE up to you.
> 
> That is not a responsibility we want.  No how, no way.  It is enough to be responsible for the code.

this is disappointing.  The OpenSSL team is in the best position to
provide sane and simple defaults/profiles, and to have those mechanisms
be upgraded smoothly without applications or admins needing to know
about them.  Requiring administrators to tweak every application that
uses TLS is a losing battle, and pretty much guarantees that we'll be
keeping users with less-secure or outdated configurations.

Programs which use the OpenSSL library generally just want to flip a
switch and know that they've "turned on security", instead of trying to
expose dozens of complex controls to the user or administrator.  The
closer OpenSSL can come to that ideal, the more likely its users will
have reasonably strong crypto without having to learn the dirty dirty
details and history of TLS and its predecessors.

> There are better alternatives, including bettercrypto.org and another proposal from RedHat to have site/distro-specific 'profiles' 

I am happy that both of these things exist, but they don't preclude
OpenSSL providing something and they shouldn't need to be as complex as
they are.

The configuration recommendations in bettercrypto.org are *at best* an
ugly workaround to the lack of sane and simple mechanisms in the
projects it supports.

I'd love to see a version of bettercrypto.org that only has to say "to
configure OpenSSL version 1.0.3 and higher, you should use the string
BEST_PRACTICE"

	--dkg
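To make concrete the kind of profile switch argued for above, here is an added model (not OpenSSL code, and not dkg's) of how an SSL_CONF "Protocol" string is resolved, extended with a hypothetical "VULNERABLE" alias; the contents of that alias are an assumption of the example.

```python
"""Model of SSL_CONF_cmd "Protocol" resolution plus a hypothetical VULNERABLE alias.

Constructed illustration; the alias and its contents are assumptions, not OpenSSL behaviour.
"""
from typing import Set

# Protocol versions the 1.0.x "Protocol" command understands, oldest first.
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# Assumed contents of the hypothetical VULNERABLE alias. Deciding which versions
# belong here is exactly the judgement the thread is about; this set is only an
# assumption used to make the example run.
ALIASES = {
    "ALL": set(PROTOCOLS),
    "VULNERABLE": {"SSLv2", "SSLv3"},
}


def resolve_protocol(spec: str) -> Set[str]:
    """Resolve a comma-separated Protocol list into the set of enabled versions.

    Modelled on the documented SSL_CONF semantics: a bare name or +name enables a
    version, -name disables it, and entries apply left to right from an empty set.
    """
    enabled: Set[str] = set()
    for raw in spec.split(","):
        token = raw.strip()
        if not token:
            continue
        op = "+"
        if token[0] in "+-":
            op, token = token[0], token[1:]
        versions = ALIASES.get(token)
        if versions is None:
            if token not in PROTOCOLS:
                raise ValueError(f"unknown protocol or alias: {token!r}")
            versions = {token}
        if op == "+":
            enabled |= versions
        else:
            enabled -= versions
    return enabled


def is_profile_safe(spec: str) -> bool:
    """True when the resolved set contains nothing from the VULNERABLE alias."""
    return not (resolve_protocol(spec) & ALIASES["VULNERABLE"])


if __name__ == "__main__":
    for spec in ("ALL", "ALL,-VULNERABLE", "ALL,-SSLv2", "-ALL,TLSv1.2"):
        print(f"{spec:18} -> {sorted(resolve_protocol(spec))}  safe={is_profile_safe(spec)}")
```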
