[openssl-dev] [openssl.org #3627] Enhancement request: add more "Protocol" options for SSL_CONF_CTX
Steffen Nurpmeso via RT
rt at openssl.org
Thu Dec 11 13:04:19 UTC 2014
"Salz, Rich via RT" <rt at openssl.org> wrote:
|> Y causes a ciphersuite (or TLS version) to be dropped into VULNERABLE,
|I am more concerned about the case where a common crypto type \
|is broken, and zillions (a technical term :) of websites are \
|now at-risk because there wasn't an immediate OpenSSL update \
|that added the broken crypto to the VULNERABLE list, and \
|everyone didn't update immediately.
|
|Policy and configuration should be on a separate, arguably \
|faster, distribution pattern than code. Which is why I favor \
|a "profile" mechanism in openssl.conf and not hardwired magic \
|keywords embedded in code.
So you want a separate "openssl-conf" package. Fine, then provide
it and give an easy mechanism for applications to hook into it.
And for users to be able to overwrite system defaults.
But this does not have that much to do with #3627.
|
|Perhaps modesty prevented you from posting the link, but it \
|won't stop me (we're both in the acknowledgements section :)
| https://tools.ietf.org/html/draft-ietf-uta-tls-bcp-07
I have to look into OCSP. (But it has nothing to do with #3627.)
--steffen