[openssl-dev] Proposed cipher changes for post-1.0.2

Viktor Dukhovni openssl-users at dukhovni.org
Tue Feb 10 21:46:46 UTC 2015


On Tue, Feb 10, 2015 at 09:15:36PM +0000, Salz, Rich wrote:

> I would like to make the following changes in the cipher specs, in the master branch, which is planned for the next release after 1.0.2
> 
> Anything that uses RC4 or MD5 that was in MEDIUM is now moved to LOW

Note that RC4 is already the only commonly used cipher-suite in MEDIUM.

Changing the definitions of EXPORT, LOW, MEDIUM introduces significant
compatibility issues for opportunistic TLS (e.g. Postfix) where
RC4 is still required for interop and is better than cleartext.

I have no issues with changing "DEFAULT", but would strongly prefer
to not see RC4 demoted to LOW.  Just define:

    DEFAULT = ALL:!aNULL:!EXPORT:!LOW:!RC4:!MD5

Which leaves from MEDIUM just SEED and IDEA:

    $ openssl ciphers -v 'MEDIUM:!aNULL:!MD5:!RC4'
    DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
    DHE-DSS-SEED-SHA        SSLv3 Kx=DH       Au=DSS  Enc=SEED(128) Mac=SHA1
    DH-RSA-SEED-SHA         SSLv3 Kx=DH/RSA   Au=DH   Enc=SEED(128) Mac=SHA1
    DH-DSS-SEED-SHA         SSLv3 Kx=DH/DSS   Au=DH   Enc=SEED(128) Mac=SHA1
    SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
    IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1

--
	Viktor.
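
An added example, not part of the original message or of OpenSSL: a small parser for `openssl ciphers -v` output that reports which suites a candidate cipher string still admits from the RC4, MD5, aNULL and EXPORT classes excluded by the proposed DEFAULT. The function names are hypothetical and the two RC4 rows in the sample are constructed; LOW membership is not inferred because it does not appear in the output columns.

```python
import re

# Sample in `openssl ciphers -v` format: the six suites listed in the message,
# plus two RC4 rows constructed here to exercise the checks.
SAMPLE = """\
DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA        SSLv3 Kx=DH       Au=DSS  Enc=SEED(128) Mac=SHA1
DH-RSA-SEED-SHA         SSLv3 Kx=DH/RSA   Au=DH   Enc=SEED(128) Mac=SHA1
DH-DSS-SEED-SHA         SSLv3 Kx=DH/DSS   Au=DH   Enc=SEED(128) Mac=SHA1
SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
"""

# One row: name, protocol, Kx=, Au=, Enc=alg(bits), Mac=, optional "export".
LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[^\s(]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
    r"(?P<export>\s+export)?$"
)

def parse_ciphers(text):
    """Parse `openssl ciphers -v` output; fail closed on unknown rows."""
    suites = []
    for raw in text.splitlines():
        row = raw.strip()
        if not row:
            continue
        m = LINE.match(row)
        if m is None:
            raise ValueError(f"unrecognised line: {raw!r}")
        suites.append(m.groupdict())
    return suites

def violations(suite):
    """Return the excluded classes (RC4, MD5, aNULL, EXPORT) a suite falls in."""
    checks = [("RC4", suite["enc"] == "RC4"), ("MD5", suite["mac"] == "MD5"),
              ("aNULL", suite["au"] == "None"), ("EXPORT", bool(suite["export"]))]
    return [label for label, hit in checks if hit]

def audit(text):
    """Map suite name -> violated classes, for suites with any violation."""
    return {s["name"]: v for s in parse_ciphers(text) if (v := violations(s))}

if __name__ == "__main__":
    for name, why in audit(SAMPLE).items():
        print(f"{name}: {', '.join(why)}")
```

To audit a real configuration, pass the output of `openssl ciphers -v '<string>'` to `audit()` instead of `SAMPLE`; an empty result means none of the four classes remain.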

