[openssl-dev] Proposed cipher changes for post-1.0.2
Hubert Kario
hkario at redhat.com
Wed Feb 11 11:59:22 UTC 2015
On Tuesday 10 February 2015 21:46:46 Viktor Dukhovni wrote:
> On Tue, Feb 10, 2015 at 09:15:36PM +0000, Salz, Rich wrote:
> > I would like to make the following changes in the cipher specs, in the
> > master branch, which is planned for the next release after 1.0.2
> >
> > Anything that uses RC4 or MD5 what was in MEDIUM is now moved to LOW
>
> Note, that RC4 is already the only commonly used cipher-suite in MEDIUM.
>
> Changing the definitions of EXPOR, LOW, MEDIUM introduces significant
> compatibility issues for opportunistic TLS (e.g. Postfix) where
> RC4 is still required for interop and is better than cleartext.
Opportunistic TLS is a-typical use of TLS. One that is vulnerable to trivial
MitM attacks by the very definition. Using "ALL", possibly "ALL:!aNULL",
instead of "DEFAULT" doesn't make it much less secure.
--
Regards,
Hubert Kario
More information about the openssl-dev
mailing list