[openssl-dev] Proposed cipher changes for post-1.0.2
Hubert Kario
hkario at redhat.com
Wed Feb 11 12:01:14 UTC 2015
On Tuesday 10 February 2015 21:15:36 Salz, Rich wrote:
> I would like to make the following changes in the cipher specs, in the
> master branch, which is planned for the next release after 1.0.2
>
> Anything that uses RC4 or MD5 what was in MEDIUM is now moved to LOW
>
> Anything that was 40-bit encryption is removed:
> /* Cipher 03 "EXP-RC4-MD5" removed */
> /* Cipher 06 "EXP-RC2-CBC-MD5" removed */
> /* Cipher 08 "EXP-DES-CBC-SHA" removed */
> /* Cipher 0B "EXP-DH-DSS-DES-CBC-SHA" removed */
> /* Cipher 0E "EXP-DH-RSA-DES-CBC-SHA" removed */
> /* Cipher 11 "EXP-DHE-DSS-DES-CBC-SHA" removed */
> /* Cipher 14 "EXP-DHE-RSA-DES-CBC-SHA" removed */
> /* Cipher 17 "EXP-ADH-RC4-MD5" removed */
> /* Cipher 19 "EXP-ADH-DES-CBC-SHA" removed */
> /* Cipher 26 "EXP-KRB5-DES-CBC-SHA" removed */
> /* Cipher 27 "EXP-KRB5-RC2-CBC-SHA" removed */
> /* Cipher 28 "EXP-KRB5-RC4-SHA" removed */
> /* Cipher 29 "EXP-KRB5-DES-CBC-MD5" removed */
> /* Cipher 2A "EXP-KRB5-RC2-CBC-MD5" removed */
> /* Cipher 2B "EXP-KRB5-RC4-MD5" removed */
>
> The value of DEFAULT changes to this:
> ALL:!LOW:!EXPORT:!aNULL:!eNULL
>
> The combination of the first and last changes means that anyone who wants or
> needs to use, say RC4 must explicitly say so.
>
> Comments?
Maybe we should also move 3DES to MEDIUM? Given that this is effectively a 112
bit cipher...
Also, what about changing order so that 128bit+ AEAD and PFS are preferred
over other ciphers (including 256 bit ones)?
--
Regards,
Hubert Kario
More information about the openssl-dev
mailing list