[openssl-dev] Proposed cipher changes for post-1.0.2

Hubert Kario hkario at redhat.com
Wed Feb 11 12:10:48 UTC 2015


On Wednesday 11 February 2015 02:00:50 Viktor Dukhovni wrote:
> On Wed, Feb 11, 2015 at 12:22:44AM +0000, Salz, Rich wrote:
> > RC4 in LOW has a bit of pushback so far.  My cover for it is that
> > the IETF says "don't use it."  So I think saying "if you want it,
> > say so" is the way to go.
> 
> By all means, don't use it, but it is not OpenSSL's choice to make
> by breaking the meaning of existing interfaces.
> 
> If you put RC4 in LOW, one can no longer exclude LOW ciphers if
> one still needs RC4.  Nobody uses single-DES, but enough peers
> still use (only) RC4 to make disabling of RC4 a choice best made
> by applications.

If you upgrade to a new minor version of the library and don't check the
configuration afterwards, you're part of the problem.

Example? "ALL:!ADH" and variations thereof.


It *IS* the library's duty to update the policies. Changing policies in the
hundreds of applications that use it every time a cipher or protocol is broken 
is insanity.

All the keyword definitions in ciphers(1) use the word "currently".
-- 
Regards,
Hubert Kario

