[openssl-dev] Proposed cipher changes for post-1.0.2

Dr. Stephen Henson steve at openssl.org
Wed Feb 11 13:41:16 UTC 2015


On Tue, Feb 10, 2015, Viktor Dukhovni wrote:

> 
> We should also recall that the master branch has introduced "security
> levels", which may still need some work to become production-ready,
> but are likely a better mechanism for applications to move to more
> secure settings than incompatible changes in existing interfaces.
> 

I'd agree that the best approach is to use security levels. This covers
a far wider set of parameters than just ciphersuites.

For example on the master branch the default security level is 1:

           The security level corresponds to a minimum of 80 bits of security.
           Any parameters offering below 80 bits of security are excluded. As
           a result RSA, DSA and DH keys shorter than 1024 bits and ECC keys
           shorter than 160 bits are prohibited. All export ciphersuites are
           prohibited since they all offer less than 80 bits of security. SSL
           version 2 is prohibited. Any ciphersuite using MD5 for the MAC is
           also prohibited.

This happens no matter what the cipher string is set to (unless it forcibly
lowers the security level). So an application setting ALL will get the
above conditions.

In the light of POODLE this could be amended to make SSLv3 disabled at level
1 or above.

Currently level 1 is the only real general purpose default (due to widespread
use of SHA1 in certificates which offer less than 80 bits of security).

The levels could be extended so there is more than one usable level.

Security levels can currently only completely disable ciphersuites: this
could be extended so they can prioritise them instead. For example that
would allow the use of PFS+AEAD ciphersuites first, PFS not AEAD second
and as a last resort RC4 at some levels.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
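The behaviour Steve describes above (the level filters suites whatever the cipher string says, unless the string itself lowers the level) can be observed from Python's ssl module, which hands the cipher string straight to SSL_CTX_set_cipher_list(). This is an added example, not code from the post or from the OpenSSL project; it assumes a Python linked against OpenSSL 1.1.0 or later, where the "@SECLEVEL=n" cipher-string syntax exists, and the helper names are mine. The `security_level` attribute only exists on Python 3.10+, so it is read defensively.

```python
"""Observe OpenSSL security levels through Python's ssl module.

Added example (not from the openssl-dev post). Assumes Python is built
against OpenSSL >= 1.1.0, where "@SECLEVEL=n" in a cipher string is the
equivalent of SSL_CTX_set_security_level(). Helper names are hypothetical.
"""
import ssl


def ciphers_at_level(level, cipher_string="ALL"):
    """Return the TLS <= 1.2 ciphersuites OpenSSL keeps for cipher_string
    once the given security level has been applied."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Appending "@SECLEVEL=n" is the only way a cipher string can change
    # (including lower) the level; the level then filters everything else.
    ctx.set_ciphers("%s:@SECLEVEL=%d" % (cipher_string, level))
    # TLS 1.3 suites are configured via SSL_CTX_set_ciphersuites, not the
    # cipher string, so drop them to compare like with like.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def effective_level(cipher_string):
    """Level a context ends up with after set_ciphers(); None if this
    Python (< 3.10) cannot report it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return getattr(ctx, "security_level", None)


def below_level_1(ciphers):
    """Names of suites that level 1 is documented to exclude: under 80 bits
    of security, or MD5 as the MAC."""
    return sorted(
        c["name"] for c in ciphers
        if c["strength_bits"] < 80 or c["name"].endswith("-MD5")
    )


def level_report(cipher_string="ALL"):
    """Compare what survives the same cipher string at levels 0 and 1."""
    lvl0 = ciphers_at_level(0, cipher_string)
    lvl1 = ciphers_at_level(1, cipher_string)
    names0 = {c["name"] for c in lvl0}
    names1 = {c["name"] for c in lvl1}
    return {
        "level0_count": len(lvl0),
        "level1_count": len(lvl1),
        "removed_by_level1": sorted(names0 - names1),
        "level1_is_subset": names1 <= names0,
        "weak_in_level1": below_level_1(lvl1),
    }


if __name__ == "__main__":
    for key, value in level_report().items():
        print("%-20s %s" % (key, value))
```

On a modern build with no export, RC4 or MD5 suites compiled in, `removed_by_level1` is usually empty: the level has nothing left to exclude. The point of the check is the other direction, that `weak_in_level1` is always empty whatever cipher string the application passed, and that the only way to get anything weaker back is a `@SECLEVEL=0` in the string itself.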

