[openssl-dev] Proposed cipher changes for post-1.0.2
Salz, Rich
rsalz at akamai.com
Wed Feb 11 15:15:11 UTC 2015
> Note that for most applications the correct approach to configuring
> ciphersuites should be to start with DEFAULT and subtract what they don't
> want. The library is then responsible for a generally sensible default order
> and default exclusions.
I strongly disagree. Most applications should explicitly list the ciphers they DO want. That is the only way an application can be sure of what it is getting, without consulting external parties or configuration. Otherwise, when the next Crime or Poodle or NameOfTheWeek comes out, you have no idea if you are vulnerable or not unless you look at something like the OpenSSL source code.
For what it's worth, I believe that "security levels" make this problem much worse.
/r$
More information about the openssl-dev
mailing list