[openssl-dev] Proposed cipher changes for post-1.0.2
Steffen Nurpmeso
sdaoden at yandex.com
Fri Feb 13 13:02:27 UTC 2015
Hello,
Nikos Mavrogiannopoulos <nmav at redhat.com> wrote:
|On Thu, 2015-02-12 at 18:39 +0100, Steffen Nurpmeso wrote:
|> And i want to point to OPENSSL_config(3) which states for a longer
|> time duration:
|>
|> It is strongly recommended that all new applications call
|> OPENSSL_config() or the more sophisticated functions such as
|> CONF_modules_load() during initialization (that is before starting any
|> # /etc/openssl.rc
|> [ciphers]
|> DEFAULT=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
|> !ALL=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
|>
|> so that a user could do
|>
|> # ~/.openssl.rc
|> [ciphers]
|> DEFAULT=ECDHE-RSA-AES256-GCM-SHA384
|
|Some time ago, I had submitted a patch which allows administrators, but
|most importantly OS distributors to set their own strings in the
|configuration file, which software can then rely on, to provide a
|consistent security level: https://github.com/openssl/openssl/pull/192
Sorry, i haven't seen that yet. Of course, defining their very
own profile in a special namespace is i think also a great option
for users.
--steffen