[openssl-dev] [openssl.org #3919] ssl.h uses ALL in its default cipher list

noloader@gmail.com via RT rt at openssl.org
Sun Jun 21 22:14:38 UTC 2015


The following is from ssl.h, around line 285:

    /*
     * The following cipher list is used by default. It also is substituted when
     * an application-defined cipher list string starts with 'DEFAULT'.
     */
    # define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL"

It's 2015, and it's probably best to change that to something like:

    # define SSL_DEFAULT_CIPHER_LIST "HIGH:!aNULL:!eNULL"

Or:

    # define SSL_DEFAULT_CIPHER_LIST "HIGH:!aNULL:!eNULL:!RC4:!MD5"

I personally have less of a problem with MD5 in this context because
the HMAC must be broken in 2-MSL, and many/most attackers cannot do
it. But it's a compliance thing....

Also, browsers are now warning about outdated cryptography, which
includes the LOW and MEDIUM stuff (and RC4 and MD5). For example, see
http://security.stackexchange.com/q/83831 and
http://stackoverflow.com/q/30270788. So anything using OpenSSL with
those settings could cause problems for unsuspecting users.

The change also means the library is more secure out of the box, and
easier to use correctly and harder to use incorrectly.

For those who want Opportunistic Security
(http://tools.ietf.org/html/rfc7435), they can use different settings
that suit their taste.

_______________________________________________
openssl-bugs-mod mailing list
openssl-bugs-mod at openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod
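The two cipher strings in the post can be compared directly against whatever OpenSSL a Python interpreter is linked to, using only the standard-library ssl module. The script below is an added example, not code from the post or from OpenSSL; the constants OLD_DEFAULT and PROPOSED are just the strings quoted above, and the helper names (expand, weak_suites, min_strength_bits, compare) are mine. Note that on OpenSSL 1.1.0 and later RC4 and the LOW suites are usually not compiled in at all, so the "dropped" list may be short or empty on a current build; the check that the stricter string still selects nothing with RC4, an MD5 MAC, or a NULL cipher/authentication holds on any build.

```python
"""Compare what the linked OpenSSL resolves for the old default cipher
string and for the stricter string proposed in the post.

Added example, not code from the post or from OpenSSL.  It uses only the
standard-library ``ssl`` module, so the suites it returns depend on the
OpenSSL build Python is linked against.  The two cipher strings are the
ones quoted in the post; everything else here is illustrative.
"""
import ssl

OLD_DEFAULT = "ALL:!aNULL:!eNULL"            # SSL_DEFAULT_CIPHER_LIST in 2015
PROPOSED = "HIGH:!aNULL:!eNULL:!RC4:!MD5"    # second suggestion in the post

# Substrings in an OpenSSL suite name that a reviewer flags on sight
# (RC4, MD5 MAC, NULL cipher/auth, export grade, anonymous DH, DES/3DES).
WEAK_MARKERS = ("RC4", "MD5", "NULL", "EXP", "ADH", "AECDH", "DES")


def expand(cipher_string):
    """Return {suite_name: entry} for every suite the cipher string selects.

    OpenSSL rejects a string that matches nothing; report that as an empty
    dict instead of raising, since "no suites at all" is exactly what an
    operator needs to see before shipping the string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return {}
    return {c["name"]: c for c in ctx.get_ciphers()}


def weak_suites(suites):
    """Names in `suites` carrying a weak marker, plus any suite whose MAC
    is MD5 even when the name does not say so."""
    flagged = set()
    for name, entry in suites.items():
        if any(marker in name for marker in WEAK_MARKERS):
            flagged.add(name)
        elif entry.get("digest") == "MD5":
            flagged.add(name)
    return flagged


def min_strength_bits(suites):
    """Weakest symmetric key strength in the set (0 if the set is empty)."""
    return min((e["strength_bits"] for e in suites.values()), default=0)


def compare(old=OLD_DEFAULT, new=PROPOSED):
    """Summary of how the stricter string narrows the old default."""
    old_set, new_set = expand(old), expand(new)
    return {
        "old_count": len(old_set),
        "new_count": len(new_set),
        "removed": sorted(set(old_set) - set(new_set)),
        "new_is_subset": set(new_set) <= set(old_set),
        "new_weak": sorted(weak_suites(new_set)),
        "new_min_bits": min_strength_bits(new_set),
    }


if __name__ == "__main__":
    r = compare()
    print(f"{OLD_DEFAULT!r}: {r['old_count']} suites")
    print(f"{PROPOSED!r}: {r['new_count']} suites, weakest {r['new_min_bits']} bits")
    print("dropped by the stricter string:", ", ".join(r["removed"]) or "(none)")
    print("weak suites still selected:", ", ".join(r["new_weak"]) or "(none)")
```

Run it against the OpenSSL you actually deploy with, not a developer laptop: the point of the post is that SSL_DEFAULT_CIPHER_LIST is a compile-time default, so the set that "ALL" expands to is a property of the build, and the same string can be acceptable on one box and not on another. The DES marker is deliberately reported but not treated as fatal, because OpenSSL moved 3DES from HIGH to MEDIUM in 1.1.0 and older builds will still list it under HIGH.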