[openssl-dev] [openssl.org #3231] default ciphers include insecure export cipher suites

Viktor Dukhovni openssl-users at dukhovni.org
Sun May 3 20:21:15 UTC 2015


On Sun, May 03, 2015 at 10:12:45PM +0200, Jeff Hodges via RT wrote:

> I disagree that this is closed with f417997a324037025be61737288e40e171a8218c.
> It only removes the EXPORT ciphers, but does not handle the LOW ones. It's
> 2015, and we can drop them by default now.

Likely so; I would guess that the single-DES LOW ciphers are/were
used even less than the EXPORT ciphers.

So yes, I think it is reasonable to also remove "LOW" from DEFAULT.
Mind you, removing EXPORT removes ephemeral RSA key transport,
which is a significant reduction in attack surface.  Disabling
single DES just disables a cipher, so the benefit is not as great,
but I support doing it anyway.

-- 
	Viktor.
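To see which entries in a build's cipher list still fall under the EXPORT and LOW classes discussed above (and which still offer the short ephemeral RSA key transport Viktor mentions), the `openssl ciphers -v DEFAULT` output can be parsed and tagged. The following is an added example written for this page, not code from the thread or from OpenSSL; the sample lines are constructed in the `openssl ciphers -v` format, and the EXPORT/LOW rules follow the classic OpenSSL definitions (export flag; 64-bit or 56-bit encryption excluding export suites).

```python
import re

# Constructed sample in `openssl ciphers -v` format (not output from the thread);
# a real audit feeds in `openssl ciphers -v DEFAULT` from the build under test.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
"""

_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_cipher_line(line: str) -> dict:
    """Split one `openssl ciphers -v` line into name, protocol, Kx/Au/Enc/Mac and export flag."""
    parts = line.split()
    entry = {"name": parts[0], "proto": parts[1], "export": parts[-1] == "export"}
    for key, val in _FIELD.findall(line):
        entry[key] = val
    return entry


def classify(entry: dict) -> list:
    """Return the weakness tags relevant to this thread for one parsed cipher entry."""
    tags = []
    enc_bits = re.search(r"\((\d+)\)", entry.get("Enc", ""))
    bits = int(enc_bits.group(1)) if enc_bits else None
    if entry["export"]:
        tags.append("EXPORT")  # 40/56-bit export-grade suite
    elif bits is not None and bits <= 64:
        tags.append("LOW")  # single DES (56-bit) and other 64-bit-or-less ciphers
    kx = re.fullmatch(r"RSA\((\d+)\)", entry.get("Kx", ""))
    if kx:
        tags.append(f"EPHEMERAL-RSA-{kx.group(1)}")  # short ephemeral RSA key transport
    return tags


def audit(ciphers_v_output: str) -> dict:
    """Map every weak cipher name in the list to its tags; strong suites are omitted."""
    result = {}
    for line in ciphers_v_output.splitlines():
        if not line.strip():
            continue
        entry = parse_cipher_line(line)
        tags = classify(entry)
        if tags:
            result[entry["name"]] = tags
    return result


if __name__ == "__main__":
    for name, tags in audit(SAMPLE_CIPHERS_V).items():
        print(f"{name:28} {', '.join(tags)}")
```

An empty result for `openssl ciphers -v DEFAULT` means the build's default list already excludes both classes; otherwise the tagged names show what `DEFAULT:!LOW:!EXPORT` would drop.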

