[openssl-users] Proposed cipher changes for post-1.0.2

Salz, Rich rsalz at akamai.com
Tue Feb 10 21:15:36 UTC 2015


I would like to make the following changes in the cipher specs, in the master branch, which is planned for the next release after 1.0.2

Anything that uses RC4 or MD5 what was in MEDIUM is now moved to LOW

Anything that was 40-bit encryption is removed:
/* Cipher 03 "EXP-RC4-MD5" removed */
/* Cipher 06 "EXP-RC2-CBC-MD5" removed */
/* Cipher 08 "EXP-DES-CBC-SHA" removed */
/* Cipher 0B "EXP-DH-DSS-DES-CBC-SHA" removed */
/* Cipher 0E "EXP-DH-RSA-DES-CBC-SHA" removed */
/* Cipher 11 "EXP-DHE-DSS-DES-CBC-SHA" removed */
/* Cipher 14 "EXP-DHE-RSA-DES-CBC-SHA" removed */
/* Cipher 17 "EXP-ADH-RC4-MD5" removed */
/* Cipher 19 "EXP-ADH-DES-CBC-SHA" removed */
/* Cipher 26 "EXP-KRB5-DES-CBC-SHA" removed */
/* Cipher 27 "EXP-KRB5-RC2-CBC-SHA" removed */
/* Cipher 28 "EXP-KRB5-RC4-SHA" removed */
/* Cipher 29 "EXP-KRB5-DES-CBC-MD5" removed */
/* Cipher 2A "EXP-KRB5-RC2-CBC-MD5" removed */
/* Cipher 2B "EXP-KRB5-RC4-MD5" removed */

The value of DEFAULT changes to this:
                ALL:!LOW:!EXPORT:!aNULL:!eNULL

The combination of the first and last changes means that anyone who wants or needs to use, say RC4 must explicitly say so.

Comments?

--
Principal Security Engineer, Akamai Technologies
IM: rsalz at jabber.me<mailto:rsalz at jabber.me> Twitter: RichSalz

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150210/d5e52303/attachment.html>


More information about the openssl-users mailing list