[openssl-users] [openssl-dev] Proposed cipher changes for post-1.0.2

Viktor Dukhovni openssl-users at dukhovni.org
Wed Feb 11 01:21:37 UTC 2015

On Tue, Feb 10, 2015 at 06:17:38PM -0500, Daniel Kahn Gillmor wrote:

> On Tue 2015-02-10 16:15:36 -0500, Salz, Rich wrote:
> > I would like to make the following changes in the cipher specs, in the master branch, which is planned for the next release after 1.0.2
> >
> > Anything that uses RC4 or MD5 what was in MEDIUM is now moved to LOW
> yes, please!

There are lots of ways to disable RC4:

    * You can do that in a browser, or any other application
    * The NCONF interface allows one to specify this in suitable
      configuration files.
    * Security levels can be similarly specified, ...
    * TLS 1.3 will not support RC4, ...

However, OpenSSL MUST NOT force this choice on applications or
require them to be explicitly modified to continue to support RC4.
It is NOT the library's job to set this policy.

> when these are "removed", what will that do to a cipherstring that
> specifies them by negation?
> currently, this is an error:
> 0 dkg at alice:~$ openssl ciphers -v ALL:!NO-SUCH-CIPHER
> bash: !NO-SUCH-CIPHER: event not found


    $ openssl ciphers -v 'RC4:!FOOBARXYZZY'
    ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
    ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
    AECDH-RC4-SHA           SSLv3 Kx=ECDH     Au=None Enc=RC4(128)  Mac=SHA1
    ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
    ECDH-RSA-RC4-SHA        SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128)  Mac=SHA1
    ECDH-ECDSA-RC4-SHA      SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128)  Mac=SHA1
    RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
    RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
    RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
    PSK-RC4-SHA             SSLv3 Kx=PSK      Au=PSK  Enc=RC4(128)  Mac=SHA1
    EXP-ADH-RC4-MD5         SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)   Mac=MD5  export
    EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
    EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export


More information about the openssl-users mailing list