[openssl-users] [openssl-dev] Proposed cipher changes for post-1.0.2

Michael Wojcik Michael.Wojcik at microfocus.com
Wed Feb 11 15:07:11 UTC 2015

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Viktor Dukhovni
> Sent: Tuesday, February 10, 2015 21:01
> To: openssl-dev at openssl.org; openssl-users at openssl.org
> Subject: Re: [openssl-users] [openssl-dev] Proposed cipher changes for
> post-1.0.2
> On Wed, Feb 11, 2015 at 12:22:44AM +0000, Salz, Rich wrote:
> > RC4 in LOW has a bit of pushback so far.  My cover for it is that
> > the IETF says "don't use it."  So I think saying "if you want it,
> > say so" is the way to go.
> By all means, don't use it, but it is not OpenSSL's choice to make
> by breaking the meaning of existing interfaces.
> If you put RC4 in LOW, one can no longer exclude LOW ciphers if
> one still needs RC4.  Nobody uses single-DES, but enough peers
> still use (only) RC4 to make disabling of RC4 a choice best made
> by applications.

I agree with Viktor. His suggestion (keep RC4 in MEDIUM, suppress it explicitly in DEFAULT) is a good one that maintains important backward compatibility while providing the desired removal of RC4 by default. There's no advantage to moving RC4 to LOW.

Michael Wojcik
Technology Specialist, Micro Focus
