[openssl-users] recommended build options
swall at redcom.com
Thu Mar 3 13:13:36 UTC 2016
> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On
> Behalf Of Viktor Dukhovni
> By and large what should be off by default eventually or already
> is, but there can be some delay for backwards compatibility.
> With these you're covered for no-ssl2 no-comp and no weak ciphers.
We are using 1.0.2f; no-ssl2 and no-comp do not appear to be defaults in that version. Should heartbeats be turned off, or have recent versions of OpenSSL taken care of any potential weaknesses there?
> It may also be reasonable to disable "idea", "seed" and "rc2".
We provide config settings to disable ssl3, idea, and seed, though I think it'd probably be safe to drop idea and seed altogether. I believe heimdal uses rc2, which precludes disabling that one.
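
One way to check which of the options discussed in this thread a given build actually compiled out, as an added example that is not part of the original message: it reads the OPENSSL_NO_<FEATURE> defines from the build's generated opensslconf.h. The function name still_enabled and the sample header are constructed for illustration; point the function at the header of the build being audited.

```shell
#!/bin/sh
# Added example: list the features from a wish-list that a build has NOT
# compiled out, based on the OPENSSL_NO_<FEATURE> defines in opensslconf.h.

# still_enabled HEADER FEATURE...
# Prints (space-separated) every FEATURE without a matching define.
still_enabled() {
    header=$1; shift
    missing=""
    for feat in "$@"; do
        # no-ssl2 -> OPENSSL_NO_SSL2, no-heartbeats -> OPENSSL_NO_HEARTBEATS
        macro="OPENSSL_NO_$(printf '%s' "$feat" | tr 'a-z-' 'A-Z_')"
        # Match "#define X" and "# define X" exactly; an "#ifndef X" guard
        # or a longer macro name that merely starts with X does not count.
        if ! grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+${macro}([[:space:]]|\$)" "$header"; then
            missing="${missing:+$missing }$feat"
        fi
    done
    printf '%s\n' "$missing"
}

# Constructed sample header (not taken from a real build): ssl2, comp and
# seed are disabled; heartbeats, idea and rc2 are still compiled in.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
/* constructed sample in the style of a generated opensslconf.h */
#ifndef OPENSSL_NO_SSL2
# define OPENSSL_NO_SSL2
#endif
#ifndef OPENSSL_NO_COMP
# define OPENSSL_NO_COMP
#endif
#ifndef OPENSSL_NO_SEED
#define OPENSSL_NO_SEED
#endif
EOF

echo "still enabled: $(still_enabled "$sample" ssl2 comp heartbeats idea seed rc2)"
```

An empty result means every listed feature is compiled out, so the function can gate a packaging step.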