[openssl-users] recommended build options

Wall, Stephen swall at redcom.com
Thu Mar 3 13:13:36 UTC 2016


> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On
> Behalf Of Viktor Dukhovni
> 
> By and large what should be off by default eventually or already
> is, but there can be some delay for backwards compatibility.
...
> With these you're covered for no-ssl2 no-comp and no weak ciphers.

We are using 1.0.2f; no-ssl2 and no-comp do not appear to be defaults in that version. Should heartbeats be turned off, or have recent versions of OpenSSL taken care of any potential weaknesses there?

> It may also be reasonable to disable "idea", "seed" and "rc2".

We provide config settings to disable ssl3, idea, and seed, though I think it'd probably be safe to drop idea and seed altogether.  I believe heimdal uses rc2, which precludes disabling that one.

Thanks
-spw

