[openssl-users] recommended build options

Viktor Dukhovni openssl-users at dukhovni.org
Thu Mar 3 18:49:59 UTC 2016


On Thu, Mar 03, 2016 at 08:13:36AM -0500, Wall, Stephen wrote:

> > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On
> > Behalf Of Viktor Dukhovni
> > 
> > By and large what should be off by default eventually or already
> > is, but there can be some delay for backwards compatibility.
> ...
> > With these you're covered for no-ssl2 no-comp and no weak ciphers.
> 
> We are using 1.0.2f, no-ssl2 and no-comp do not appear to be defaults in
> that version.  Should heartbeats be turned off, or have recent versions of
> OpenSSL taken care of any potential weaknesses there?

Yes, you do need to disable "ssl2" in releases prior to 1.0.1s
and 1.0.2g.

Note that "no-comp" is a consequence of "zlib" and "zlib-dynamic"
not being enabled.  You have to choose to turn compression on IIRC
by enabling one of these.

-- 
	Viktor.

