[openssl-users] [Question] What are the current secure Configure Parameter?

Wall, Stephen swall at redcom.com
Thu Mar 10 13:49:17 UTC 2016


> -----Original Message-----
> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Oliver Niebuhr
> 
> The Qt Wiki says, the following Parameters are minimum recommended:
> no-ssl2 no-ssl3 no-idea no-mdc2 no-rc5
> 
> My Questions are:
> 1.) Are there any other Parameters that should be used?

I also add no-comp -DOPENSSL_NO_HEARTBEAT no-md2.

no-md2 might be a default.

Check Configure Options at https://wiki.openssl.org/index.php/Compilation_and_Installation for some other things you might not need, like no-srp no-psk no-dtls no-npn no-krb5 etc.  If this is a dedicated library for your application, I suggest you disable all features and ciphers you won't be using, for example, no-bf no-sha1 no-md5 no-seed etc....

If you control both ends, you could even distill it down to a single protocol cipher suite, like ECDHE-ECDSA-AES128-GCM-SHA256 with TLS1.2.


More information about the openssl-users mailing list