[openssl-users] FIPS certification for openssl

Salz, Rich rsalz at akamai.com
Thu Nov 30 02:13:14 UTC 2017


> My number one complaint is that it seems like the defaults are generally set up to do the wrong things, and the application has to either explicitly set "yes, you should be secure" options or do stuff on its own.  This seems to have been getting better - gaining hostname validation, for instance - but really a client should be able to say "give me a secure connection to host:port" and have sensible and secure things happen with a single call.  Maybe two, one to create a handle and the other to actually set up the connection (to allow for intervening calls that customize the connection).

I agree with you, but a problem is that “safe and secure” changes over time when new crypto and other new features are added. And then users get upset when their connections no longer work.

I think the right approach is to be able to specify a policy, then at least you know what you’re signing up for. Right now it’s a collection of low-level things.  And the policy is “SECLEVEL” which ain’t great.

