[openssl-users] FIPS certification for openssl

Jordan Brown openssl at jordan.maileater.net
Thu Nov 30 05:34:10 UTC 2017


On 11/29/2017 6:13 PM, Salz, Rich via openssl-users wrote:
> I agree with you, but a problem is that “safe and secure” changes over
> time when new crypto and other new features are added. And then users
> get upset when their connections no longer work.

Agreed, that's a tough trade-off.

Still, I'd rather have compatibility problems - as long as there's a way
to explicitly request the less-secure option - than silently be insecure.

Having per-user or system-wide configuration files that are consulted
under the covers would help, since then the user could revert to
less-secure settings without needing the application source.  Maybe have
the "create handle" function take an application name as an argument, so
that individual applications could be managed separately.

Looking at it another way:  browsers manage to do it...

-- 
Jordan Brown, Oracle Solaris
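
The layered lookup suggested in the message above, sketched as an added example that is not part of the original post and is not OpenSSL code. Every name here (`resolve_policy`, the structs, the application names) is hypothetical, and the two configuration layers are constructed sample data standing in for already-parsed files.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical settings model; none of these names are OpenSSL's. */
enum proto { TLS1_0 = 10, TLS1_1 = 11, TLS1_2 = 12 };
#define LIB_DEFAULT_MIN TLS1_2          /* secure library default */

struct rule   { const char *app; enum proto min_proto; }; /* app NULL = all apps */
struct layer  { const char *name; const struct rule *rules; size_t n; };
struct policy { enum proto min_proto; const char *source; int downgraded; };

/* Later layers override earlier ones; inside a layer a rule naming the
 * application beats the all-apps rule. No matching rule: default stays. */
struct policy resolve_policy(const struct layer *layers, size_t nlayers,
                             const char *app)
{
    struct policy p = { LIB_DEFAULT_MIN, "library default", 0 };
    for (size_t i = 0; i < nlayers; i++) {
        const struct rule *hit = NULL;
        for (size_t j = 0; j < layers[i].n; j++) {
            const struct rule *r = &layers[i].rules[j];
            if (r->app == NULL) { if (hit == NULL) hit = r; }
            else if (app != NULL && strcmp(r->app, app) == 0) hit = r;
        }
        if (hit != NULL) { p.min_proto = hit->min_proto; p.source = layers[i].name; }
    }
    /* Make any weakening explicit so the caller can log it. */
    p.downgraded = p.min_proto < LIB_DEFAULT_MIN;
    return p;
}

/* Constructed sample: a system-wide file and a per-user file, already parsed. */
static const struct rule SYSTEM_RULES[] = { { NULL, TLS1_2 }, { "legacy-mailer", TLS1_0 } };
static const struct rule USER_RULES[]   = { { "old-intranet-client", TLS1_1 } };
static const struct layer SAMPLE_LAYERS[] = {
    { "system-wide file", SYSTEM_RULES, 2 },
    { "per-user file",    USER_RULES,   1 },
};

int main(void)
{
    const char *apps[] = { "web-fetcher", "legacy-mailer", "old-intranet-client" };
    for (size_t i = 0; i < 3; i++) {
        struct policy p = resolve_policy(SAMPLE_LAYERS, 2, apps[i]);
        printf("%-20s min=%d from %s%s\n", apps[i], p.min_proto, p.source,
               p.downgraded ? " (explicit downgrade)" : "");
    }
    return 0;
}
```

The `downgraded` flag is what keeps a weaker setting from being silent: only the applications named in a file are affected, and the caller can log where the override came from.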
