[openssl-users] Appropriate use of SSL_CTX_set_cipher_list()
hkario at redhat.com
Fri Aug 3 13:51:16 UTC 2018
On Thursday, 19 July 2018 00:12:55 CEST Michael Wojcik wrote:
> > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> > Of Ryan Beethe
> > Sent: Wednesday, July 18, 2018 14:25
> > For a safe client application, should you explicitly set the cipher list
> > explicitly, rather than trust the default cipher list that comes from
> > the package manager's libssl?
> I don't think there's a definitive answer. It will depend on how well that
> OpenSSL package is maintained and how often the system administrator (who
> may just be Joe End User) updates it, the criteria used by the developer to
> set the cipher list, and so on.
> That said, I'll always prefer software that has a configurable cipher list
> with a decent default. If the software uses an OpenSSL provided by the OS
> manufacturer or some third party, and that OpenSSL comes with its own
> default cipher suite list, as in the Fedora case, then making the
> application's default "use the OpenSSL package's default" might well be
> acceptable. But as I user and system administrator, I always want the
> freedom to override it.
and the idea of providing that was exactly to allow this, as not all
applications provide necessary configuration options, so without the system
policy you have no way of overriding openssl defaults at all
yes, it's system-wide, but applications are explicitly allowed to override the
policy, and if you really need to communicate with old software or hardware,
there is LEGACY policy provided for this
> The OpenSSL-consuming software I work on all uses our own OpenSSL builds -
> we don't use the OS-supplied one, if there is one - so this isn't an issue
> I have to deal with professionally. But we do make the cipher-suite list
> configurable, with a default that tries to strike a reasonable compromise
> between strength and compatibility.
yes, for people that manage this stuff themselves, and spend a lot of time
thinking and making decisions about their TLS settings, regularly updating it,
this may feel intrusive
but please remember, this is not the typical user behaviour
Senior Quality Engineer, QE BaseOS Security team
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: This is a digitally signed message part.
More information about the openssl-users