[openssl-users] Appropriate use of SSL_CTX_set_cipher_list()

Hubert Kario hkario at redhat.com
Fri Aug 3 13:51:16 UTC 2018

On Thursday, 19 July 2018 00:12:55 CEST Michael Wojcik wrote:
> > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> > Of Ryan Beethe
> > Sent: Wednesday, July 18, 2018 14:25
> > 
> > For a safe client application, should you explicitly set the cipher list
> > explicitly, rather than trust the default cipher list that comes from
> > the package manager's libssl?
> I don't think there's a definitive answer. It will depend on how well that
> OpenSSL package is maintained and how often the system administrator (who
> may just be Joe End User) updates it, the criteria used by the developer to
> set the cipher list, and so on.
> That said, I'll always prefer software that has a configurable cipher list
> with a decent default. If the software uses an OpenSSL provided by the OS
> manufacturer or some third party, and that OpenSSL comes with its own
> default cipher suite list, as in the Fedora case, then making the
> application's default "use the OpenSSL package's default" might well be
> acceptable. But as I user and system administrator, I always want the
> freedom to override it.

and the idea of providing that was exactly to allow this, as not all 
applications provide necessary configuration options, so without the system 
policy you have no way of overriding openssl defaults at all

yes, it's system-wide, but applications are explicitly allowed to override the 
policy, and if you really need to communicate with old software or hardware, 
there is LEGACY policy provided for this

> The OpenSSL-consuming software I work on all uses our own OpenSSL builds -
> we don't use the OS-supplied one, if there is one - so this isn't an issue
> I have to deal with professionally. But we do make the cipher-suite list
> configurable, with a default that tries to strike a reasonable compromise
> between strength and compatibility.

yes, for people that manage this stuff themselves, and spend a lot of time 
thinking and making decisions about their TLS settings, regularly updating it, 
this may feel intrusive

but please remember, this is not the typical user behaviour

Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180803/5d445933/attachment.sig>

More information about the openssl-users mailing list