[openssl-users] Appropriate use of SSL_CTX_set_cipher_list()

Ryan Beethe ryan at splintermail.com
Wed Jul 18 20:24:31 UTC 2018


> Offhand, I'm not aware of other OSes that distribute implementations
> of OpenSSL that require platform-specific cipher-list settings.

Ok, that is very helpful to know.

> This strikes me as a Really Bad Idea on the part of the Fedora
> developers

While it is a pain to have to have a Fedora-specific patch, I am
not sure I understand why this is a bad idea? (Server applications like
Apache do not fall under that guideline.)  As a consumer of applications
that use OpenSSL, I think I would prefer that an up-to-date list of
acceptable ciphers is kept by the same folks who keep my libssl.so
up-to-date, rather than depending on the developer of each individual
application to keep their code in step with current security news.

> I recommend Ivan Ristic's /Bulletproof TLS/ e-book

I have been meaning to buy this book for a long time, so I finally did.
Skimming through it, it looks excellent.

I will also take another look at Mozilla's list (as mentioned by
Daurnimator), and compare it to the suggestions in "Bulletproof TLS".  I
have been using the Mozilla list for server-side things, so I suppose it
makes sense to use it on the client side as well.

But I still have one question, which I don't see answered explicitly
anywhere:

For a safe client application, should you explicitly set the cipher
list, rather than trust the default cipher list that comes from the
package manager's libssl?

(obviously this question would not apply to operating systems which
don't distribute OpenSSL, or to Fedora)

Thanks,
Ryan
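As an added example (not code from this thread), the client-side choice the question is about, written against Python's standard-library ssl module, whose SSLContext.set_ciphers() is a thin wrapper around SSL_CTX_set_cipher_list(): with no string the libssl/distribution default is kept, with a string the explicit list is applied and checked, and a string that matches nothing is surfaced as an error instead of being silently ignored. The four-cipher list is a constructed placeholder in the Mozilla style, not the Mozilla or "Bulletproof TLS" recommendation itself.

```python
import ssl

# Constructed placeholder list (assumption, not a list from the thread);
# these names exist in every OpenSSL 1.1.x/3.x build Python links against.
EXPLICIT_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-GCM-SHA384"
)


def tls12_cipher_names(ctx):
    """Names of the TLS 1.2-and-older ciphers the context will offer.

    TLS 1.3 suites are configured separately from the cipher list, so they
    are filtered out to show only what SSL_CTX_set_cipher_list controls.
    """
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def build_client_context(cipher_list=None):
    """Build a verifying client context, with or without an explicit list.

    cipher_list=None keeps whatever libssl (and the distribution's policy)
    ships as the default.  Otherwise set_ciphers() hands the string to
    SSL_CTX_set_cipher_list(); if nothing matches, OpenSSL fails the call and
    Python raises ssl.SSLError, which is deliberately not caught here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # cert + hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cipher_list is not None:
        ctx.set_ciphers(cipher_list)
        if not tls12_cipher_names(ctx):             # belt-and-braces check
            raise ValueError("cipher list left no usable TLS 1.2 ciphers")
    return ctx


def rejects_empty_cipher_list(cipher_list):
    """True if libssl refuses a list that selects no cipher at all."""
    try:
        build_client_context(cipher_list)
    except ssl.SSLError:
        return True
    return False


def explicit_is_subset_of_default():
    """True if every explicitly chosen cipher is also in the distro default."""
    default = set(tls12_cipher_names(build_client_context()))
    explicit = set(tls12_cipher_names(build_client_context(EXPLICIT_CIPHERS)))
    return bool(explicit) and explicit <= default
```

Comparing the two lists this way is how to spot the trade-off in the post: an explicit list pins what the client offers, but it also stops tracking whatever the package manager's libssl would have dropped or added.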
