[openssl-users] Appropriate use of SSL_CTX_set_cipher_list()

[Michael Wojcik]

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Ryan Beethe
> Sent: Wednesday, July 18, 2018 14:25
>
> For a safe client application, should you explicitly set the cipher list
> explicitly, rather than trust the default cipher list that comes from
> the package manager's libssl?

I don't think there's a definitive answer. It will depend on how well that OpenSSL package is maintained and how often the system administrator (who may just be Joe End User) updates it, the criteria used by the developer to set the cipher list, and so on.

That said, I'll always prefer software that has a configurable cipher list with a decent default. If the software uses an OpenSSL provided by the OS manufacturer or some third party, and that OpenSSL comes with its own default cipher suite list, as in the Fedora case, then making the application's default "use the OpenSSL package's default" might well be acceptable. But as I user and system administrator, I always want the freedom to override it.

The OpenSSL-consuming software I work on all uses our own OpenSSL builds - we don't use the OS-supplied one, if there is one - so this isn't an issue I have to deal with professionally. But we do make the cipher-suite list configurable, with a default that tries to strike a reasonable compromise between strength and compatibility.

--
Michael Wojcik
Distinguished Engineer, Micro Focus