On Mon, Mar 31, 2014 at 03:39:10PM +0200, Nikos Mavrogiannopoulos wrote:

> > This too feels like intrusive overreach. What problem are you
> > trying to solve?
>
> The goal is to allow the configuration of the security level of
> applications centrally in a system. That is, to not require the
> administrator to configure each and every service to obtain a sane
> security level, to simplify the current best practices [0].

This assumes that there is such a thing as a uniformly applicable security policy that applies equally to opportunistic use of TLS, mandatory use of unauthenticated TLS, authenticated TLS with modest security requirements, and transport of highly sensitive data.

> The way I thought of doing it for openssl is via a global cipher string,
> which currently can only set the ciphersuites, but Stephen's changes for
> the security level are really empowering that approach.

Yes, and each application sets the appropriate security level. A "SYSTEM" cipherlist is not a scalable approach, changing it would impact too many applications.

-- 
Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org