On Mon, Mar 31, 2014 at 03:39:10PM +0200, Nikos Mavrogiannopoulos wrote:

> > This too feels like intrusive overreach.  What problem are you
> > trying to solve?
> 
> The goal is to allow the configuration of the security level of
> applications centrally in a system. That is, to not require the 
> administrator to configure each and every service to obtain a sane 
> security level, to simplify the current best practices [0].

This assumes that there is such a thing as a uniformly applicable
security policy that applies equally to opportunistic use of TLS,
mandatory use of unauthenticated TLS, authenticated TLS with modest
security requirements, and transport of highly sensitive data.

> The way I thought of doing it for openssl is via a global cipher string,
> which currently can only set the ciphersuites, but Stephen's changes for
> the security level are really empowering that approach.

Yes, and each application sets the appropriate security level.  A
"SYSTEM" cipherlist is not a scalable approach, changing it would
impact too many applications.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
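As an added illustration of Viktor's point (example code written for this edit, not taken from the thread or from OpenSSL itself): in OpenSSL 1.1.0 and later the security level that Stephen's change introduced is a property of each SSL_CTX, settable with SSL_CTX_set_security_level() or as the "@SECLEVEL=n" element of a cipher string, so every application picks its own level without a system-wide cipherlist. The script below uses Python's ssl module to run a server and a client over in-memory BIOs with an anonymous ECDH suite (a constructed scenario chosen because no certificate is needed). OpenSSL's default security callback accepts aNULL suites only at level 0, so the handshake succeeds when both sides run at level 0 and fails as soon as either side raises its own level. It assumes an OpenSSL build that still ships the aNULL suites and a Python whose ssl module is linked against OpenSSL 1.1.0 or newer.

```python
import ssl
from typing import Optional

# Added example, not code from the thread or from OpenSSL. Constructed
# scenario: an anonymous ECDH suite (no certificate needed) that OpenSSL's
# default security callback accepts only at level 0, so the effect of each
# context's own "@SECLEVEL" setting shows up directly in the handshake result.
ANON_SUITE = "AECDH-AES128-SHA"  # TLS 1.2 aNULL suite; assumes it is compiled in


def make_context(server_side: bool, seclevel: int) -> ssl.SSLContext:
    """Build one application's context with an explicit, per-context level."""
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    # The anonymous suite exists only up to TLS 1.2, so pin both ends there
    # (otherwise TLS 1.3 would be negotiated and the server would need a cert).
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    if not server_side:
        ctx.check_hostname = False      # no certificate to check against
        ctx.verify_mode = ssl.CERT_NONE
    # "@SECLEVEL=n" is an element of the cipher string (OpenSSL >= 1.1.0), so
    # the level is chosen by this application for this context alone.
    ctx.set_ciphers(f"{ANON_SUITE}:@SECLEVEL={seclevel}")
    return ctx


def handshake(server_level: int, client_level: int) -> Optional[str]:
    """Drive a TLS handshake between two in-memory endpoints.

    Returns the negotiated cipher name, or None when either side's security
    level rejects the only suite on offer.
    """
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = make_context(False, client_level).wrap_bio(c_in, c_out, server_side=False)
    server = make_context(True, server_level).wrap_bio(s_in, s_out, server_side=True)

    def pump() -> None:
        # Hand each side's outgoing records to the other side's input BIO.
        s_in.write(c_out.read())
        c_in.write(s_out.read())

    def step(obj: ssl.SSLObject) -> bool:
        # One do_handshake() call; True once this side has finished.
        try:
            obj.do_handshake()
            return True
        except ssl.SSLWantReadError:
            return False  # needs more bytes from the peer

    client_done = server_done = False
    try:
        for _ in range(16):  # a TLS 1.2 handshake needs only a few round trips
            if not client_done:
                client_done = step(client)
            pump()
            if not server_done:
                server_done = step(server)
            pump()
            if client_done and server_done:
                return client.cipher()[0]
    except ssl.SSLError:
        # "no shared cipher" on the server, or "no ciphers available" on a
        # client whose own level filtered the suite out before sending it.
        return None
    return None


if __name__ == "__main__":
    for s_lvl, c_lvl in ((0, 0), (1, 0), (0, 1)):
        print(f"server@{s_lvl} client@{c_lvl}: {handshake(s_lvl, c_lvl)}")
```

Python does not expose SSL_CTX_set_security_level() directly, which is why the level is carried in the cipher string here; a C application would call that function on its own SSL_CTX. Either way the decision lives with the application that knows whether its channel is opportunistic, mandatory but unauthenticated, or carrying sensitive data, rather than in one system-wide string whose change would reach every program at once.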