Ah! That's where my confusion lies, I'm getting myself tied up between
development & stable. Thanks for the clarity on that.

Homebrew is currently on 1.0.1i stable. These are the ssl2 ciphers active:

"/usr/local/cellar/openssl/*/bin/openssl ciphers -ssl2
IDEA-CBC-MD5:RC2-CBC-MD5:RC4-MD5:DES-CBC3-MD5:DES-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5"

Is that a security concern? Would there be any active consequences to
turning off those remaining -ssl2 ciphers? I tested the change with
pretty much every dependent formula that ships from Homebrew and
didn't encounter any issues. Would we gain any appreciable security by
knocking out those last few ssl2 ciphers?

Cheers,

Dom


On 16 August 2014 18:05, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:

> On Sat, Aug 16, 2014 at 07:45:43AM +0100, Dominyk Tiller wrote:
>
> > I'm pretty sure I read somewhere in the OpenSSL documentation that the
> > recommended default level for compile is level 1, which kills the ssl2
> > option, but effectively Homebrew has been building with level 0
> > default thus far.
>
> SSLv2 is off by default (excluded by the DEFAULT cipherlist), even
> without disabling support for it at compile time.
>
> Security levels are only on the master development branch of OpenSSL,
> which has not been officially released.  Homebrew users should be
> using 1.0.1 or soon 1.0.2 after that is released.
>
> So security levels, whose design IMHO is not yet entirely done,
> should not be in the picture at this time.
>
> > Did I completely hallucinate the documentation recommendation of
> > default level 1 security or is that actually somewhere?
>
> You may be confusing the master branch with stable releases.
>
> --
>         Viktor.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           majord...@openssl.org
>
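
Added example, not part of the original messages: a small audit that parses listing lines in the column layout of `openssl ciphers -v` and reports which entries are SSLv2, export-grade, below a key-size floor, or MD5-MAC. The sample lines are constructed for the seven cipher names quoted above plus one non-SSLv2 entry for contrast; the function name `audit` and the 128-bit floor are assumptions of this example.

```python
import re

# Constructed sample in the column layout of `openssl ciphers -v`
# (not captured from a real run). The first seven names are the ones
# listed in the message; AES128-SHA is added only for contrast.
SAMPLE = """\
IDEA-CBC-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=MD5
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5 export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5 export
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""

LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[^\s(]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
    r"(?P<export>\s+export)?\s*$"
)


def audit(text, min_bits=128):
    """Return {cipher_name: [reasons]} for every entry that trips a check."""
    findings = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE.match(raw)
        if m is None:
            # Fail loudly: a silently skipped line could hide a weak cipher.
            raise ValueError("unparseable cipher line: %r" % raw)
        reasons = []
        if m["proto"] == "SSLv2":
            reasons.append("sslv2")
        if m["export"]:
            reasons.append("export")
        # Enc=None carries no "(bits)" suffix; treat it as 0 bits.
        bits = int(m["bits"]) if m["bits"] else 0
        if bits < min_bits:
            reasons.append("%d-bit" % bits)
        if m["mac"] == "MD5":
            reasons.append("md5-mac")
        if reasons:
            findings[m["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE).items():
        print("%-16s %s" % (name, ", ".join(reasons)))
```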
