On Wed, 15 Oct 2014, Daniel Kahn Gillmor wrote:
(e.g. [for OpenSSL] if the system default is always explicitly referenced as DEFAULT and we decide that we never want wget to use RC4, then DEFAULT:-RC4 is a sensible approach, because it allows OpenSSL to update DEFAULT and wget gains those improvements automatically)
I disagree. OpenSSL is but a TLS library that provides functionality - and it does so rather conservatively in my view. It does not necessarily set the security standard for what applications should aim for in a good manner.
SSL_DEFAULT_CIPHER_LIST for OpenSSL in my debian unstable (== fairly recent version 1.0.1i) says "ALL:!aNULL:!eNULL:!SSLv2".
That means it allows EXPORT40, EXPORT56 and LOW for example (if I'm not missing something), in addition to RC4. Those are terribly weak ciphers.
OpenSSL ciphers list is at https://www.openssl.org/docs/apps/ciphers.html -- / daniel.haxx.se
