On 10/15/2014 05:37 PM, Daniel Stenberg wrote: > On Wed, 15 Oct 2014, Daniel Kahn Gillmor wrote: > >> (e.g. [for OpenSSL] if the system default is always explicitly >> referenced as DEFAULT and we decide that we never want wget to use >> RC4, then DEFAULT:-RC4 is a sensible approach, because it allows >> OpenSSL to update DEFAULT and wget gains those improvements >> automatically) > > I disagree. OpenSSL is but a TLS library that provides functionality - > and it does so rather conservatively in my view. It does not necessarily > set the security standard for what applications should aim for in a good > manner. > > SSL_DEFAULT_CIPHER_LIST for OpenSSL in my debian unstable (== fairly > recent version 1.0.1i) says "ALL:!aNULL:!eNULL:!SSLv2". > > That means it allows EXPORT40, EXPORT56 and LOW for example (if I'm not > missing something), in addition to RC4. Those are terribly weak ciphers. > > OpenSSL ciphers list is at https://www.openssl.org/docs/apps/ciphers.html
I agree that OpenSSL has traditionally been too conservative. I'm arguing that if we're going to set anything other than the default, we should make our changes as *relative* changes rather than specifying something absolute, so that wget can get any improvements that OpenSSL makes to the default without having to rebuild wget itself. --dkg
signature.asc
Description: OpenPGP digital signature