Julien Pierre wrote: > I know what code changes are necessary. I'm only a developer on a > couple of NSS applications at this point, not an NSS maintainer. > If this was only about those couple of apps, it wouldn't be an issue. > But there are other apps in Oracle that could be affected. > I can safely say that tracking and modifying every single app that > this binary compatibility change may affect is not going to happen at > Oracle at this point. Many other apps may not have the same kind of > tests we have for ciphers and won't even catch the issue. As NSS gets > distributed as patches to many existing application, binary > compatibility is a requirement.
Generally everybody is trying to maintain binary compatibility by default. But, there are other concerns too, such as compatibility with other implementations, and/or cost of maintenance issues, that may sometimes outweigh any binary compatibility requirement. Regarding the cipher suite changes, I think that overall, more applications will benefit than will be hurt. In fact, although it is probably the case that some Oracle products are "affected," it isn't clear from your message whether the effect is negative or positive. > I agree that they should be, but the decision of the defaults was > always up to the application until now. When an application does not explicitly set the set of enabled cipher suites, and/or it doesn't set a particular SSL option, then IMO it is saying "Let the NSS library decide what is best for me." If that isn't a good policy for an application, then it should set the options explicitly. > Unless the DES ciphers were broken, I don't see the rationale > for this change. These were the not the 3DES ciphers; they were the original, weak, DES ciphers. In 2012 it is not worth analyzing whether DES ciphers are strong enough to keep enabled, because it is clear that they are obsolete, and everybody recommends against their use. But, also, see: http://en.wikipedia.org/wiki/Data_Encryption_Standard#Security_and_cryptanalysis "In 2008 their COPACOBANA RIVYERA reduced the time to break DES to less than one day, using 128 Spartan-3 5000's." Cheers, Brian -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
