Sorry for the intrusion since I'm no dev.

I am a bit concerned about the implications something like this may bring
to you guys, let me explain.

Openssl aliases were made for something like that (HIGH MEDIUM LOW).
Although we all may agree Aliases are not great, with a little tweaking
someone can get a reasonable secure and compatible ciphersuite settings for
the time being, like HIGH:!PSK:!aNULL:!EXP:!SRP or similar.

The difference between slightly out-dated clients and very old clients can
yield lots of options as the cipher business is something very "granular"
(can't explain it better) and at the end of the day it is the admin of the
site the person who knows/should know which clients it is handling or wants
to handle and the security they need.

After all, Mr. and Ms. Normal are not very normal if they leave their SSL
settings without review for long periods of time.

Would these changes/choices be permanent after different releases of httpd?
If not, what if httpd "choices" settings as commented  at the beginning of
this thread screw the need for a very important client with java 1.crap
which can handle DH just fine but after accepting the ciphert if the
private key is bigger than XXXX it will fail, maybe the Mr. and Ms. Normal
won't be able to figure out since they changed nothing and the thing just
started failing for them?

Maybe stepping on the "site admin's" business in favour of making it easier
for them with new settings can be opening a can of worms, since even if we
may document it quite well, well, we know "Mr. and Ms. Normal" may skeep
reading about that and forget about the implications.

Hope I didn't bring in too much noise.


*Daniel Ferradal*

Reply via email to