Yo Eric!

On Sat, 2 Feb 2019 03:06:23 -0500
"Eric S. Raymond" <e...@thyrsus.com> wrote:

> Gary E. Miller via devel <devel@ntpsec.org>:
> > > Would somebody dig me up lists of the cipher names?
> >
> > openssl ciphers -v | fgrep TLS
> >
> > Which is incomplete since Gentoo, like almost all distros, does not
> > implement TLS 1.3. Also incomplete as I have not looked up the AEAD
> > ciphers which are also different.
> >
> > These ciphers are very dynamic. In time, by distro, by install
> > options, and by user configuration. They should not be hard coded.
> > We can punt and just feed the lists to OpenSSL and have that tell
> > us which are valid at this exact moment and place.
>
> I think there is the germ of a really good idea in what you just said.
>
> Remember my design rule for GPSD? Never configure what you can
> discover.

For defaults, yes. I thought that was already assumed.

> Can we toss out these cipher config options in favor of a mechanism
> that *discovers* what the available ciphers are and does the right
> thing?

No. Required for testing. Required for crypto emergencies. The
history of Apache, nginx, postfix and sendmail shows these options
have been essential over the years.

Learn from history, do not repeat its mistakes.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
_______________________________________________ devel mailing list devel@ntpsec.org http://lists.ntpsec.org/mailman/listinfo/devel
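
The two positions in this thread (discover what the local OpenSSL offers, but keep an operator override) can be combined. The following is an added example, not code from the thread or from NTPsec; the function names are hypothetical, and it covers only TLS 1.2-and-earlier cipher names, because Python's `set_ciphers()` does not control TLS 1.3 suites.

```python
import ssl

def discover_suites():
    """Suites the local OpenSSL build enables by default, as (name, protocol)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]

def vet_configured(names):
    """Ask the library about each configured cipher name on its own.

    A combined string such as "GOOD:TYPO" is accepted as long as one entry
    matches, so a misspelled name would be dropped without any error.
    Testing names one at a time makes the rejected entries visible.
    """
    accepted, rejected = [], []
    for name in names:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.set_ciphers(name)      # raises if nothing can be selected
        except ssl.SSLError:
            rejected.append(name)
        else:
            accepted.append(name)
    return accepted, rejected

def effective_ciphers(configured=None):
    """Discovery when nothing is configured; a vetted override otherwise."""
    if not configured:
        return [name for name, _ in discover_suites()], []
    return vet_configured(configured)

if __name__ == "__main__":
    # Constructed sample config: one name this host supports plus one typo.
    legacy = [n for n, p in discover_suites() if p != "TLSv1.3"]
    sample = legacy[:1] + ["NOT-A-REAL-CIPHER"]
    usable, unknown = effective_ciphers(sample)
    print("usable:", usable)
    print("rejected by this OpenSSL build:", unknown)
```

Logging the rejected list at startup tells the operator that an override no longer matches the installed library, rather than letting it degrade silently.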