On 08/25/2016 02:37 PM, Yann Ylavic wrote:
> I find this CipherSuite quite evolutive and unsurprising (key exchange algorithms don't change or are introduced too often, that's a euphemism :), if a cipher proves to be weak, add it to the :!END and be done (like RC4 and 3DES recently).

To be clear, I'm not arguing that forward-facing cipherstrings don't have advantages. They absolutely do, and I don't disagree with your points.

> Contrariwise with the exhaustive list method, if you upgrade e.g. from openssl 1.0 to 1.1 you have to figure out what the new strong ciphers are before adding them (like CHACHA/POLY1305, or CHACHA-GCM with libreSSL, or ..).
(Note that ChaCha/Poly is handled here already. But your point still stands.)
I suspect that it's a matter of preference at this point. Since this is the "strong cipher recommendation", where it is (IMO) more important to ban weak ciphers than to enable the absolute latest and greatest, I'd rather have to do work on an upgrade to expand a whitelist than run the risk of missing an item in a blacklist. But that's just me.
Anyone else feel strongly one way or another?

--Jacob
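The trade-off discussed in this thread (an exclusion-based cipher string that may silently pick up new suites after a library upgrade, versus an exhaustive whitelist that needs manual expansion) can be checked mechanically by resolving the string against the locally linked OpenSSL. The following is an added example, not code from the thread or from httpd; the two cipher strings and the "reviewed" list it compares against are constructed for illustration.

```python
import ssl

# Constructed cipher strings illustrating the two styles from the thread
# (hypothetical examples, not httpd's own recommendation).
BLACKLIST_STYLE = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES"
WHITELIST_STYLE = ("ECDHE-RSA-AES256-GCM-SHA384:"
                   "ECDHE-RSA-AES128-GCM-SHA256:"
                   "ECDHE-RSA-CHACHA20-POLY1305")

# Name fragments that should never appear in a "strong" resolved list.
WEAK_MARKERS = ("RC4", "DES-CBC", "MD5", "NULL", "EXP", "RC2", "IDEA", "SEED")


def expand(cipher_string):
    """Resolve an OpenSSL cipher string to the concrete TLS <= 1.2 suite
    names the locally linked OpenSSL actually enables.  TLS 1.3 suites are
    dropped because OpenSSL configures them independently of this string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_suites(names):
    """Return the suite names that trip one of the weak-cipher markers."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def unexpected_suites(names, reviewed):
    """Return enabled suites that are not in the reviewed set.
    For a whitelist string, 'reviewed' is the string itself and the result
    must be empty.  For an exclusion string, 'reviewed' is the list recorded
    before a library upgrade, so anything returned is a suite the upgrade
    added without anyone looking at it."""
    return sorted(set(names) - set(reviewed))


def audit(cipher_string, reviewed):
    """Resolve a cipher string and report weak and unreviewed suites."""
    names = expand(cipher_string)
    return {"enabled": names,
            "weak": weak_suites(names),
            "unexpected": unexpected_suites(names, reviewed)}


if __name__ == "__main__":
    # Exclusion style: with no recorded baseline every suite is unreviewed.
    print(audit(BLACKLIST_STYLE, []))
    # Whitelist style: the string is its own review list.
    print(audit(WHITELIST_STYLE, WHITELIST_STYLE.split(":")))
```

Recording `expand(...)` output before an OpenSSL upgrade and feeding it back as `reviewed` afterwards turns the "did the upgrade add something?" question from the thread into a diff.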