Re: [PATCH] Fix smime_encrypt_with documentation

Tue, 03 Feb 2015 15:05:53 -0800 

David Champion wrote:
> So yes, let's push aes256 as default unless someone gives a compelling
> case for not doing so.

Alright, I'm attaching the patch which updates the default in init.h as
well as contrib/smime.rc.  I'll give a few days for comments before I
push it.

Thanks Brendan and David (and Michael!)

-Kevin

# HG changeset patch
# User Kevin McCarthy <[email protected]>
# Date 1423004387 28800
#      Tue Feb 03 14:59:47 2015 -0800
# Node ID a96bb26dd991be40b456638531d6a4699f51f22e
# Parent  1235dd48ef3f87480d62996a216eeca4e09e5e8a
Change the smime_encrypt_with default to aes256.

Openssl supports -aes256 at least since 2004, and it's a stronger
algorithm than des3.

Also:
- Remove the incorrect documentation comment about defaulting to 3des if unset.
- Change the default set in the contrib/smime.rc.

diff --git a/contrib/smime.rc b/contrib/smime.rc
--- a/contrib/smime.rc
+++ b/contrib/smime.rc
@@ -55,17 +55,17 @@
 set smime_import_cert_command="smime_keys add_cert %f"
 
 
 
 # Sction B: Outgoing messages
 
 # Algorithm to use for encryption.
 # valid choices are aes128, aes192, aes256, rc2-40, rc2-64, rc2-128, des, des3
-set smime_encrypt_with="des3"
+set smime_encrypt_with="aes256"
 
 # Encrypt a message. Input file is a MIME entity.
 set smime_encrypt_command="openssl smime -encrypt -%a -outform DER -in %f %c"
 
 # Sign.
 set smime_sign_command="openssl smime -sign -signer %c -inkey %k -passin stdin 
-in %f -certfile %i -outform DER"
 
 
diff --git a/init.h b/init.h
--- a/init.h
+++ b/init.h
@@ -2682,22 +2682,21 @@
   /*
   ** .pp
   ** This command is used to create encrypted S/MIME messages.
   ** .pp
   ** This is a format string, see the $$smime_decrypt_command command for
   ** possible \fCprintf(3)\fP-like sequences.
   ** (S/MIME only)
   */
-  { "smime_encrypt_with",      DT_STR,  R_NONE, UL &SmimeCryptAlg, 0 },
+  { "smime_encrypt_with",      DT_STR,  R_NONE, UL &SmimeCryptAlg, UL "aes256" 
},
   /*
   ** .pp
   ** This sets the algorithm that should be used for encryption.
   ** Valid choices are ``aes128'', ``aes192'', ``aes256'', ``des'', ``des3'', 
``rc2-40'', ``rc2-64'', ``rc2-128''.
-  ** If \fIunset\fP, ``3des'' (TripleDES) is used.
   ** (S/MIME only)
   */
   { "smime_get_cert_command",  DT_STR, R_NONE, UL &SmimeGetCertCommand, 0},
   /*
   ** .pp
   ** This command is used to extract X509 certificates from a PKCS7 structure.
   ** .pp
   ** This is a format string, see the $$smime_decrypt_command command for

Attachment: signature.asc
Description: PGP signature

Reply via email to