On Tue, Mar 25, 2014 at 05:37:49PM +0100, Tomas Mraz via RT wrote:
> Can OpenSSL developers please at least say what they think about the
> acceptability of the SYSTEM keyword support in the cipher string? I'd
> like to add the support to Fedora openssl package but we would like to
> see it upstreamed sooner or later.
I am not an OpenSSL developer, but it seems to me that system
default cipherlists are not a good idea. Changes in these would
unpredictably change the behaviour of multiple applications, breaking
some while arguably making others more secure.
The OpenSSL "DEFAULT" and "ALL" cipherlists are reasonably stable, and
applications can rely on predictable behaviour from these.
While application cipherlists should be configurable, a single
system-wide default that is subject to change is likely not progress.
What would an O/S distribution do with "SYSTEM" that would make it
better than DEFAULT or ALL?
- Reorder the priority of cipher-suites? When? Why?
- Remove cipher-suites? When? Why?
Or is the idea that "SYSTEM" is modified only by the system-administrator,
and the distributed version is stable and set to "DEFAULT"?
If the intent is to remove compromised cipher-suites, then this should
be an exclusion list, not a cipherlist. So that one could say:
ALL:!SYSTEM-EXCLUDED
DEFAULT:!SYSTEM-EXCLUDED
ALL:!EXPORT:!LOW:!SYSTEM-EXCLUDED
HIGH+aNULL:HIGH+kEECDH:HIGH+kEDH:HIGH+kRSA:!SYSTEM-EXCLUDED:@STRENGTH
...
Which applications are intended to actually make use of the system-wide
cipherlist file (be it a default list or a set of exclusions)?
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
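To make the exclusion-list idea from Viktor's mail concrete, here is an added illustration (not code from the thread or from OpenSSL) using Python's `ssl` module against whatever OpenSSL it is linked with. `SYSTEM_EXCLUDED` is a constructed stand-in for the proposed system-wide exclusion file and `apply_system_exclusions` is a hypothetical helper; the comparison function shows why `!` (permanent removal) is the right operator for such a file, as opposed to `-`, which a later keyword in the application's own string can undo.

```python
import ssl

# Constructed stand-in for a system-wide exclusion file: one OpenSSL
# cipher-string keyword per entry, not a full cipherlist.
SYSTEM_EXCLUDED = ["kRSA", "SHA1"]  # hypothetical content


def cipher_names(cipher_string):
    """Ordered names of the TLS <= 1.2 suites OpenSSL selects for a
    cipher string.  TLS 1.3 suites are configured separately and are
    unaffected by the string, so they are left out of the comparison."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises SSLError if nothing is left
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def apply_system_exclusions(app_cipherlist, excluded=SYSTEM_EXCLUDED):
    """Append the system's exclusions to an application's own cipherlist,
    e.g. 'DEFAULT' -> 'DEFAULT:!kRSA:!SHA1'.  The application keeps its
    ordering and selection; only the excluded suites are cut."""
    return ":".join([app_cipherlist] + ["!" + word for word in excluded])


def compare_exclusion_forms(keyword="kRSA"):
    """Return (base, bang, minus) name lists for ALL, ALL:!KW:KW and
    ALL:-KW:KW.  With '!' the suites stay gone even though KW is named
    again afterwards; with '-' the later KW puts them back (at the end)."""
    base = cipher_names("ALL")
    bang = cipher_names(f"ALL:!{keyword}:{keyword}")
    minus = cipher_names(f"ALL:-{keyword}:{keyword}")
    return base, bang, minus


if __name__ == "__main__":
    b, x, m = compare_exclusion_forms()
    print(f"ALL: {len(b)} suites, after '!kRSA:kRSA': {len(x)}, "
          f"after '-kRSA:kRSA': {len(m)}")
    print(apply_system_exclusions("HIGH:@STRENGTH"))
```

The exact counts depend on the OpenSSL build and security level, but the set relations below hold on any build that still offers RSA key exchange.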