On Thu, Mar 27, 2014, Salz, Rich wrote:

> > I am not an OpenSSL developer, but it seems to me that system default
> > cipherlists are not a good idea.
>
> +1
>
> I'd rather see the ability to add a new section openssl.cnf, like
>     [ cipher-profile ]
>     redhat-recommended = AES256-CGM-SHA384
>
> and then you could do things like
>     -ciphers profile@redhat-recommended:RC4-SHA128
>
Yes I agree. There is an existing method for adding configuration in openssl.cnf for various purposes (ENGINE, OIDs, FIPS) and instead of a new configuration file a configuration module could be added instead. It could be extended beyond just cipher strings, for example expressing some SSL_CONF commands which would be used whenever that section is referenced.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
