On Mon, Mar 31, 2014 at 07:36:19PM +0200, [email protected] wrote:
> To me, carefully starting to drop "outdated"/"weak"
> ciphersuites, so "early adopters" can test and provide
> feedback (both asking the communication partner to
> upgrade their software and giving feedback on how
> usable the new policy already is) seems vastly preferable
> to having to do the same "all at once" while being under
> attack.

Sure, that works for security levels more aggressive than the
interoperable default. For now, RC4 should probably remain a low
priority cipher in default configurations. Step 1 is to phase out
server preference for RC4.

I am all for some bleeding-edge clients knowingly field testing
more restrictive configurations.

--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]