Hello Patrick,
> While no longer using RC4 might be a good idea, I'm not certain that OpenSSL
> should /force/ it as long as the cipher is still a valid choice.
Agreed, that's why I wrote it should be an SSL{,_CTX}_set_options()
option, but there are no unused values to do that.
> This seems like a job for SSL_CTX_set_cipher_list
> (http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html). A good server
> would be calling this anyway since (at least according to the docs at
> http://www.openssl.org/docs/apps/ciphers.html) the default cipher list is
> ALL:!aNULL:!eNULL. I could even conceive of turning off RC4 by default, but
> you should probably let people turn it back on if they have it in their
> cipher list.
The main point of this patch is to disable RC4 only for connections
using TLS v1.1+ and keep it around for connections using TLS v1.0 to
protect against the BEAST attack. Currently, there is no way to
specify different cipher suites for different protocols, so you cannot
achieve that with SSL{,_CTX}_set_cipher_list.
Best regards,
Piotr Sikora
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]