On 16 August 2014 19:50, Dominyk Tiller <dominyktil...@gmail.com> wrote:
> Ah! That's where my confusion lies, I'm getting myself tied up between
> development & stable. Thanks for the clarity on that.
>
> Homebrew is currently on 1.0.1i stable. These are the ssl2 ciphers active:
>
> "/usr/local/cellar/openssl/*/bin/openssl ciphers -ssl2
> IDEA-CBC-MD5:RC2-CBC-MD5:RC4-MD5:DES-CBC3-MD5:DES-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5"
>
> Is that a security concern? Would there be any active consequences to
> turning off those remaining -ssl2 ciphers? I tested the change with
> pretty much every dependent formula that ships from Homebrew and
> didn't encounter any issues. Would we gain any appreciable security by
> knocking out those last few ssl2 ciphers?

Err, yes. Almost all of them are weak and some are _very_ weak.

>
> Cheers,
>
> Dom
>
>
> On 16 August 2014 18:05, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
>>
>> On Sat, Aug 16, 2014 at 07:45:43AM +0100, Dominyk Tiller wrote:
>>
>> > I'm pretty sure I read somewhere in the OpenSSL documentation that the
>> > recommended default level for compile is level 1, which kills the ssl2
>> > option, but effectively Homebrew has been building with level 0
>> > default thus far.
>>
>> SSLv2 is off by default (excluded by the DEFAULT cipherlist), even
>> without disabling support for it at compile time.
>>
>> Security levels are only on the master development branch of OpenSSL,
>> which has not been officially released.  Homebrew users should be
>> using 1.0.1 or soon 1.0.2 after that is released.
>>
>> So security levels, whose design IMHO is not yet entirely done,
>> should not be in the picture at this time.
>>
>> > Did I completely hallucinate the documentation recommendation of
>> > default level 1 security or is that actually somewhere?
>>
>> You may be confusing the master branch with stable releases.
>>
>> --
>>         Viktor.
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> Development Mailing List                       openssl-dev@openssl.org
>> Automated List Manager                           majord...@openssl.org
>
>
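An added example, not part of the original message or of OpenSSL's own code: it grades the seven SSLv2 cipher names quoted above by key size, block size and MAC to show which properties make each one weak. The key-size table, the 112-bit threshold and the reason strings are assumptions of this example.

```python
# Added example: grade the SSLv2 cipher string quoted in the thread.
# The grading rules below are this example's assumptions, not OpenSSL's.

# Output of `openssl ciphers -ssl2` as quoted in the message (1.0.1i).
SSL2_CIPHERS = ("IDEA-CBC-MD5:RC2-CBC-MD5:RC4-MD5:DES-CBC3-MD5:"
                "DES-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5")

# Nominal key sizes in bits for the bulk ciphers named above.
KEY_BITS = {"IDEA": 128, "RC2": 128, "RC4": 128, "DES-CBC3": 168, "DES": 56}
SMALL_BLOCK = {"IDEA", "RC2", "DES-CBC3", "DES"}  # 64-bit block ciphers


def parse(name):
    """Split an OpenSSL cipher name into (export, bulk cipher, MAC)."""
    parts = name.split("-")
    export = parts[0] == "EXP"
    if export:
        parts = parts[1:]
    mac = parts[-1]
    body = "-".join(parts[:-1])  # e.g. "DES-CBC3", "RC2-CBC", "RC4"
    bulk = body if body in KEY_BITS else body.rsplit("-CBC", 1)[0]
    return export, bulk, mac


def grade(name):
    """Return (severity, reasons) for one cipher name."""
    export, bulk, mac = parse(name)
    bits = 40 if export else KEY_BITS[bulk]  # EXP suites use 40-bit keys
    reasons = []
    if bits < 112:
        reasons.append(f"{bits}-bit key")
    if bulk == "RC4":
        reasons.append("RC4 keystream biases")
    if bulk in SMALL_BLOCK:
        reasons.append("64-bit block")
    if mac == "MD5":
        reasons.append("MD5-based MAC")
    severity = "very weak" if bits < 112 else "weak" if reasons else "ok"
    return severity, reasons


def audit(cipher_string):
    """Grade every cipher in a colon-separated OpenSSL cipher string."""
    return {c: grade(c) for c in cipher_string.split(":") if c}


if __name__ == "__main__":
    for cipher, (sev, why) in audit(SSL2_CIPHERS).items():
        print(f"{cipher:18} {sev:10} {', '.join(why)}")
```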