On Tue 2015-02-10 16:15:36 -0500, Salz, Rich wrote:
> I would like to make the following changes in the cipher specs, in the master
> branch, which is planned for the next release after 1.0.2
>
> Anything that uses RC4 or MD5 what was in MEDIUM is now moved to LOW

yes, please!

> Anything that was 40-bit encryption is removed:
> /* Cipher 03 "EXP-RC4-MD5" removed */
> /* Cipher 06 "EXP-RC2-CBC-MD5" removed */
> /* Cipher 08 "EXP-DES-CBC-SHA" removed */
> /* Cipher 0B "EXP-DH-DSS-DES-CBC-SHA" removed */
> /* Cipher 0E "EXP-DH-RSA-DES-CBC-SHA" removed */
> /* Cipher 11 "EXP-DHE-DSS-DES-CBC-SHA" removed */
> /* Cipher 14 "EXP-DHE-RSA-DES-CBC-SHA" removed */
> /* Cipher 17 "EXP-ADH-RC4-MD5" removed */
> /* Cipher 19 "EXP-ADH-DES-CBC-SHA" removed */
> /* Cipher 26 "EXP-KRB5-DES-CBC-SHA" removed */
> /* Cipher 27 "EXP-KRB5-RC2-CBC-SHA" removed */
> /* Cipher 28 "EXP-KRB5-RC4-SHA" removed */
> /* Cipher 29 "EXP-KRB5-DES-CBC-MD5" removed */
> /* Cipher 2A "EXP-KRB5-RC2-CBC-MD5" removed */
> /* Cipher 2B "EXP-KRB5-RC4-MD5" removed */

when these are "removed", what will that do to a cipherstring that
specifies them by negation? currently, this is an error:

0 dkg@alice:~$ openssl ciphers -v ALL:!NO-SUCH-CIPHER
bash: !NO-SUCH-CIPHER: event not found
0 dkg@alice:~$

i wouldn't want ALL:!EXP-DHE-DSS-DES-CBC-SHA to be an error, though.

> The value of DEFAULT changes to this:
> ALL:!LOW:!EXPORT:!aNULL:!eNULL
>
> The combination of the first and last changes means that anyone who wants or
> needs to use, say RC4 must explicitly say so.

This looks good to me.

Hanno wrote:

> I'd further suggest to move everything that's not PFS&AEAD from HIGH
> to MEDIUM.

I agree with this as well. It sets the stage for TLS 1.3.

Thanks for pushing on this, Rich.

--dkg