On Wed, Feb 11, 2015 at 03:33:03AM +0000, Salz, Rich wrote:

> > Not all applications are browsers folks, and libraries need to provide stable
> > interfaces that mirror the application's intent consistent with expected
> > behaviour of existing interfaces.
>
> Please point to where it is documented what the value of MEDIUM means and
> what interface is being broken?

The ciphers(1) manpage has set consistent expectations since the dawn
of time (same meaning in 0.9.7, 0.9.8, 1.0.0 and 1.0.1):

    HIGH
        "high" encryption cipher suites. This currently means those with
        key lengths larger than 128 bits, and some cipher suites with
        128-bit keys.

    MEDIUM
        "medium" encryption cipher suites, currently some of those using
        128 bit encryption.

    LOW
        "low" encryption cipher suites, currently those using 64 or 56 bit
        encryption algorithms but excluding export cipher suites.

    EXP, EXPORT
        export encryption algorithms. Including 40 and 56 bits algorithms.

    EXPORT40
        40 bit export encryption algorithms

    EXPORT56
        56 bit export encryption algorithms. In OpenSSL 0.9.8c and later
        the set of 56 bit export ciphers is empty unless OpenSSL has been
        explicitly configured with support for experimental ciphers.

Those "currently's" have meant the same thing for a decade and a half,
the only change being a relaxation of HIGH to include AES128 in 2005
which introduces no interop issues.

1.0.0 and later:

    commit 61094cf3dc1cc0086f8bcb70f73cc5822a53b2be
    Author: Dr. Stephen Henson <st...@openssl.org>
    Date:   Wed Sep 21 00:55:42 2005 +0000

        128 bit AES ciphersuites should be classified as HIGH.

0.9.8 backport:

    commit daa657fb78b517ebcddeef09e17e8a20624ac314
    Author: Dr. Stephen Henson <st...@openssl.org>
    Date:   Wed Sep 21 00:57:28 2005 +0000

0.9.7 backport:

    commit 9f03d028e75c9376b3e4908dc666a8e75e03af61
    Author: Dr. Stephen Henson <st...@openssl.org>
    Date:   Wed Sep 21 00:58:48 2005 +0000

I think these definitions should stay the same, but I have no objection
to disabling RC4 in DEFAULT, or entirely removing EXPORT/LOW.

-- 
        Viktor.