On Wed, Feb 11, 2015 at 06:11:08AM +0000, Viktor Dukhovni wrote:

> I think these definitions should stay the same, but I have no
> objection to disabling RC4 in DEFAULT, or entirely removing
> EXPORT/LOW.

And also MD5 (which subsumes all SSLv2 cipher-suites).

Note that for most applications the correct approach to configuring
ciphersuites should be to start with DEFAULT and subtract what they
don't want. The library is then responsible for a generally sensible
default order and default exclusions.

For example, the below yields a compact list of cipher-suites with
little legacy baggage:

    DEFAULT:!EXPORT:!LOW:!MD5:!RC4:!SRP:!PSK:!aDSS:!aDH:!SEED:!IDEA:!kECDHr:!kECDHe

A variant with RC4-SHA as a last resort would be:

    DEFAULT:!EXPORT:!LOW:!MD5:!SRP:!PSK:!aDSS:!aDH:!SEED:!IDEA:!kECDHr:!kECDHe:+RC4

--
Viktor.
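
Added example (not part of the message above, and not OpenSSL project code): a Python check that expands both cipher strings from the message against whatever OpenSSL the interpreter is linked with, lists any surviving suite whose name still carries a legacy marker, and confirms that RC4 suites, if the build has any, sort last. The `LEGACY_MARKERS` list and the function names are assumptions made for this example.

```python
import ssl

# Cipher strings quoted from the message above.
STRICT = ("DEFAULT:!EXPORT:!LOW:!MD5:!RC4:!SRP:!PSK:!aDSS:!aDH:"
          "!SEED:!IDEA:!kECDHr:!kECDHe")
RC4_LAST = ("DEFAULT:!EXPORT:!LOW:!MD5:!SRP:!PSK:!aDSS:!aDH:"
            "!SEED:!IDEA:!kECDHr:!kECDHe:+RC4")

# Assumed audit list: substrings of OpenSSL suite names that identify the
# families both strings exclude outright (RC4 is checked separately).
LEGACY_MARKERS = ("EXP", "MD5", "SRP", "PSK", "DSS", "SEED", "IDEA")


def expand(cipher_string):
    """Return suite names, in preference order, as the linked OpenSSL expands them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def legacy_hits(cipher_string, markers=LEGACY_MARKERS):
    """Suites that survived the exclusions but still carry a legacy marker."""
    return [n for n in expand(cipher_string) if any(m in n for m in markers)]


def rc4_only_at_tail(cipher_string):
    """True if every RC4 suite sorts after every non-RC4 suite (or none exist)."""
    flags = ["RC4" in n for n in expand(cipher_string)]
    first = flags.index(True) if True in flags else len(flags)
    return all(flags[first:])


def removed_by(cipher_string):
    """Suites present in plain DEFAULT that the string subtracts."""
    kept = set(expand(cipher_string))
    return [n for n in expand("DEFAULT") if n not in kept]


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for label, s in (("strict", STRICT), ("rc4-last", RC4_LAST)):
        print(label, len(expand(s)), "suites; legacy:", legacy_hits(s),
              "; RC4 at tail only:", rc4_only_at_tail(s))
    print("subtracted from DEFAULT:", removed_by(STRICT))
```

What DEFAULT contains depends on the OpenSSL version and build options, so the output is worth comparing across each distinct build you deploy.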
_______________________________________________
openssl-dev mailing list