On Tuesday 10 February 2015 21:15:36 Salz, Rich wrote:
> I would like to make the following changes in the cipher specs, in the
> master branch, which is planned for the next release after 1.0.2
>
> Anything that uses RC4 or MD5 that was in MEDIUM is now moved to LOW
>
> Anything that was 40-bit encryption is removed:
>     /* Cipher 03 "EXP-RC4-MD5" removed */
>     /* Cipher 06 "EXP-RC2-CBC-MD5" removed */
>     /* Cipher 08 "EXP-DES-CBC-SHA" removed */
>     /* Cipher 0B "EXP-DH-DSS-DES-CBC-SHA" removed */
>     /* Cipher 0E "EXP-DH-RSA-DES-CBC-SHA" removed */
>     /* Cipher 11 "EXP-DHE-DSS-DES-CBC-SHA" removed */
>     /* Cipher 14 "EXP-DHE-RSA-DES-CBC-SHA" removed */
>     /* Cipher 17 "EXP-ADH-RC4-MD5" removed */
>     /* Cipher 19 "EXP-ADH-DES-CBC-SHA" removed */
>     /* Cipher 26 "EXP-KRB5-DES-CBC-SHA" removed */
>     /* Cipher 27 "EXP-KRB5-RC2-CBC-SHA" removed */
>     /* Cipher 28 "EXP-KRB5-RC4-SHA" removed */
>     /* Cipher 29 "EXP-KRB5-DES-CBC-MD5" removed */
>     /* Cipher 2A "EXP-KRB5-RC2-CBC-MD5" removed */
>     /* Cipher 2B "EXP-KRB5-RC4-MD5" removed */
>
> The value of DEFAULT changes to this:
>     ALL:!LOW:!EXPORT:!aNULL:!eNULL
>
> The combination of the first and last changes means that anyone who wants or
> needs to use, say RC4 must explicitly say so.
>
> Comments?

Maybe we should also move 3DES to MEDIUM? Given that this is effectively a
112 bit cipher...

Also, what about changing order so that 128bit+ AEAD and PFS are preferred
over other ciphers (including 256 bit ones)?

--
Regards,
Hubert Kario
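
An added example, not part of the thread and not OpenSSL project code: a small audit that expands the DEFAULT string quoted above on the locally linked OpenSSL, tags suites with the properties the thread discusses, and applies the ordering suggested in the reply. The function names, the name-based heuristics and the SAMPLE records are assumptions made for this illustration.

```python
import ssl

PROPOSED_DEFAULT = "ALL:!LOW:!EXPORT:!aNULL:!eNULL"  # string quoted in the message

def expand(spec):
    """Suites the OpenSSL linked into this Python enables for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if no suite can be selected
    return ctx.get_ciphers()

def findings(suite):
    """Tags for the properties the thread discusses, judged from the suite name."""
    name, tags = suite["name"], []
    if name.startswith("EXP-"):
        tags.append("export")
    if "RC4" in name:
        tags.append("RC4")
    if name.endswith("-MD5"):
        tags.append("MD5")
    if "3DES" in name or "DES-CBC3" in name:
        tags.append("3DES")
    return tags

def is_pfs(name):
    # Heuristic (assumption): ephemeral key exchange shows in the name prefix;
    # TLS 1.3 suite names (TLS_...) always use ephemeral key exchange.
    return name.startswith(("ECDHE-", "DHE-", "TLS_"))

def preferred_order(suites):
    """Stable sort: 128-bit-or-better AEAD with PFS first, everything else after."""
    def rank(s):
        top = s["aead"] and is_pfs(s["name"]) and s["strength_bits"] >= 128
        return 0 if top else 1
    return sorted(suites, key=rank)

# Constructed sample records, shaped like ssl.SSLContext.get_ciphers() entries.
SAMPLE = [
    {"name": "AES256-SHA", "aead": False, "strength_bits": 256},
    {"name": "EXP-RC4-MD5", "aead": False, "strength_bits": 40},
    {"name": "DES-CBC3-SHA", "aead": False, "strength_bits": 112},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "aead": True, "strength_bits": 128},
    {"name": "RC4-SHA", "aead": False, "strength_bits": 128},
]

if __name__ == "__main__":
    for s in preferred_order(expand(PROPOSED_DEFAULT)):
        print(f'{s["name"]:40} {",".join(findings(s)) or "-"}')
```

Run against a build older than the proposed change, the same script shows which RC4, MD5 or 3DES suites a given cipher string still enables.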