On Wednesday 11 February 2015 02:00:50 Viktor Dukhovni wrote:
> On Wed, Feb 11, 2015 at 12:22:44AM +0000, Salz, Rich wrote:
> > RC4 in LOW has a bit of pushback so far. My cover for it is that
> > the IETF says "don't use it." So I think saying "if you want it,
> > say so" is the way to go.
>
> By all means, don't use it, but it is not OpenSSL's choice to make
> by breaking the meaning of existing interfaces.
>
> If you put RC4 in LOW, one can no longer exclude LOW ciphers if
> one still needs RC4. Nobody uses single-DES, but enough peers
> still use (only) RC4 to make disabling of RC4 a choice best made
> by applications.
If you upgrade to a new minor version of the library and don't check the configuration afterwards, you're part of the problem.

Example? "ALL:!ADH" and variations thereof.

It *IS* the library's duty to update the policies. Changing policies in the hundreds of applications that use it every time a cipher or protocol is broken is insanity.

All the keyword definitions in ciphers(1) use the word "currently".

-- 
Regards,
Hubert Kario