> Note that for most applications the correct approach to configuring
> ciphersuites should be to start with DEFAULT and subtract what they don't
> want.  The library is then responsible for a generally sensible default order
> and default exclusions.

I strongly disagree.  Most applications should explicitly list the ciphers they
DO want.  That is the only way an application can be sure of what it is
getting, without consulting external parties or configuration.  Otherwise, when
the next CRIME or POODLE or NameOfTheWeek comes out, you have no idea if you
are vulnerable or not unless you look at something like the OpenSSL source code.

For what it's worth, I believe that "security levels" make this problem much
worse.

        /r$

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

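As an added illustration of the two approaches argued over above (this is not
code from the thread or from OpenSSL itself), the following Python script uses
the standard-library ssl module, which hands the cipher string to the linked
OpenSSL, to resolve an explicit allow-list and a "DEFAULT minus exclusions"
string and then list every suite the subtractive form enables that the
application never named.  The suite names in EXPLICIT and the exclusions in
SUBTRACTIVE are constructed for the example; the exact DEFAULT output depends
on the OpenSSL build and security level Python is linked against.

```python
"""Added example: compare what a cipher string asks for with what OpenSSL
actually selects.  Not part of the original thread or of OpenSSL."""
import ssl

# Explicit allow-list: every suite the application is willing to negotiate.
# Constructed for this example; adjust to your own requirements.
EXPLICIT = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
)

# The "start from DEFAULT and subtract" style the quoted text recommends.
# Constructed for this example; the exclusions are the usual suspects.
SUBTRACTIVE = "DEFAULT:!aNULL:!eNULL:!MD5"


def resolve(cipher_string):
    """Return the TLS <= 1.2 suite names OpenSSL selects for cipher_string,
    in preference order.  TLS 1.3 suites are filtered out because the cipher
    string does not govern them at all (they are configured separately)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def surprises(cipher_string, allowlist):
    """Suites that cipher_string enables but that are NOT in allowlist.

    For an explicit list this is empty by construction.  For a subtractive
    string it is exactly the set you would have to audit by reading OpenSSL's
    DEFAULT definition whenever a new attack is published."""
    wanted = set(allowlist.split(":"))
    return [name for name in resolve(cipher_string) if name not in wanted]


if __name__ == "__main__":
    print("explicit list resolves to:")
    for name in resolve(EXPLICIT):
        print("  ", name)
    extra = surprises(SUBTRACTIVE, EXPLICIT)
    print(f"\n{SUBTRACTIVE!r} additionally enables {len(extra)} suites:")
    for name in extra:
        print("  ", name)
```

Running it prints the four named suites for EXPLICIT and then a longer list
of suites the subtractive string silently adds (DHE, CBC-mode, static-RSA
key exchange and so on, depending on the build).  The point of the surprises()
function is that with the explicit form the second list is empty, so the next
time a suite is deprecated the answer to "are we affected?" is a string
comparison rather than a reading of OpenSSL's source.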