On Wed, Feb 11, 2015 at 03:15:11PM +0000, Salz, Rich wrote:
> > Note that for most applications the correct approach to configuring
> > ciphersuites should be to start with DEFAULT and subtract what they don't
> > want. The library is then responsible for a generally sensible default
> > order and default exclusions.
>
> I strongly disagree. Most applications should explicitly list the ciphers
> they DO want. That is the only way an application can be sure of what it is
> getting, without consulting external parties or configuration. Otherwise,
> when the next Crime or Poodle or NameOfTheWeek comes out, you have no idea if
> you are vulnerable or not unless you look at something like the OpenSSL
> source code.
>
> For what it's worth, I believe that "security levels" make this problem much
> worse.
Our customers, during the last SSL exploits, were actually hoping for a global configuration file to change cipher preferences. Something that is present in 1.0.2, although I have not checked it deeply yet.

Ciao,
Marcus
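An added example, not part of the thread: the check Rich's argument implies, resolving a cipher string against whatever OpenSSL the Python interpreter is linked to and verifying what actually came back, for both the subtract-from-DEFAULT style and the explicit-list style. The two cipher strings are constructed for illustration, and the code assumes CPython's ssl module reports TLS 1.3 suites with protocol "TLSv1.3" so they can be set aside (the cipher string does not govern them).

```python
import ssl

# Two ways of expressing cipher policy, as debated above (constructed examples):
# subtract from the library's DEFAULT, or spell out every suite you want.
SUBTRACTIVE = "DEFAULT:!aNULL:!eNULL:!RC4:!MD5"
EXPLICIT = ":".join([
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
])


def resolve(cipher_string):
    """Suite names (TLS 1.2 and below), in preference order, that the linked
    OpenSSL enables for cipher_string. Raises ssl.SSLError if nothing matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are fixed by the library, not by the cipher string.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def is_valid(cipher_string):
    """False when the string selects no suite at all (a misconfiguration)."""
    try:
        resolve(cipher_string)
        return True
    except ssl.SSLError:
        return False


def offending(cipher_string, banned_tokens):
    """Resolved names mentioning a banned algorithm. This is what a DEFAULT-based
    policy must ask the library, because it cannot know DEFAULT's contents."""
    return [n for n in resolve(cipher_string)
            if any(tok in n for tok in banned_tokens)]


def matches_explicit_list(cipher_string):
    """True when the library returned exactly the requested suites (those the
    build supports) in the requested order, with nothing added by the library."""
    wanted = cipher_string.split(":")
    got = resolve(cipher_string)
    return got == [w for w in wanted if w in set(got)]


if __name__ == "__main__":
    print("DEFAULT on this build:", len(resolve("DEFAULT")), "suites")
    print("subtractive, banned left over:", offending(SUBTRACTIVE, ["RC4", "MD5", "NULL"]))
    print("explicit list honoured exactly:", matches_explicit_list(EXPLICIT))
    print("bogus string accepted:", is_valid("NOT-A-REAL-SUITE"))
```

The size of `resolve("DEFAULT")` varies from build to build, which is the point of the thread: with the subtractive style the library decides, with the explicit style the application does.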