> On Feb 12, 2016, at 7:21 PM, Richard Moore <[email protected]> wrote:
>
> Yeah, the apache docs didn't say this for /many/ years and it was rejected
> when I reported it as a security problem. The docs had been correct I believe
> with some older versions of openssl but the more general point is that users
> need a setting that doesn't require expertise, a decoder ring or a secret
> handshake. I think we need to reach a point where DEFAULT is the only
> sensible option for users without extensive expertise and means to ensure
> that they don't make things worse by mistake. HIGH currently is a dangerous
> option.

The problem is to a good degree with Apache. They chose to expose a
raw expert interface to users without exposing a safer alternative.

Postfix uses the same OpenSSL libraries, but does not expect users to
understand the details of OpenSSL cipherlists. Instead a safe
interface is exposed to users, and the underlying cipherlists, while
also configurable, are documented as "expert" configuration controls
that most users should not touch.

This does not mean that OpenSSL should not also provide additional
safe "for dummies" controls, but in the meantime applications are
not absolved of the responsibility of providing appropriate interfaces
for their users.

--
Viktor.