On Fri, Jul 25, 2008 at 05:10:54PM +0200, Soverini Luca wrote:

> A vulnerability assessment found a weak cipher list.
> Is it possible to disable the weak cipher list with the openssl command tool?

The cipherlist needs to be adjusted in the relevant applications, not the openssl(1) command-line tool. The "DEFAULT" cipherlist is compiled into the library; each application can select a non-default list if it so chooses.

Don't put blind faith in vulnerability assessments. In many cases a weak cipher is better than no SSL at all. Is this an application where TLS is used with strong authentication and protects sensitive data? Is reducing interoperability by trimming the cipher-list justified by the potential security gains?

Before you consider dropping weak ciphers, it is best to consider dropping SSLv2 support, and using just SSLv3/TLSv1. Only then consider shrinking the cipher list.

-- 
Viktor.
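
As an added illustration (not part of the original thread), this shows one application, a Python program using the standard ssl module on top of OpenSSL, setting a protocol floor first and then its own cipher list, and auditing what it still offers. The policy string, the TLS 1.2 floor and the function names are assumptions of this example.

```python
import ssl

# Assumed policy string for this example; each application tunes its own.
HARDENED = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def weaknesses(cipher):
    """Return the reasons one SSLContext.get_ciphers() entry counts as weak."""
    desc = cipher.get("description", "")
    reasons = []
    if "Au=None" in desc:
        reasons.append("anonymous key exchange (no authentication)")
    if "Enc=None" in desc:
        reasons.append("no encryption")
    if any(t in desc for t in ("Enc=RC4", "Enc=RC2", "Enc=DES", "Enc=3DES")):
        reasons.append("legacy symmetric cipher")
    if "Mac=MD5" in desc:
        reasons.append("MD5 MAC")
    if cipher.get("strength_bits", 0) < 128:
        reasons.append("key strength below 128 bits")
    return reasons


def build_context(cipher_string=HARDENED):
    """Client context: protocol floor first, then the trimmed cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumed floor for this example
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx


def audit(ctx):
    """Map cipher name -> reasons for every weak suite the context still offers."""
    return {c["name"]: r for c in ctx.get_ciphers() if (r := weaknesses(c))}


# Constructed sample entry in the shape get_ciphers() returns.
SAMPLE_EXPORT = {
    "name": "EXP-RC4-MD5",
    "strength_bits": 40,
    "description": "EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export",
}

if __name__ == "__main__":
    # "DEFAULT" is the list compiled into the linked OpenSSL library.
    print("library DEFAULT:", audit(build_context("DEFAULT")))
    print("hardened list:  ", audit(build_context()))
    print("sample entry:   ", weaknesses(SAMPLE_EXPORT))
```

What the "DEFAULT" audit reports depends on the OpenSSL build the interpreter is linked against, which is why the list has to be checked per application and per host.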