On 5/15/2013 5:26 PM, Viktor Dukhovni wrote:
On Wed, May 15, 2013 at 01:07:23PM +0200, Jakob Bohm wrote:

If the underlying choices need to be configurable, that should
generally not be via the UI, rather via a configuration file of
some sort.

This assumes your users are normal users, not SSL protocol testers
who want fine-grained control and understand OpenSSL ciphers in
detail.


As a knowledgeable user, I despise user interfaces like that, and tend
to recommend against such products even for novices.

You seem to have neglected the configurability of the underlying
choices.  That's done by experts, such as you, Rich or myself (if I
may be so bold).

In Postfix, users can, when they need to do so, adjust the underlying
cipherlist specs, but they almost never need to do that, and
asking them to do so when they simply want a knob to tune the
minimum strength (or choose an appropriate profile) would be a
disservice.


Your previous posts were written as if they advocated no such configurability, which is what I was opposing.

OpenSSL cipherlists are not for novices.


The OpenSSL cipherlist language is highly unstable and not very
usable in practice.  Typically the admin will have to experiment
with the "openssl cipher" command of the exact library patch level
involved in order to determine what strings will have what effect.

Which is why I described a better user interface and how to implement
it using OpenSSL cipher list APIs internally.  My proposed interface
would contain the big knob (which maps to whatever the OpenSSL
cipher list logic maps "HIGH, MEDIUM, LOW" etc. to on any given day)
and a meaningful fine tuning user interface.  Just like on some old
radio receivers where there were buttons for the favorite programs
which would cause the big tuning scale to jump to the chosen location
while still letting people fiddle the dial to fine tune reception or
tune to a rarely used station which happens to broadcast tonight's
big event.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
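
A sketch of the "big knob plus fine tuning" design discussed in this message, as an added example that is not part of the original thread or of any project named in it. It uses Python's `ssl` module as a stand-in for the OpenSSL cipher list API; the profile names and the functions `expand`, `tune` and `install` are hypothetical.

```python
import ssl

# Hypothetical knob positions. The values are standard OpenSSL cipher-list
# keywords, so their meaning is decided by the library build linked in.
PROFILES = {
    "high": "HIGH:!aNULL:!eNULL",
    "medium": "HIGH:MEDIUM:!aNULL:!eNULL",
}


def expand(cipher_string):
    """Ask the linked OpenSSL what a cipher string means on this build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately from the cipher list, so they
    # are left out of what the knob controls.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def tune(profile, min_bits=0, drop=()):
    """Knob position plus fine tuning -> explicit list of suite names."""
    return [c["name"] for c in expand(PROFILES[profile])
            if c["strength_bits"] >= min_bits
            and not any(word in c["name"] for word in drop)]


def install(ctx, names):
    """Apply the tuned list; fail closed if fine tuning removed everything."""
    if not names:
        raise ValueError("fine tuning left no cipher suites")
    ctx.set_ciphers(":".join(names))
    return ctx


if __name__ == "__main__":
    # Show what the "high" position resolves to on this library build,
    # then the same position with two fine-tuning adjustments.
    print(ssl.OPENSSL_VERSION)
    print("high:", len(tune("high")), "suites")
    tuned = tune("high", min_bits=256, drop=("CAMELLIA",))
    install(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT), tuned)
    print("high, >=256 bits, no CAMELLIA:", tuned)
```

Because the expansion is computed at run time, the same knob position can resolve to a different suite list after a library upgrade; logging the resolved list makes that change visible.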
