Issue #7191 has been updated by R.I. Pienaar.
Daniel Pittman wrote:

> I would look more favourably at letting the user override
> the suite, rather than just the block size, so that if someone
> wanted !AES, or !256, or !CBC, they could have it.

I did some testing when I first wrote the code and you really want to use AES for performance, don't want to support others that will just make people complain (more). Assuming we rule out silly things like just DES.

> Tweaking just parts of that also encourages people to think they know why
> this is a good idea, when it usually isn't. :)

Not sure how letting them tweak everything improves this, it just means they have to understand even more? Maybe just not understanding what you mean.

Either way, letting people use ECB with AES and not CBC is actually quite a big change in the code, CBC needs an IV and ECB doesn't etc. That is if we agree using ECB is a good idea at all, which I don't believe it is :)

Mostly I think we just won't win much by making it too configurable - all you'll end up with is people messing it up and having half a collective that can't talk to another half. Or perpetuating incorrect assumptions that just putting everything at 'most secure, highest key size and slowest possible cipher' yields a secure result, we have enough of that already.

----------------------------------------
Feature #7191: The AES key size used by M::SSL should be configurable
https://projects.puppetlabs.com/issues/7191

Author: R.I. Pienaar
Status: Accepted
Priority: Normal
Assignee: R.I. Pienaar
Category: Core
Target version: 1.1.5
Keywords:
Branch:
Affected mCollective version:

Currently the SSL class has aes-256-cbc hardcoded, this is the largest keysize and should also be the slowest; additionally it will be problematic on JRuby as it requires additional tweaking.

Make it support 128, 192 or 256 in the config file.
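The key-size option the feature request describes, sketched with Ruby's standard OpenSSL bindings as an added example that is not part of the original message or of mCollective's code. The helper names (`cipher_name_for`, `aes_encrypt`, `aes_decrypt`, `interoperable?`) are hypothetical; only the key size is configurable, the algorithm and CBC mode stay fixed, and the last helper shows two nodes with different settings failing to talk to each other.

```ruby
require "openssl"

# Hypothetical helpers for illustration; not mCollective's SSL class.
ALLOWED_KEY_BITS = [128, 192, 256].freeze

# Turn a config value ("128", 256, ...) into an AES-CBC cipher name.
# Anything outside the three sizes is rejected instead of being passed
# through to OpenSSL, so the mode and algorithm stay fixed.
def cipher_name_for(config_value)
  bits = Integer(config_value.to_s, 10) rescue nil
  unless ALLOWED_KEY_BITS.include?(bits)
    raise ArgumentError, "unsupported AES key size: #{config_value.inspect}"
  end
  "aes-#{bits}-cbc"
end

# Encrypt with a fresh random key and IV sized for the chosen cipher.
# The key travels in the clear here only to keep the example offline.
def aes_encrypt(plaintext, key_bits)
  cipher = OpenSSL::Cipher.new(cipher_name_for(key_bits))
  cipher.encrypt
  key = cipher.random_key
  iv = cipher.random_iv # CBC needs an IV; it is 16 bytes for all three sizes
  { key: key, iv: iv, data: cipher.update(plaintext) + cipher.final }
end

def aes_decrypt(msg, key_bits)
  cipher = OpenSSL::Cipher.new(cipher_name_for(key_bits))
  cipher.decrypt
  cipher.key = msg[:key] # raises ArgumentError if the length does not match
  cipher.iv = msg[:iv]
  cipher.update(msg[:data]) + cipher.final
end

# True when a node configured with receiver_bits can read a message
# from a node configured with sender_bits.
def interoperable?(sender_bits, receiver_bits)
  aes_decrypt(aes_encrypt("ping", sender_bits), receiver_bits) == "ping"
rescue ArgumentError, OpenSSL::Cipher::CipherError
  false
end
```

`interoperable?(256, 128)` returns false, so a key-size setting of this kind has to be rolled out to every node at once.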
