I think this is a great idea, but that it is way too late for this release. We
really should be concentrating on testing and fixes, and open PR's and other
release criteria. Ideally the release goes out in a month (IETF RFC editor
willing)
___
I'd like to draw everyone's attention to PR #5969
Given CVE-2018-0737, and the fact that this is far from the first time
this has happened I think we should change the default so that we always
use the constant time implementation unless specifically flagged
otherwise. E.g see these issues:
2018 by Alejandro Cabrera
Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
The fix was developed by Billy Brumley.
References
==
URL for this Security Advisory:
https://www.openssl.org/news/secadv/20180416.txt
Note: the online version of the advisory may
> On Apr 16, 2018, at 6:00 AM, Matt Caswell wrote:
>
> That's not entirely true. This works:
>
> $ openssl s_server -cert dsacert.pem -key dsakey.pem -cipher ALL:@SECLEVEL=0
> $ openssl s_client -no_tls1_3 -cipher ALL@SECLEVEL=0
>
> This doesn't:
>
> $ openssl s_server