On Tue, Nov 20, 2012, Dr. Stephen Henson wrote:

> On Fri, Nov 16, 2012, Rainer Canavan wrote:
> 
> > 
> > Since openssl is part of a product that we ship, would you consider moving
> > RC4-MD5 to the front of the cipher list by default a good idea, or are there
> > drawbacks that I overlooked, or would this even be preferred, since RC4 has
> > been propagated as a mitigating method for the so-called BEAST attack?
> > 
> 
> Whether BEAST is a problem or not depends on your product. I believe (someone
> correct me if I'm wrong) that for BEAST to work an attacker needs to be able
> to adaptively inject plaintext which then gets encrypted using the session
> parameters. If there is no mechanism to do that in your product you aren't
> vulnerable to BEAST at all so using AES in CBC mode is fine.
> 

Just to clarify that: your description implies your product is an SSL/TLS
client which can connect to various servers.

Do you need to set SSL_OP_ALL in your product?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
