----- Original Message -----
> From: "Matt Caswell via RT" <r...@openssl.org>
> To: hka...@redhat.com
> Cc: openssl-dev@openssl.org
> Sent: Saturday, May 31, 2014 12:42:56 AM
> Subject: [openssl.org #3363] Patch to fix bad example in ciphers(1) man page
> 
> Hi Hubert
> 
> The title for this request is slightly misleading as this was actually 3
> commits, only one of which was regarding an example in ciphers(1).

Sorry, I first prepared the email and then made the push.

> Taking the 3 commits in turn:
> 
> fix example with DH cipher suites:
> I don't agree that the man page implies anything about anonymous ECDH when it
> talks about anonymous DH. To me this example is clear and therefore I have not
> applied this commit.

There are many examples on the Internet that recommend using "HIGH:!ADH" or
similar for cipher suite configuration, without noting that it only works
correctly with old openssl.

When I scanned Alexa top 1 million domains, I found that over 6% of SSL-enabled
servers support AECDH suites, while only around 0.5% support ADH suites.
If I disregard servers that have misconfigured, expired, self-signed, etc.
certificates, this falls to only 2.6% and 0.4% respectively.

That's why I think it is confusing for users and should be changed.

If you are still unconvinced, would you be willing to accept a patch with an
additional example that basically says, "to disable all unauthenticated cipher
suites (ADH and AECDH), do this"?

> add description of -attime to man page:
> I have applied this commit. However, I note that this is only one of quite a
> number of parameters that are missing from verify.pod. It would be great if you
> could provide some more documentation of these!! ;-)

I know, I'm just warming up ;)

-- 
Regards,
Hubert Kario
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
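An added illustration of the point Hubert is arguing (this is not part of the thread and not OpenSSL's own code): Python's stdlib ssl module hands a cipher string to the linked OpenSSL exactly as `openssl ciphers` does and can read the expanded list back, so it is a convenient way to see that `!ADH` strips only the finite-field anonymous suites while `!aNULL` strips both ADH and AECDH. The helper names (`expand`, `anonymous_suites`, `split_anonymous`) are mine; the example assumes a Python 3.6+ build against OpenSSL 1.1.0 or later, since that is what `SSLContext.get_ciphers()` needs.

```python
"""Show which unauthenticated (anonymous) suites a cipher string leaves enabled.

Added example, not part of the openssl-dev thread. The cipher-string
semantics come from the linked OpenSSL; this file only inspects the result.
"""
import ssl


def expand(cipher_string: str) -> list:
    """Expand an OpenSSL cipher string into the list of suites it selects.

    Raises ssl.SSLError if the string matches no suite at all, which is the
    same error `openssl ciphers` would report.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def anonymous_suites(cipher_string: str) -> list:
    """Names of suites selected by cipher_string that offer no server authentication.

    OpenSSL reports these with auth 'auth-null'; both ADH-* (anonymous
    finite-field DH) and AECDH-* (anonymous elliptic-curve DH) fall here.
    """
    return [c["name"] for c in expand(cipher_string) if c["auth"] == "auth-null"]


def split_anonymous(cipher_string: str) -> dict:
    """Group the anonymous suites by family so ADH and AECDH show up separately."""
    groups = {"ADH": [], "AECDH": []}
    for name in anonymous_suites(cipher_string):
        family = "AECDH" if name.startswith("AECDH-") else "ADH"
        groups[family].append(name)
    return groups


if __name__ == "__main__":
    # The widely copied string, the alias-by-alias fix, and the short fix.
    for spec in ("HIGH:!ADH", "HIGH:!ADH:!AECDH", "HIGH:!aNULL"):
        print(f"{spec:20} -> {split_anonymous(spec)}")
```

Whether `HIGH:!ADH` actually leaves an AECDH suite behind depends on the suites compiled into the local OpenSSL; the grouping makes that visible for whatever build is installed. Note that this looks at cipher-string expansion only, not at what a handshake would accept, since newer OpenSSL releases add further gates (for example the security level) on top of the cipher list.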