On Tuesday 16 December 2014 16:18:09 Hanno Böck wrote:
> On Tue, 16 Dec 2014 15:42:43 +0100
>
> Hubert Kario <hka...@redhat.com> wrote:
> > Last time we have discussed it[1], the only voices against were about
> > removal of RC4 ciphers from default
>
> The boringssl patch was quite invasive, so I gave up to try to port
> their changes.
>
> But in essence it's quite trivial, just re-order stuff a bit. See
> attached patch.
>
>
> Output after my patch of ALL:COMPLEMENTOFALL: <snip>
> To compare, output of plain openssl: <snip>
they don't differ...

but comparing that to what the Fedora version of openssl outputs, then the new
order certainly makes things a bit better.

there are a few issues still
 - aRSA preferred before aECDSA
 - AES256 before AES128 in general
 - a few export grade ciphers placed before secure ciphers
 - 3DES is placed arbitrarily

I'd prefer to not only change the order, but also say what was the intent and
what is the preferred ordering (which keys are used for ordering), so that
when new ciphers come, it will be more or less obvious where they should be
placed

--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
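
The four ordering patterns listed in the message can be checked mechanically against `openssl ciphers -v` output. The Python below is an added example, not part of the original message or of OpenSSL; the sample list is constructed, and the function names and the working definition of "secure" (non-export, at least 128 bits) are assumptions.

```python
import re

# Constructed sample in the column layout printed by `openssl ciphers -v`.
SAMPLE = """\
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA   Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA   Enc=RC4(40)   Mac=MD5  export
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA   Enc=3DES(168) Mac=SHA1
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA   Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
"""

def parse(text):
    """Turn `openssl ciphers -v` lines into dicts, keeping list order."""
    suites = []
    for pos, line in enumerate(l for l in text.splitlines() if l.strip()):
        f = line.split()
        kv = dict(x.split("=", 1) for x in f[2:] if "=" in x)
        m = re.fullmatch(r"(\w+)\((\d+)\)", kv["Enc"])  # e.g. AES(256); eNULL has no bits
        suites.append({"pos": pos, "name": f[0], "kx": kv["Kx"], "au": kv["Au"],
                       "alg": m.group(1) if m else kv["Enc"],
                       "bits": int(m.group(2)) if m else 0,
                       "mac": kv["Mac"], "export": "export" in f[2:]})
    return suites

def audit(suites):
    """Report the four ordering patterns listed in the message."""
    out = []
    # Assumption: "secure" means non-export with a key of at least 128 bits.
    secure = [s for s in suites if not s["export"] and s["bits"] >= 128]
    for e in (s for s in suites if s["export"]):
        if any(s["pos"] > e["pos"] for s in secure):
            out.append(("export-before-secure", e["name"]))
    for a in suites:
        for b in suites:
            if a["pos"] >= b["pos"] or a["export"] or b["export"]:
                continue
            # Compare only suites that differ in exactly one property.
            same = (a["kx"], a["mac"], a["alg"]) == (b["kx"], b["mac"], b["alg"])
            if same and a["bits"] == b["bits"] and (a["au"], b["au"]) == ("RSA", "ECDSA"):
                out.append(("aRSA-before-aECDSA", a["name"], b["name"]))
            if same and a["au"] == b["au"] and a["alg"] == "AES" \
                    and (a["bits"], b["bits"]) == (256, 128):
                out.append(("AES256-before-AES128", a["name"], b["name"]))
    out += [("3DES-position", s["name"], s["pos"]) for s in suites if s["alg"] == "3DES"]
    return out

if __name__ == "__main__":
    print(*audit(parse(SAMPLE)), sep="\n")
```

To audit a real build, pass the captured output of `openssl ciphers -v 'ALL:COMPLEMENTOFALL'` to `parse()` in place of `SAMPLE`.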