Currently the OpenSSL "DEFAULT" cipherlist serves two functions:
- Sort the cipherlist to put the strongest, most desirable algorithms
first.
- Exclude ciphers that most applications should not be exposed to.
Applications that don't need/want ciphers outside the "DEFAULT" list
can further restrict the cipher choice with "DEFAULT:!this:!that" ...
Things get more complicated for applications that want to support
anonymous ciphers but still maintain a sensible cipher order:
- With OpenSSL 0.9.7 we have:
#define SSL_DEFAULT_CIPHER_LIST \
"ALL:!ADH:+RC4:@STRENGTH"
- With OpenSSL 0.9.8 we have:
#ifdef OPENSSL_NO_CAMELLIA
# define SSL_DEFAULT_CIPHER_LIST \
"ALL:!ADH:+RC4:@STRENGTH"
#else
# define SSL_DEFAULT_CIPHER_LIST \
"AES:CAMELLIA:-ECCdraft:ALL:!ADH:+RC4:@STRENGTH"
#endif
- With OpenSSL 0.9.9 (dev) we have:
#define SSL_DEFAULT_CIPHER_LIST \
"AES:CAMELLIA:ALL:!ADH:!AECDH:+aECDH:+kRSA:+RC4:@STRENGTH"
If one wants a correctly ordered cipherlist with anonymous ciphers left
in, one needs to use:
- 0.9.7
ALL:+RC4:@STRENGTH
- 0.9.8 (default build)
"ALL:!ADH:+RC4:@STRENGTH"
- 0.9.8 ( enable-camellia )
"AES:CAMELLIA:ALL:+RC4:@STRENGTH"
removing ECCdraft is not necessary, because these are already
excluded from the "ALL" cipher alias.
- 0.9.9
"AES:CAMELLIA:ALL:+aECDH:+kRSA:+RC4:@STRENGTH"
This volatility from release to release makes it impractical to define
a correctly ordered default cipher list for "aNULL" applications that
survives upgrades in the OpenSSL library with configuration changes in
the application.
Now it is true that the 0.9.9 list can be used with reasonably good
results with 0.9.8 and 0.9.7 resulting in only minor deviations from
the native (DEFAULT with aNULL left in) order for the earlier releases,
the diffence being that ADH precedes kRSA in more cases (which is
desirable).
Still, the "DEFAULT" order is likely to change yet again in future
releases, and it is going to be difficult to play "catchup" with
an ever evolving DEFAULT cipher list.
I am therefore asking the team to consider splitting the two features:
- Sensible default order
- Non-default cipher exclusion
into two parts. The first part (ordering), should I believe be a feature
of the "ALL" cipher_alias:
ALL = preferred:all:+low-pref:@STRENGTH
(preferred = AES:CAMELLIA)
(all = legacy "ALL" cipher list)
(low-pref = +aECDH:+kRSA:+RC4)
an then "DEFAULT" is simply a filter on the already ordered "ALL" list:
DEFAULT = "ALL:!aNULL".
This would allow applications using "ALL" (or legacy ALL:+RC4:@STRENGTH
which would be an equivalent more cumbersome way of getting the same
result) to portably (release to release) arrive at a sensible cipherlist
order.
Comments?
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
