On Tue, May 14, 2013 at 09:42:08PM -0500, Salz, Rich wrote:

> Viktor gave some excellent advice. I'd tweak it by removing
> 'export' as something to support. And perhaps use weak, good,
> strong -- whatever, keep the number of choices very small. I'd
> suggest to not use "default" since folks will get upset if it
> changes. They are more accepting if the definition of 'strong
> cipher' changes with time. It's curious, but it's the way humans
> seem to work.

The reason Postfix supports "export" is because it supports an opportunistic TLS mode, where we fall back to plain-text if the remote server does not offer TLS, or the handshake fails. So the "export" grade is default for opportunistic connections, since even "export" is somewhat better than plain-text. With mandatory TLS destinations the default cipher grade is "medium". The actual design has to match the constraints and requirements of the particular application as well as usability considerations.

> The openssl cipher spec is pretty darn subtle and it is far too
> easy to get wrong.

Excellent one sentence summary.

--
Viktor.