> From: [email protected] [mailto:owner-openssl-
> [email protected]] On Behalf Of Salz, Rich
> Sent: Tuesday, 09 September, 2014 11:35
> To: [email protected]
> Subject: RE: Value of DEFAULT cipher suite
>
> > Far more productive than disabling RC4 would be ensuring that it is not the
> > preferred cipher suite when better options are enabled.
>
> I am not disabling RC4. I am saying that applications that want to use it
> will, after the post-1.0.2 release is adopted, need to take pro-active
> action.
Which is tantamount to disabling it, for any applications that:
- Link OpenSSL dynamically and don't set a non-default cipher suite list
- Are rebuilt with the new OpenSSL but aren't changed to set a non-default
cipher suite list
You're talking about violating the Principle of Least Surprise, which is rarely
a good idea.
> This follows the current thinking of the IETF.
Glossing "what's currently in an I-D" as "the current thinking of the IETF" is
quite a stretch.
And UTA applies to *applications*, not to libraries.
And personally I think UTA is somewhat misguided, particularly in its excessive
use of RFC 2119 conditional-compliance ("MUST") requirements in sections that
the text refers to as "recommendations"; and I'm not convinced the authors have
done a good job of considering the ramifications.
As for the PRC4 I-D: It too applies to applications; and unless OpenSSL is
going to enforce the final requirement of part 2 ("the TLS server MUST
terminate the handshake"), I can't see how you can claim your proposed change
is "following" the I-D. Without that final requirement, the other two are
potentially more dangerous than allowing RC4.
> It's just being standards-compliant.
Which standard are we talking about? In your other message you cited I-Ds,
which are NOT standards.
--
Michael Wojcik
Technology Specialist, Micro Focus
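A quick way to see what an application that never sets a cipher list actually gets from the linked library, and what an explicit list changes, as an added example that is not from this thread or from OpenSSL itself: it uses Python's ssl module, which wraps whichever OpenSSL build Python links against; the marker strings, the pinned list and the function names are assumptions for the example.

```python
import ssl

# Name fragments treated here as weak or non-authenticating; the set is an
# assumption for this example, RC4 being the suite the thread is about.
WEAK_MARKERS = ("RC4", "NULL", "EXP", "MD5")

def negotiable_ciphers(cipher_list=None):
    """Names of the suites an SSL context will offer.

    cipher_list=None leaves the context as constructed, which is the
    position of an application that never calls SSL_CTX_set_cipher_list().
    Pass "DEFAULT" to see the linked OpenSSL's own DEFAULT string, since
    Python layers its own restrictions on top of a fresh context.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cipher_list is not None:
        ctx.set_ciphers(cipher_list)  # ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]

def weak_offered(cipher_list=None):
    """Subset of negotiable_ciphers() whose names carry a weak marker."""
    return [n for n in negotiable_ciphers(cipher_list)
            if any(m in n for m in WEAK_MARKERS)]

def compare_default_with_pinned(pinned="HIGH:!aNULL:!eNULL:!RC4:!MD5"):
    """Summarise what a library upgrade could silently change for an app
    relying on DEFAULT versus one that pins its own list."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "default_count": len(negotiable_ciphers("DEFAULT")),
        "default_weak": weak_offered("DEFAULT"),
        "pinned_count": len(negotiable_ciphers(pinned)),
        "pinned_weak": weak_offered(pinned),
    }

if __name__ == "__main__":
    for key, value in compare_default_with_pinned().items():
        print(f"{key}: {value}")
```

Run it against each OpenSSL build your binaries are dynamically linked with; the "default_*" entries are exactly what changes under an application's feet when the library's DEFAULT moves.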
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]