Currently the OpenSSL "DEFAULT" cipherlist serves two functions:
- Sort the cipherlist to put the strongest, most desirable algorithms first. - Exclude ciphers that most applications should not be exposed to. Applications that don't need/want ciphers outside the "DEFAULT" list can further restrict the cipher choice with "DEFAULT:!this:!that" ... Things get more complicated for applications that want to support anonymous ciphers but still maintain a sensible cipher order: - With OpenSSL 0.9.7 we have: #define SSL_DEFAULT_CIPHER_LIST \ "ALL:!ADH:+RC4:@STRENGTH" - With OpenSSL 0.9.8 we have: #ifdef OPENSSL_NO_CAMELLIA # define SSL_DEFAULT_CIPHER_LIST \ "ALL:!ADH:+RC4:@STRENGTH" #else # define SSL_DEFAULT_CIPHER_LIST \ "AES:CAMELLIA:-ECCdraft:ALL:!ADH:+RC4:@STRENGTH" #endif - With OpenSSL 0.9.9 (dev) we have: #define SSL_DEFAULT_CIPHER_LIST \ "AES:CAMELLIA:ALL:!ADH:!AECDH:+aECDH:+kRSA:+RC4:@STRENGTH" If one wants a correctly ordered cipherlist with anonymous ciphers left in, one needs to use: - 0.9.7 ALL:+RC4:@STRENGTH - 0.9.8 (default build) "ALL:!ADH:+RC4:@STRENGTH" - 0.9.8 ( enable-camellia ) "AES:CAMELLIA:ALL:+RC4:@STRENGTH" removing ECCdraft is not necessary, because these are already excluded from the "ALL" cipher alias. - 0.9.9 "AES:CAMELLIA:ALL:+aECDH:+kRSA:+RC4:@STRENGTH" This volatility from release to release makes it impractical to define a correctly ordered default cipher list for "aNULL" applications that survives upgrades in the OpenSSL library with configuration changes in the application. Now it is true that the 0.9.9 list can be used with reasonably good results with 0.9.8 and 0.9.7 resulting in only minor deviations from the native (DEFAULT with aNULL left in) order for the earlier releases, the diffence being that ADH precedes kRSA in more cases (which is desirable). Still, the "DEFAULT" order is likely to change yet again in future releases, and it is going to be difficult to play "catchup" with an ever evolving DEFAULT cipher list. I am therefore asking the team to consider splitting the two features: - Sensible default order - Non-default cipher exclusion into two parts. The first part (ordering), should I believe be a feature of the "ALL" cipher_alias: ALL = preferred:all:+low-pref:@STRENGTH (preferred = AES:CAMELLIA) (all = legacy "ALL" cipher list) (low-pref = +aECDH:+kRSA:+RC4) an then "DEFAULT" is simply a filter on the already ordered "ALL" list: DEFAULT = "ALL:!aNULL". This would allow applications using "ALL" (or legacy ALL:+RC4:@STRENGTH which would be an equivalent more cumbersome way of getting the same result) to portably (release to release) arrive at a sensible cipherlist order. Comments? -- Viktor. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]