Re: SSL_library_init() & EVP_sha256

2009-06-15 Thread Bodo Moeller
On Mon, Jun 15, 2009 at 5:46 AM, Phil Pennock wrote:
> When RFC 5246 came out, specifying TLS 1.2 and having all mandated
> cipher suites use SHA-256, we assumed that to aid the transition OpenSSL
> would add EVL_sha256() to the list of digests initialised in
> SSL_library_init(), even before supp

Re: SSL_library_init() & EVP_sha256

2009-06-15 Thread Phil Pennock
On 2009-06-15 at 11:02 +0200, Bodo Moeller wrote:
> On Mon, Jun 15, 2009 at 5:46 AM, Phil Pennock wrote:
>
> > When RFC 5246 came out, specifying TLS 1.2 and having all mandated
> > cipher suites use SHA-256, we assumed that to aid the transition OpenSSL
> > would add EVL_sha256() to the list of d

RE: SSL_library_init() & EVP_sha256

2009-06-15 Thread David Schwartz
Phil Pennock wrote:
> The approach of the Exim MTA to cryptography is simple -- don't
> second-guess the SSL library developers when it comes to choosing which
> algorithms/digests/etc to load, and provide a knob
> ("tls_require_ciphers") for administrators to restrict what can be
> loaded. The

Re: SSL_library_init() & EVP_sha256

2009-06-15 Thread Phil Pennock
On 2009-06-15 at 14:17 -0700, David Schwartz wrote:
> Phil Pennock wrote:
> > The approach of the Exim MTA to cryptography is simple -- don't
> > second-guess the SSL library developers when it comes to choosing which
> > algorithms/digests/etc to load, and provide a knob
> > ("tls_require_ciphers"

RE: SSL_library_init() & EVP_sha256

2009-06-15 Thread David Schwartz
Phil Pennock wrote:
> > That just won't work. Cryptography is not a "drop in a library
> > and mark a
> > checkbox on your product" thing. It has to be properly integrated in an
> > application with decisions made as to what the application
> > actually needs,
> > what threat models it faces, an