This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author naif
Recipients gregory.p.smith, jcea, naif, pitrou
Date 2011-12-21.16:59:51
SpamBayes Score 0.00025189936
Marked as misclassified No
Message-id <1324486791.94.0.490262661912.issue13636@psf.upfronthosting.co.za>
In-reply-to
Content 
Well,

with your latest proposal 'HIGH:!aNULL:!eNULL:!SSLv2' :
- MD5 was disabled
- IDEA was disabled
- SEED was disabled

Then we realized that RC4 could be a cipher to be leaved enabled, so the new proposal starting from 'DEFAULT'.

While i don't like RC4 because it's not FIPS-140 compliant (https://www.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html) i understand that we may want to keep it.

I would suggest by default to keep disabled also CAMELIA and PSK because almost no one use it, they are just into the standard like many ciphers.

Generally speaking, as a concept to define a default we could:
- Start from a FIPS-140 compliant SSL stack
- Open some additional ciphers for compatibility reason (for example RC4-SHA)

What do you think about such approach?

-naif
History
Date User Action Args
2011-12-21 16:59:52naifsetrecipients: + naif, gregory.p.smith, jcea, pitrou
2011-12-21 16:59:51naifsetmessageid: <1324486791.94.0.490262661912.issue13636@psf.upfronthosting.co.za>
2011-12-21 16:59:51naiflinkissue13636 messages
2011-12-21 16:59:51naifcreate