Message150015
Well,
with your latest proposal 'HIGH:!aNULL:!eNULL:!SSLv2' :
- MD5 was disabled
- IDEA was disabled
- SEED was disabled
Then we realized that RC4 could be a cipher to be leaved enabled, so the new proposal starting from 'DEFAULT'.
While i don't like RC4 because it's not FIPS-140 compliant (https://www.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html) i understand that we may want to keep it.
I would suggest by default to keep disabled also CAMELIA and PSK because almost no one use it, they are just into the standard like many ciphers.
Generally speaking, as a concept to define a default we could:
- Start from a FIPS-140 compliant SSL stack
- Open some additional ciphers for compatibility reason (for example RC4-SHA)
What do you think about such approach?
-naif |
|
Date |
User |
Action |
Args |
2011-12-21 16:59:52 | naif | set | recipients:
+ naif, gregory.p.smith, jcea, pitrou |
2011-12-21 16:59:51 | naif | set | messageid: <1324486791.94.0.490262661912.issue13636@psf.upfronthosting.co.za> |
2011-12-21 16:59:51 | naif | link | issue13636 messages |
2011-12-21 16:59:51 | naif | create | |
|