Author pitrou
Recipients Arfrever, alex, benjamin.peterson, christian.heimes, dstufft, ezio.melotti, lemburg, ncoghlan, pitrou, r.david.murray, vstinner
Date 2014-03-20.23:33:24
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1395358402.2310.8.camel@fsol>
In-reply-to <1395357913.23.0.581238329438.issue20995@psf.upfronthosting.co.za>
Content
> However I still contend that using HIGH in the cipherstring actually
> adds additional maintenance burden. In order to know if that
> cipherstring is still safe you must run it against every target
> OpenSSL you want to make secure to ensure that it doesn't allow a new
> cipher that doesn't meet the security strength that was attempted to
> be had with that cipherstring.

I think that is a bit reversed. The main configuration point for ciphers
should be the server, not the client. We set a cipher string to guide
cipher selection in case the server lets us choose amongst its supported
ciphers, but that's all.

Besides, the ssl module doesn't promise a specific "security strength".
The defaults are a best effort thing, and paranoid people should
probably override the cipher string (and deal with the consequences).
History
Date User Action Args
2014-03-20 23:33:24 pitrou set recipients: + pitrou, lemburg, ncoghlan, vstinner, christian.heimes, benjamin.peterson, ezio.melotti, Arfrever, alex, r.david.murray, dstufft
2014-03-20 23:33:24 pitrou link issue20995 messages
2014-03-20 23:33:24 pitrou create
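The check the quoted message describes, expanding a cipher string such as "HIGH" against the OpenSSL the interpreter is linked to and flagging anything weaker than a chosen key length, can be run from the ssl module itself. The script below is an added example, not code from the issue or from CPython; it assumes Python 3.6 or later (for SSLContext.get_ciphers) and a modern OpenSSL, and the function names expand_cipher_string, weak_ciphers and report are this example's own.

```python
"""Audit what an OpenSSL cipher string (e.g. "HIGH") actually expands to on
the local OpenSSL build, using Python's ssl module.

Added example for the discussion in issue20995; not code from the issue or
from CPython. Needs Python 3.6+ for SSLContext.get_ciphers().
"""
import ssl


def expand_cipher_string(cipher_string):
    """Return the ciphers the local OpenSSL selects for cipher_string, in
    preference order, as (name, protocol, strength_bits) tuples.

    Raises ssl.SSLError if OpenSSL rejects the string outright, e.g. when
    it matches no TLS 1.2-or-lower cipher at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    # get_ciphers() reports the effective list. On OpenSSL 1.1.1+ it also
    # carries the TLS 1.3 suites, which a cipher string does not control.
    return [(c["name"], c["protocol"], c["strength_bits"])
            for c in ctx.get_ciphers()]


def weak_ciphers(cipher_string, min_bits=128):
    """Ciphers admitted by cipher_string whose symmetric key is shorter than
    min_bits. This is the per-OpenSSL check dstufft's message refers to:
    the answer depends on which OpenSSL the interpreter is linked against.
    """
    return [c for c in expand_cipher_string(cipher_string) if c[2] < min_bits]


def report(cipher_string, min_bits=128):
    """Print the expansion plus any ciphers below min_bits; return the
    weak ones so callers can fail a build or test on them."""
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    print("cipher string:", cipher_string)
    for name, proto, bits in expand_cipher_string(cipher_string):
        print("  %-40s %-8s %3d bits" % (name, proto, bits))
    weak = weak_ciphers(cipher_string, min_bits)
    if weak:
        print("WEAK (< %d bits):" % min_bits)
        for name, proto, bits in weak:
            print("  %s (%d bits)" % (name, bits))
    else:
        print("no ciphers below %d bits" % min_bits)
    return weak


if __name__ == "__main__":
    # "HIGH" does admit 128-bit AES suites, so auditing against a 256-bit
    # floor shows that HIGH is not a 256-bit-only policy.
    report("HIGH", min_bits=128)
    report("HIGH", min_bits=256)
```

Run it on each Python/OpenSSL combination you ship to; the point of the script is that the lists differ between builds, which is exactly the maintenance cost under discussion. Note that the TLS 1.3 suites appear regardless of the string because OpenSSL selects those separately.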