Message214307
> However I still contend that using HIGH in the cipherstring actually
> adds additional maintenance burden. In order to know if that
> cipherstring is still safe you must run it against every target
> OpenSSL you want to make secure to ensure that it doesn't allow a new
> cipher that doesn't meet the security strength that was attempted to
> be had with that cipherstring.
I think that is a bit reversed. The main configuration point for ciphers
should be the server, not the client. We set a cipher string to guide
cipher selection in case the server lets us choose amongst its supported
ciphers, but that's all.
Besides, the ssl module doesn't promise a specific "security strength".
The defaults are a best effort thing, and paranoid people should
probably override the cipher string (and deal with the consequences).

Date | User | Action | Args
2014-03-20 23:33:24 | pitrou | set | recipients: + pitrou, lemburg, ncoghlan, vstinner, christian.heimes, benjamin.peterson, ezio.melotti, Arfrever, alex, r.david.murray, dstufft
2014-03-20 23:33:24 | pitrou | link | issue20995 messages
2014-03-20 23:33:24 | pitrou | create |
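The two positions above are both checkable against a real OpenSSL build with the ssl module itself. The following script is an added example, not code from the tracker message or from CPython: it expands a cipher string such as `HIGH` into the suites the local OpenSSL actually enables (the check the quoted reply says must be repeated per target OpenSSL), audits them against a caller-chosen minimum strength, and builds the server-side context that pitrou describes as the real point of control. Function names, the `128`-bit threshold and the regex over OpenSSL's cipher description line (`Kx=...`) are my assumptions; only `SSLContext.set_ciphers()`, `SSLContext.get_ciphers()` (Python 3.6+) and `OP_CIPHER_SERVER_PREFERENCE` are real ssl APIs.

```python
import re
import ssl

# Added example: uses public ssl APIs only. The key-exchange field is read
# from OpenSSL's description string ("... Kx=ECDH Au=RSA ..."); that format
# is an assumption about OpenSSL's output, not a documented Python contract.
KX_RE = re.compile(r"\bKx=(\S+)")


def expand_cipher_string(cipher_string, include_tls13=False):
    """Return the suites the *local* OpenSSL enables for cipher_string.

    Raises ValueError when nothing matches (set_ciphers() reports that as
    ssl.SSLError). TLS 1.3 suites are configured separately from the
    TLS <= 1.2 cipher string, so they are dropped unless asked for.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        raise ValueError(f"{cipher_string!r} selects no cipher: {exc}") from None
    suites = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3" and not include_tls13:
            continue
        m = KX_RE.search(c["description"])
        suites.append({
            "name": c["name"],
            "protocol": c["protocol"],
            "strength_bits": c["strength_bits"],
            "kx": m.group(1) if m else "?",
        })
    return suites


def audit_cipher_string(cipher_string, min_strength_bits=128,
                        require_forward_secrecy=False):
    """Split the enabled suites into (accepted, rejected) under a local policy.

    This is the per-OpenSSL check the quoted reply talks about: the same
    string can enable different suites on different OpenSSL builds, so the
    audit has to be run on each target, not reasoned about from the string.
    """
    accepted, rejected = [], []
    for s in expand_cipher_string(cipher_string):
        ok = s["strength_bits"] >= min_strength_bits
        if require_forward_secrecy:
            ok = ok and s["kx"] in ("ECDH", "DH")
        (accepted if ok else rejected).append(s)
    return accepted, rejected


def server_context(cipher_string):
    """Server side: pin the cipher list and make the server's order win.

    With OP_CIPHER_SERVER_PREFERENCE the server's preference order, not the
    client's, decides the suite, which is why the server is the place to
    configure ciphers and the client string is only a hint.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def prefers_server_order(ctx):
    """True when ctx will use its own cipher order over the client's."""
    return bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)


if __name__ == "__main__":
    acc, rej = audit_cipher_string("HIGH:!aNULL:!eNULL", 128,
                                   require_forward_secrecy=True)
    print(f"{ssl.OPENSSL_VERSION}: HIGH enables {len(acc) + len(rej)} "
          f"TLS<=1.2 suites, {len(rej)} rejected by the local policy")
    for s in rej:
        print(f"  rejected: {s['name']:32} {s['strength_bits']:3d} bits "
              f"Kx={s['kx']}")
```

Run it on each OpenSSL build you deploy to; the rejected list is exactly the drift the quoted reply worries about, and an empty one on every target is the evidence that the string still means what you intended there.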