On Thursday 04 December 2014 14:07:52 Brandon Vincent wrote:
> On Thu, Dec 4, 2014 at 11:53 AM, Eric H. Christensen
> <sparks@xxxxxxxxxxxxxxxxx> wrote:
> > There will always be a default and that default should be something sane
> > that both provides protection and compatibility. The current default
> > leaves something to be desired with respect to security. Using the
> > recommendations provided by Mozilla you get both in a balanced way. I
> > could see the three recommended cipher suites lists being used as a low,
> > default, and high security ratings within the CryptoPolicy.
>
> I'm not a fan of specifying individual cipher suites.
>
> OpenSSL accepts a wide variety of formats in regards to setting the
> cipher preference. Specifying individual components such as the digest
> or algorithm is cleaner in my opinion.

It just looks cleaner, but actually isn't.

We already had this kind of problem: an old apache config file specified !ADH to disable the anonymous cipher suites. Now, what happens when you update openssl to also support ECDHE, which brings AECDH with it? You guessed it: apache now will happily negotiate anonymous cipher suites!

With a static list of ciphers there's no chance you'll get a surprise after updating components (because the order changed or new ciphers were added). At the same time, you should check (and update as needed) your TLS server configs at least every time you change your certificates anyway.

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
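The !ADH surprise described in the reply above, reproduced with a small model of OpenSSL cipher-string evaluation. This is an added example, not code from the thread or from OpenSSL: the suite tables are constructed, only the aliases the discussion needs are modelled, and the `+` operator and combined aliases (e.g. `ECDHE+AES`) are left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Suite:
    name: str
    kx: str    # key exchange: "RSA", "DH" or "ECDH"
    auth: str  # peer authentication: "RSA" or "NONE" (anonymous)

# Constructed suite tables (not real OpenSSL output): an older build without
# ECDHE, and a newer one that added ECDHE and, with it, anonymous AECDH suites.
OLD_OPENSSL = [
    Suite("AES256-SHA", "RSA", "RSA"),
    Suite("DHE-RSA-AES256-SHA", "DH", "RSA"),
    Suite("ADH-AES256-SHA", "DH", "NONE"),
]
NEW_OPENSSL = OLD_OPENSSL + [
    Suite("ECDHE-RSA-AES256-SHA", "ECDH", "RSA"),
    Suite("AECDH-AES256-SHA", "ECDH", "NONE"),
]

# Alias -> predicate, following the meanings given in ciphers(1).
ALIASES = {
    "ALL":   lambda s: True,
    "ADH":   lambda s: s.kx == "DH" and s.auth == "NONE",     # anonymous DH only
    "AECDH": lambda s: s.kx == "ECDH" and s.auth == "NONE",   # anonymous ECDH only
    "aNULL": lambda s: s.auth == "NONE",                      # every anonymous suite
    "kRSA":  lambda s: s.kx == "RSA",
}

def evaluate(cipher_string, available):
    """Suites a cipher string selects, in order, on a build offering `available`.
    Handles plain names/aliases, '!' (permanent delete) and '-' (delete);
    unknown names match nothing, as in OpenSSL."""
    selected, killed = [], set()
    for token in cipher_string.split(":"):
        op, word = (token[0], token[1:]) if token[:1] in ("!", "-") else ("", token)
        pred = ALIASES.get(word) or (lambda s, w=word: s.name == w)
        matched = [s for s in available if pred(s)]
        if op == "!":
            killed.update(s.name for s in matched)
            selected = [s for s in selected if s.name not in killed]
        elif op == "-":
            selected = [s for s in selected if s not in matched]
        else:
            selected += [s for s in matched if s not in selected and s.name not in killed]
    return [s.name for s in selected]

def surprise(cipher_string):
    """Anonymous suites newly negotiable after the upgrade from OLD to NEW."""
    before, after = set(evaluate(cipher_string, OLD_OPENSSL)), set(evaluate(cipher_string, NEW_OPENSSL))
    return sorted(n for n in after - before if n.startswith(("ADH-", "AECDH-")))
```

`surprise("ALL:!ADH")` reports the new AECDH suite, `surprise("ALL:!aNULL")` reports nothing, and an explicit suite list yields only the named suites on either build.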