> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On
> Behalf Of Viktor Dukhovni
>
> By and large what should be off by default eventually or already
> is, but there can be some delay for backwards compatibility.
...
> With these you're covered for no-ssl2 no-comp and no weak ciphers.

We are using 1.0.2f; no-ssl2 and no-comp do not appear to be defaults in that version. Should heartbeats be turned off, or have recent versions of OpenSSL taken care of any potential weaknesses there?

> It may also be reasonable to disable "idea", "seed" and "rc2".

We provide config settings to disable ssl3, idea, and seed, though I think it'd probably be safe to drop idea and seed altogether. I believe heimdal uses rc2, which precludes disabling that one.

Thanks
-spw
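The thread turns on which configure-time `no-*` options (ssl2, comp, heartbeats, idea, seed, rc2) a given 1.0.2 build was actually compiled with. The script below is an added example, not code from either poster or from the OpenSSL project: it audits a build in two ways, by looking for the `OPENSSL_NO_*` defines that a 1.0.x Configure writes into `opensslconf.h`, and by filtering `openssl ciphers -v` output for suites whose bulk cipher is IDEA, SEED or RC2. The header excerpt and cipher list embedded in it are constructed samples so it runs with no OpenSSL installed; the header path and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a 1.0.2 OpenSSL build for the
# configure-time "no-*" options discussed above. Two checks:
#   1. the OPENSSL_NO_* defines that Configure writes into opensslconf.h
#   2. the cipher suites the build still offers (openssl ciphers -v)
# The sample inputs below are constructed; the header path is an assumption.

# Report which features from the argument list are NOT compiled out.
# $1: opensslconf.h contents; remaining args: feature names (SSL2, COMP, ...)
# Prints the still-enabled names, space-separated, on one line.
enabled_features() {
    conf=$1; shift
    enabled=""
    for feat in "$@"; do
        # A 1.0.x opensslconf.h records a disabled feature as
        #   #ifndef OPENSSL_NO_IDEA
        #   # define OPENSSL_NO_IDEA
        #   #endif
        if printf '%s\n' "$conf" |
           grep -Eq "^#[[:space:]]*define[[:space:]]+OPENSSL_NO_$feat([[:space:]]|$)"; then
            :   # compiled out, nothing to report
        else
            enabled="$enabled $feat"
        fi
    done
    echo "${enabled# }"
}

# Filter `openssl ciphers -v` output (on stdin) down to suites whose bulk
# cipher is IDEA, SEED or RC2; prints one suite name per line.
legacy_enc_suites() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^Enc=(IDEA|SEED|RC2)\(/) { print $1; break } }'
}

# --- constructed sample inputs ---------------------------------------------
# Excerpt in the shape of a 1.0.2 opensslconf.h from a build configured with
# no-idea no-ssl2 (but not no-comp, no-seed, no-rc2 or no-heartbeats).
SAMPLE_CONF='/* opensslconf.h (constructed excerpt) */
#ifndef OPENSSL_NO_IDEA
# define OPENSSL_NO_IDEA
#endif
#ifndef OPENSSL_NO_SSL2
# define OPENSSL_NO_SSL2
#endif
#ifndef OPENSSL_THREADS
# define OPENSSL_THREADS
#endif'

# Constructed lines in the format of `openssl ciphers -v 'ALL:COMPLEMENTOFALL'`.
SAMPLE_CIPHERS='ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1'

# Runs both checks over the constructed samples. To audit a real build,
# feed it the installed header and the live cipher list instead:
#   enabled_features "$(cat /usr/local/ssl/include/openssl/opensslconf.h)" SSL2 COMP HEARTBEATS
#   openssl ciphers -v 'ALL:COMPLEMENTOFALL' | legacy_enc_suites
audit_sample() {
    echo "still enabled: $(enabled_features "$SAMPLE_CONF" SSL2 COMP HEARTBEATS IDEA SEED RC2)"
    echo "legacy suites offered:"
    printf '%s\n' "$SAMPLE_CIPHERS" | legacy_enc_suites
}

audit_sample
```

The header check is the reliable one: Configure records every `no-*` option there, whereas the `compiler:` line from `openssl version -a` only shows what the build's CFLAGS happened to carry. The cipher check is the complement for a binary you did not build yourself, since a suite that still appears under `ALL:COMPLEMENTOFALL` is one the library can negotiate unless the application's cipher string excludes it.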