On Thu, Mar 03, 2016 at 08:13:36AM -0500, Wall, Stephen wrote:

> > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On
> > Behalf Of Viktor Dukhovni
> >
> > By and large what should be off by default eventually or already
> > is, but there can be some delay for backwards compatibility.
> ...
> > With these you're covered for no-ssl2 no-comp and no weak ciphers.
>
> We are using 1.0.2f; no-ssl2 and no-comp do not appear to be defaults in
> that version. Should heartbeats be turned off, or have recent versions of
> OpenSSL taken care of any potential weaknesses there?

Yes, you do need to disable "ssl2" in releases prior to 1.0.1s and 1.0.2g.

Note that "no-comp" is a consequence of "zlib" and "zlib-dynamic" not
being enabled. You have to choose to turn compression on IIRC by
enabling one of these.

-- 
	Viktor.
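An added audit script (not from the thread or the OpenSSL project) that applies the two rules above to an `openssl version -a` capture: SSLv2 is off by default only from 1.0.1s / 1.0.2g onward, and compression can only exist when zlib was configured in, which Configure records as -DZLIB on the "compiler:" line. The sample captures are constructed; the version/date lines mirror the real 1.0.2f and 1.0.2g release strings, the flag lines are assumed.

```shell
#!/bin/sh
# Audit an `openssl version -a` capture for the two build-time items in the
# thread: SSLv2 support and zlib-backed TLS compression. Added example.

# SSLv2 is disabled by default from 1.0.1s and 1.0.2g onward (and in 1.1.x, 3.x).
ssl2_off_by_default() {
    case "$1" in
        1.0.1[s-z]*|1.0.2[g-z]*|1.1.*|3.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Configure puts -DZLIB (plus -DZLIB_SHARED for zlib-dynamic) on the compiler
# line; an explicit no-comp appears there as -DOPENSSL_NO_COMP.
has_build_macro() {   # $1 = capture text, $2 = macro name without -D
    printf '%s\n' "$1" | grep -qE "[-]D$2( |$)"
}

# Prints one finding per line; returns 0 only when both items are clean.
audit_openssl_build() {
    text="$1"
    ver=$(printf '%s\n' "$text" | sed -n '1s/^OpenSSL \([^ ]*\).*/\1/p')
    rc=0
    if ssl2_off_by_default "$ver"; then
        echo "$ver: SSLv2 off by default"
    else
        echo "$ver: SSLv2 on unless built with no-ssl2; check 'openssl ciphers -v | grep SSLv2'"
        rc=1
    fi
    if has_build_macro "$text" ZLIB && ! has_build_macro "$text" OPENSSL_NO_COMP; then
        echo "$ver: zlib compression built in; rebuild without zlib or with no-comp"
        rc=1
    else
        echo "$ver: no TLS compression built in"
    fi
    return $rc
}

# Constructed sample: 1.0.2f configured with zlib.
SAMPLE_102F='OpenSSL 1.0.2f  28 Jan 2016
platform: linux-x86_64
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -DL_ENDIAN -O3 -Wall
OPENSSLDIR: "/usr/local/ssl"'

# Constructed sample: 1.0.2g default build (no zlib).
SAMPLE_102G='OpenSSL 1.0.2g  1 Mar 2016
platform: linux-x86_64
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -DL_ENDIAN -O3 -Wall
OPENSSLDIR: "/usr/local/ssl"'

audit_openssl_build "$SAMPLE_102F"   # flags both SSLv2 and zlib
audit_openssl_build "$SAMPLE_102G"   # clean
```

Against a live binary, call `audit_openssl_build "$(openssl version -a)"`.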