> Offhand, I'm not aware of other OSes that distribute implementations
> of OpenSSL that require platform-specific cipher-list settings.

Ok, that is very helpful to know.

> This strikes me as a Really Bad Idea on the part of the Fedora
> developers

While it is a pain to have to have a Fedora-specific patch, I am not sure I understand why this is a bad idea? (Server applications like Apache do not fall under that guideline.) As a consumer of applications that use OpenSSL, I think I would prefer that an up-to-date list of acceptable ciphers is kept by the same folks who keep my libssl.so up-to-date, rather than depending on the developer of each individual application to keep their code in step with current security news.

> I recommend Ivan Ristic's /Bulletproof TLS/ e-book

I have been meaning to buy this book for a long time, so I finally did. Skimming through it, it looks excellent.

I will also take another look at Mozilla's list (as mentioned by Daurnimator), and compare it to the suggestions in "Bulletproof TLS". I have been using the Mozilla list for server-side things, so I suppose it makes sense to use it on the client side as well.

But I still have one question, which I don't see answered explicitly anywhere: For a safe client application, should you explicitly set the cipher list, rather than trust the default cipher list that comes from the package manager's libssl? (Obviously this question would not apply to operating systems which don't distribute OpenSSL, or to Fedora.)

Thanks,
Ryan

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
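One way to ground the "explicit list or trust the distro default" question is to ask libssl what each choice actually enables and diff them. The script below is an added example, not from the thread or from OpenSSL; it uses Python's `ssl` module (which default the module starts from, Python's own built-in string or libssl's, depends on how the interpreter was built) and the cipher string `STRICT_CLIENT_CIPHERS` is a constructed illustration, not the exact Mozilla or "Bulletproof TLS" recommendation.

```python
import ssl

# Constructed, illustrative hardened-client string (assumption: consult the
# Mozilla or "Bulletproof TLS" lists for the real recommendation).
STRICT_CLIENT_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!PSK:!SRP"

# Name fragments of legacy suites a client should not offer.
LEGACY_TOKENS = ("NULL", "RC4", "DES", "MD5", "EXP", "ADH", "AECDH", "PSK", "SRP")


def enabled_ciphers(cipher_string=None):
    """TLS 1.2-and-earlier suites a client context would offer: the library
    default when cipher_string is None, else the given OpenSSL cipher string.
    Raises ssl.SSLError if the string matches no suite at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cipher_string is not None:
        ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are configured separately and are all forward secret.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_ciphers(ciphers):
    """(name, reason) pairs for suites without forward secrecy, with under
    128-bit strength, or using legacy algorithms; [] means clean by these rules."""
    findings = []
    for c in ciphers:
        reasons = []
        if c["kea"] not in ("kx-ecdhe", "kx-dhe"):
            reasons.append("no forward secrecy: " + c["kea"])
        if c["strength_bits"] < 128:
            reasons.append("weak cipher strength: %d bits" % c["strength_bits"])
        for token in LEGACY_TOKENS:
            if token in c["name"]:
                reasons.append("legacy algorithm: " + token)
                break
        if reasons:
            findings.append((c["name"], "; ".join(reasons)))
    return findings


def audit_default_against(cipher_string=STRICT_CLIENT_CIPHERS):
    """Compare the library default with an explicit list: which suites the
    default adds on top of it, and which of those are weak by the rules above."""
    default = enabled_ciphers()
    strict_names = {c["name"] for c in enabled_ciphers(cipher_string)}
    extra = [c for c in default if c["name"] not in strict_names]
    return {
        "default_count": len(default),
        "explicit_count": len(strict_names),
        "extra_in_default": [c["name"] for c in extra],
        "weak_in_default": weak_ciphers(extra),
    }


if __name__ == "__main__":
    for key, value in audit_default_against().items():
        print(key, value)
```

Run it on each platform you ship to: an empty `weak_in_default` is the case for trusting the distro's libssl, a non-empty one is the case for setting the list yourself.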