On Thursday, 19 July 2018 00:12:55 CEST Michael Wojcik wrote: > > From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf > > Of Ryan Beethe > > Sent: Wednesday, July 18, 2018 14:25 > > > > For a safe client application, should you explicitly set the cipher list > > explicitly, rather than trust the default cipher list that comes from > > the package manager's libssl? > > I don't think there's a definitive answer. It will depend on how well that > OpenSSL package is maintained and how often the system administrator (who > may just be Joe End User) updates it, the criteria used by the developer to > set the cipher list, and so on. > > That said, I'll always prefer software that has a configurable cipher list > with a decent default. If the software uses an OpenSSL provided by the OS > manufacturer or some third party, and that OpenSSL comes with its own > default cipher suite list, as in the Fedora case, then making the > application's default "use the OpenSSL package's default" might well be > acceptable. But as I user and system administrator, I always want the > freedom to override it. and the idea of providing that was exactly to allow this, as not all applications provide necessary configuration options, so without the system policy you have no way of overriding openssl defaults at all yes, it's system-wide, but applications are explicitly allowed to override the policy, and if you really need to communicate with old software or hardware, there is LEGACY policy provided for this > The OpenSSL-consuming software I work on all uses our own OpenSSL builds - > we don't use the OS-supplied one, if there is one - so this isn't an issue > I have to deal with professionally. But we do make the cipher-suite list > configurable, with a default that tries to strike a reasonable compromise > between strength and compatibility. yes, for people that manage this stuff themselves, and spend a lot of time thinking and making decisions about their TLS settings, regularly updating it, this may feel intrusive but please remember, this is not the typical user behaviour -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
Attachment:
signature.asc
Description: This is a digitally signed message part.
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
