On Wed, Jan 09, 2019 at 03:27:44AM +0000, Jordan Brown wrote:

> > Is there a good reason to want to change or freeze them at this time?
>
> Our products allow the user to enable and disable individual ciphers, to
> allow for both customer policy (e.g. a customer-specific approved-cipher
> list) and for the possibility that one is found to be vulnerable. They
> are "quite safe" today... but what about tomorrow?

The ciphersuites in TLS 1.3 are just the symmetric bulk encryption algorithms coupled with a PRF (HKDF). So what you get is AESGCM with SHA2 or CHACHA20 with Poly1305. Breaks in either would be dramatic advances in cryptanalysis.

While protocol designs are brittle, and public key algorithms are potentially vulnerable to attack by future universal quantum computers, the basic building blocks of modern symmetric cryptography are looking quite robust for the foreseeable future. We're no longer dealing with 1970's or 1980's designs like DES and RC4. Yes, they could perhaps be broken, but there's precious little evidence of that happening any time soon.

You could just provide a free-form emergency string parameter that users are advised to not change unless some major advance makes it necessary. At that time, advice can be published as to what the override setting should be.

--
Viktor.
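The emergency override string suggested in the message above, sketched as an added example that is not part of the original post or of OpenSSL. The function names and the product default list are assumptions; the suite names are the five defined for TLS 1.3 in RFC 8446, and the result is in the colon-separated form that OpenSSL's `SSL_CTX_set_ciphersuites()` accepts.

```python
from typing import Optional, Set, Tuple

# TLS 1.3 ciphersuites from RFC 8446: name -> (AEAD algorithm, HKDF hash).
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256": ("AES-GCM", "SHA-256"),
    "TLS_AES_256_GCM_SHA384": ("AES-GCM", "SHA-384"),
    "TLS_CHACHA20_POLY1305_SHA256": ("CHACHA20-POLY1305", "SHA-256"),
    "TLS_AES_128_CCM_SHA256": ("AES-CCM", "SHA-256"),
    "TLS_AES_128_CCM_8_SHA256": ("AES-CCM", "SHA-256"),
}

# Assumed product default, used whenever the override is left unset.
DEFAULT_SUITES = (
    "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
)


def effective_ciphersuites(override: Optional[str]) -> str:
    """Return the colon-separated TLS 1.3 suite list to hand to the TLS library."""
    if override is None or not override.strip():
        return DEFAULT_SUITES  # normal case: nobody touched the emergency knob
    chosen = []
    for name in (part.strip() for part in override.split(":")):
        if name not in TLS13_SUITES:
            # Fail closed: a typo must not silently fall back to the default list,
            # which may still contain the suite the admin is trying to remove.
            raise ValueError(f"unknown TLS 1.3 ciphersuite: {name!r}")
        if name not in chosen:
            chosen.append(name)  # de-duplicate while keeping preference order
    return ":".join(chosen)


def primitives_in_use(suites: str) -> Tuple[Set[str], Set[str]]:
    """Report which AEADs and hashes a suite list still depends on."""
    pairs = [TLS13_SUITES[name] for name in suites.split(":")]
    return {aead for aead, _ in pairs}, {h for _, h in pairs}


if __name__ == "__main__":
    # Constructed scenario: published advice says to drop ChaCha20-Poly1305.
    active = effective_ciphersuites("TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256")
    print(active, primitives_in_use(active))
```

Rejecting an unrecognised name instead of skipping it keeps a mistyped override from leaving the old list in force without anyone noticing.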