On 5/26/2023 12:47 PM, Michael Wojcik via openssl-users wrote:
> I'm sure people can make reasonable arguments for presenting a combined list to end users, and then programmatically separating that into the two collections.
My hope would be that we wouldn't *need* to separate them, that we could just have one list. But maybe I'm spending more effort attempting to achieve that simplification than it's worth.
Mostly I am not *too* concerned about usability here. I regard this as an escape hatch. 98% of the time the defaults we supply will be fine. 1% of the time it will be necessary to loosen them for interoperability with older equipment. 1% of the time it will be necessary to tighten them to disallow some compromised algorithm, or for some policy reason. These are not personal preference items where users can be expected to select random combinations and expect them to work - my only goal there is that selecting a bad combination must not fail stupidly.
Other than intellectual curiosity as to why a single unified list is a bad idea, I think I've gotten the answer I needed: the fact that the "ciphersuites" functions accept and process TLS 1.2 ciphers is an accident that we should not rely on.
-- Jordan Brown, Oracle
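The "combined list, then split it programmatically" approach discussed above, as an added example that is not part of the thread and not OpenSSL's own code. It assumes Python's ssl module (which wraps OpenSSL) and relies on OpenSSL naming TLS 1.3 ciphersuites by their IANA names, which all start with "TLS_", while its TLS 1.2-and-earlier cipher names never do. The TLS 1.2 half is checked by handing it to OpenSSL through SSLContext.set_ciphers (the equivalent of SSL_CTX_set_cipher_list); the TLS 1.3 half is checked against the five suite names OpenSSL defines, embedded here, because Python exposes no wrapper for SSL_CTX_set_ciphersuites. The point is the "must not fail stupidly" requirement: a bad combination is reported before either string reaches the library, instead of silently selecting nothing.

```python
import re
import ssl

# The TLS 1.3 ciphersuites OpenSSL knows, embedded so the check runs offline.
TLS13_SUITES = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}


def split_cipher_config(combined):
    """Split one operator-supplied list into (tls12_cipher_string, tls13_suite_string).

    OpenSSL cipher strings accept ':', ',' or whitespace as separators, so all
    three are tolerated here. TLS 1.3 entries are recognised by the "TLS_"
    prefix of their IANA names; everything else is treated as a TLS 1.2 cipher
    (or a cipher-string keyword such as HIGH or !aNULL).
    """
    tls12, tls13 = [], []
    for item in re.split(r"[:,\s]+", combined.strip()):
        if not item:
            continue
        (tls13 if item.startswith("TLS_") else tls12).append(item)
    return ":".join(tls12), ":".join(tls13)


def validate_tls12(cipher_string):
    """Ask OpenSSL which TLS 1.2 ciphers a cipher string enables.

    Returns the list of enabled cipher names, or None when OpenSSL rejects the
    string because it selects no cipher at all (the "fails stupidly" case).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    # get_ciphers() also lists the TLS 1.3 suites; keep only the TLS 1.2 ones.
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def unknown_tls13(suite_string):
    """Return the TLS 1.3 entries OpenSSL would not recognise."""
    return [s for s in suite_string.split(":") if s and s not in TLS13_SUITES]


def check_combined(combined):
    """Validate a combined list and return a list of problems (empty means OK).

    An empty half is not an error: it means "leave that protocol version's
    defaults alone", which is how the escape hatch is meant to be used.
    """
    problems = []
    tls12, tls13 = split_cipher_config(combined)
    if tls12 and validate_tls12(tls12) is None:
        problems.append("TLS 1.2 cipher string selects no cipher: %r" % tls12)
    for bad in unknown_tls13(tls13):
        problems.append("unknown TLS 1.3 ciphersuite: %r" % bad)
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: one sane combined list, one with a typo in each half.
    for sample in ("TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256",
                   "TLS_BOGUS:NOTACIPHER"):
        print(sample, "->", check_combined(sample) or "ok")
```

Once check_combined returns no problems, the two strings go to their own configuration call (SSL_CTX_set_cipher_list for the first, SSL_CTX_set_ciphersuites for the second); the split is what keeps the code from depending on the accidental acceptance of TLS 1.2 names by the ciphersuites functions that the thread warns against.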