oss-sec mailing list archives

openssl default ciphers


From: Stefan Bühler <stbuehler () lighttpd net>
Date: Mon, 4 Nov 2013 18:16:30 +0100

Hi,

while working on the lighttpd SNI bug I realized that openssl defaults
to a very bad set of ciphers.

I also couldn't find a sane recommendation from upstream openssl to use
as default, as "DEFAULT" obviously is not a good choice. (I also don't
see any reason why "DEFAULT" includes export and "LOW" ciphers...)

Is 'DEFAULT@STRENGTH:!LOW:!EXP' (should
be similar to 'HIGH:MEDIUM:!aNULL') a reasonable default?

I don't want to enforce PFS or break compatibility on purpose; so I
think the default could be a little bit less "secure" than what I would
actually recommend to use.

So I'm not interested in how to get a super extra secure cipher set
(there are many cipher strings in the wild by various folks for that),
but more in a reasonable lower bound.

regards,
Stefan
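The two candidate cipher strings above can be compared without a server or a client, since OpenSSL's cipher-string parser is reachable from Python's ssl module (set_ciphers() hands the string to SSL_CTX_set_cipher_list, get_ciphers() reads back what it selected). The script below is an added example by the editor, not code from Stefan's message or from lighttpd; it expands 'DEFAULT', 'DEFAULT@STRENGTH:!LOW:!EXP' and 'HIGH:MEDIUM:!aNULL', lists what each candidate drops relative to its base set, and flags entries that a "reasonable lower bound" should not admit. The weakness criteria (an EXP prefix, fewer than 112 bits of cipher strength, or Au=None in the description) are the editor's choice, not anything OpenSSL defines.

```python
"""Expand and compare OpenSSL cipher strings via Python's ssl module.

Added example (editor's code, not from the original message). It runs
against whatever OpenSSL the interpreter is linked with.
"""
import ssl


def _context_for(cipher_string):
    """Return an SSLContext configured with cipher_string, or None when
    OpenSSL rejects the string because no cipher matches it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # OpenSSL's "no cipher match" error: the string selected nothing.
        return None
    return ctx


def cipher_names(cipher_string):
    """Ordered list of cipher names the string selects; None if rejected."""
    ctx = _context_for(cipher_string)
    if ctx is None:
        return None
    return [c["name"] for c in ctx.get_ciphers()]


def weak_entries(cipher_string):
    """(name, description) pairs that fail the editor's lower-bound test:
    export-grade names, under 112 bits of strength, or anonymous key
    exchange (Au=None). Raises ssl.SSLError if the string is rejected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    weak = []
    for c in ctx.get_ciphers():
        if (c["name"].startswith("EXP")
                or c["strength_bits"] < 112
                or "Au=None" in c["description"]):
            weak.append((c["name"], c["description"]))
    return weak


def dropped_by(base, candidate):
    """Sorted names that `base` selects but `candidate` does not, so the
    effect of a narrowing string is visible. None if either is rejected."""
    base_names = cipher_names(base)
    cand_names = cipher_names(candidate)
    if base_names is None or cand_names is None:
        return None
    return sorted(set(base_names) - set(cand_names))


def report(base, candidate):
    """Print one comparison in a form readable next to `openssl ciphers -v`."""
    print(f"== {candidate!r} versus {base!r}")
    dropped = dropped_by(base, candidate)
    if dropped is None:
        print("   rejected by OpenSSL (no cipher matched)")
        return
    print(f"   selects {len(cipher_names(candidate))} ciphers, "
          f"drops {len(dropped)} from the base set")
    for name in dropped:
        print(f"   - {name}")
    for name, desc in weak_entries(candidate):
        print(f"   WEAK: {name}: {desc}")


if __name__ == "__main__":
    # The two strings from the message, each against the set it narrows.
    report("DEFAULT", "DEFAULT@STRENGTH:!LOW:!EXP")
    report("ALL", "HIGH:MEDIUM:!aNULL")
    # What the unfiltered sets still carry by the editor's criteria.
    for s in ("DEFAULT", "ALL"):
        print(f"== weak entries in {s!r}: {len(weak_entries(s))}")
```

Caveat when reading the output: OpenSSL 1.1.0 and later no longer build the export and LOW cipher suites, so on a current interpreter the first comparison usually drops nothing and the interesting differences appear only in the 'ALL' comparison (the anonymous suites). To see what the filtered string actually removed from the OpenSSL of the time, run the same script, or `openssl ciphers -v 'DEFAULT'`, against a 1.0.x build.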
