|
| From: | Thomas Chust |
| Subject: | [Chicken-users] OpenSSL egg option defaults poll |
| Date: | Thu, 16 Oct 2014 00:39:59 +0200 (CEST) |
| User-agent: | Alpine 2.03 (LNX 1266 2009-07-14) |
Hello,Mario Domenech Goulart raised the issue that the OpenSSL egg by default creates connections that can use any of the SSLv2, SSLv3 or TLSv1.x protocols, depending on the capabilities of the remote peer.
This default is not particularly secure, especially when considering the recently published exploits for the obsolete SSLv3 protocol.
Changing the default behaviour of the OpenSSL egg to TLS protocol only would prevent any real or potential issues with the legacy protocols. However, many SSL implementations apparently use SSLv2 handshakes with extensions for the sake of compatibility and with the changed default the OpenSSL egg would probably reject many valid connection attempts as a server and not be able to connect to some old servers as a client.
Other standard settings for the OpenSSL egg also err on the side of compatibility rather than security. For example, certificate verification is not enabled by default and the set of acceptable stream ciphers cannot even be modified, which is probably a bad idea for any serious security critical application.
So I would like to poll for opinions from people on this list concerning this situation. Do you think the default options in the OpenSSL egg should be "hardened"? Do you think more options should be introduced? Is compatibility with the rest of the internet a concern at all? ;-)
Ciao, Thomas -- When C++ is your hammer, every problem looks like your thumb.
| [Prev in Thread] | Current Thread | [Next in Thread] |