OpenSSL egg option defaults poll
Thomas Chust <chust <at> web.de>
2014-10-15 22:39:59 GMT
Mario Domenech Goulart raised the issue that the OpenSSL egg by default
creates connections that can use any of the SSLv2, SSLv3 or TLSv1.x
protocols, depending on the capabilities of the remote peer.
This default is not particularly secure, especially when considering the
recently published exploits for the obsolete SSLv3 protocol.
Changing the default behaviour of the OpenSSL egg to TLS protocol only
would prevent any real or potential issues with the legacy protocols.
However, many SSL implementations apparently use SSLv2 handshakes with
extensions for the sake of compatibility and with the changed default the
OpenSSL egg would probably reject many valid connection attempts as a
server and not be able to connect to some old servers as a client.
Other standard settings for the OpenSSL egg also err on the side of
compatibility rather than security. For example, certificate verification
is not enabled by default and the set of acceptable stream ciphers cannot
even be modified, which is probably a bad idea for any serious security
So I would like to poll for opinions from people on this list concerning
this situation. Do you think the default options in the OpenSSL egg should
be "hardened"? Do you think more options should be introduced? Is
compatibility with the rest of the internet a concern at all?
When C++ is your hammer, every problem looks like your thumb.