
Re: [reSIProcate] Question about last CipherList changes (StrongestSuite and ExportableSuite)



On 29/05/15 12:04, Dario Bozzali wrote:

> 
> I noticed that StrongestSuite and ExportableSuite CipherLists have been
> changed in last revision and that default value for CipherList in
> BaseSecurity is now StrongestSuite instead of ExportableSuite.
> 
> Could someone help me? Did someone execute similar tests using TLS with
> the last revision of reSIProcate library?
> 


The fundamental problem here is that:

a) when you specify ExportableSuite you are requesting the use of weak
ciphers that are permitted under (now changed) US export regulations and
you are also disabling strong ciphers.

b) new versions of OpenSSL don't actually allow the weakest ciphers,
they are disabled at compile time (unless you recompile OpenSSL or use
an older OpenSSL)

so you end up with a situation where the ciphers you chose by using
ExportableSuite are not active at all.

Maybe ExportableSuite should simply be dropped from the code given this
scenario?  People can still manually specify cipher lists as strings if
necessary for customization and compatibility with older OpenSSL and
related products.

Is there a specific reason you can't just use StrongestSuite?

http://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#Current_status
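
The situation described in this reply, where a cipher list resolves to nothing on the locally linked OpenSSL, can be checked before deployment. The following is an added example, not part of the original message and not reSIProcate code; the strings `EXPORT` and `HIGH:!aNULL:!eNULL` are standard OpenSSL cipher keywords used as stand-ins, because the actual values of StrongestSuite and ExportableSuite do not appear in this thread.

```python
import ssl

# Stand-in OpenSSL cipher strings (assumptions; reSIProcate's real
# StrongestSuite/ExportableSuite values are not shown in this thread).
SUITES = {
    "export-only": "EXPORT",
    "strong": "HIGH:!aNULL:!eNULL",
    "export-then-strong": "EXPORT:HIGH:!aNULL:!eNULL",
}

def resolve(cipher_string):
    """Return [(name, bits)] the linked OpenSSL enables for cipher_string.

    TLS 1.3 suites are skipped: OpenSSL configures them separately, so a
    cipher list string does not control them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # OpenSSL matched nothing: every requested cipher is compiled out.
        return []
    return [(c["name"], c["strength_bits"]) for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]

def audit(suites, min_bits=128):
    """Classify each suite as EMPTY, WEAK (some cipher < min_bits) or OK."""
    report = {}
    for label, spec in suites.items():
        ciphers = resolve(spec)
        if not ciphers:
            report[label] = "EMPTY"
        elif any(bits < min_bits for _, bits in ciphers):
            report[label] = "WEAK"
        else:
            report[label] = "OK"
    return report

if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for label, status in audit(SUITES).items():
        print(f"{label:20} {status:6} {len(resolve(SUITES[label]))} ciphers")
```

An `EMPTY` result for a configured suite means TLS handshakes using it will fail on that build, which is the symptom to look for when a server built against a newer OpenSSL still requests export-grade ciphers.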