Re: [reSIProcate] Question about last CipherList changes (StrongestSuite and ExportableSuite)
Hi Daniel,
Thank you for your explanations. I was not aware of those details related to
ciphers and US export regulations. In the next few days I will change the default
value in my software using StrongestSuite and I will execute interoperability tests
with previous versions.
Best regards,
Dario
> On 30/May/2015, at 21:44, "Daniel Pocock" <daniel@xxxxxxxxxx> wrote:
>
>> On 29/05/15 12:04, Dario Bozzali wrote:
>>
>> I noticed that StrongestSuite and ExportableSuite CipherLists have been
>> changed in the last revision and that the default value for CipherList in
>> BaseSecurity is now StrongestSuite instead of ExportableSuite.
>>
>> Could someone help me? Did someone execute similar tests using TLS with
>> the last revision of reSIProcate library?
>
> The fundamental problem here is that:
>
> a) when you specify ExportableSuite you are requesting the use of weak
> ciphers that are permitted under (now changed) US export regulations and
> you are also disabling strong ciphers.
>
> b) new versions of OpenSSL don't actually allow the weakest ciphers,
> they are disabled at compile time (unless you recompile OpenSSL or use
> an older OpenSSL)
>
> so you end up with a situation where the ciphers you chose by using
> ExportableSuite are not active at all.
>
> Maybe ExportableSuite should simply be dropped from the code given this
> scenario? People can still manually specify cipher lists as strings if
> necessary for customization and compatibility with older OpenSSL and
> related products.
>
> Is there a specific reason you can't just use StrongestSuite?
>
> http://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#Current_status
>
> _______________________________________________
> resiprocate-devel mailing list
> resiprocate-devel@xxxxxxxxxxxxxxx
> https://list.resiprocate.org/mailman/listinfo/resiprocate-devel
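
An added example, not part of the thread or of reSIProcate's code: a Python check (Python's `ssl` module uses the local OpenSSL build) of whether a cipher string still resolves to any cipher suites, which is the situation described for ExportableSuite above. The two cipher strings are assumed stand-ins built from OpenSSL keywords, not reSIProcate's actual StrongestSuite and ExportableSuite definitions.

```python
import ssl

# Assumed stand-ins (OpenSSL cipher-string keywords), NOT the strings
# that reSIProcate defines for ExportableSuite / StrongestSuite.
CANDIDATES = {
    "export-only (assumed)": "EXPORT",
    "strong-only (assumed)": "HIGH:!aNULL:!eNULL:!MD5:!RC4",
}


def resolve_ciphers(cipher_string):
    """Return the TLS 1.2-and-below suites the local OpenSSL enables for
    cipher_string, or [] if the string selects nothing on this build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # OpenSSL reports "no cipher match": every suite the string asks
        # for is unknown to, or compiled out of, this OpenSSL build.
        return []
    # TLS 1.3 suites are configured separately from the cipher string,
    # so they are excluded from the result.
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def audit(candidates):
    """Map each label to whether its cipher string is usable here."""
    report = {}
    for label, cipher_string in candidates.items():
        names = resolve_ciphers(cipher_string)
        report[label] = {"usable": bool(names), "suites": names}
    return report


if __name__ == "__main__":
    print("Linked against:", ssl.OPENSSL_VERSION)
    for label, result in audit(CANDIDATES).items():
        state = "OK" if result["usable"] else "NO ACTIVE CIPHERS"
        print(f"{label:24} {state:18} {len(result['suites'])} suites")
```

Running the same check in a startup self-test or CI job catches a configured cipher list that the deployed OpenSSL silently cannot satisfy.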