[reSIProcate] Question about last CipherList changes (StrongestSuite and ExportableSuite)
Daniel Pocock
daniel at pocock.pro
Sat May 30 14:43:29 CDT 2015
On 29/05/15 12:04, Dario Bozzali wrote:
>
> I noticed that StrongestSuite and ExportableSuite CipherLists have been
> changed in last revision and that default value for CipherList in
> BaseSecurity is now StrongestSuite instead of ExportableSuite.
>
> Could someone help me? Did someone execute similar tests using TLS with
> the last revision of reSIProcate library?
>
The fundamental problem here is that:

a) when you specify ExportableSuite you are requesting the use of weak
ciphers that are permitted under (now changed) US export regulations and
you are also disabling strong ciphers.

b) new versions of OpenSSL don't actually allow the weakest ciphers,
they are disabled at compile time (unless you recompile OpenSSL or use
an older OpenSSL)

so you end up with a situation where the ciphers you chose by using
ExportableSuite are not active at all.

Maybe ExportableSuite should simply be dropped from the code given this
scenario? People can still manually specify cipher lists as strings if
necessary for customization and compatibility with older OpenSSL and
related products.

Is there a specific reason you can't just use StrongestSuite?

http://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#Current_status
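
A startup check for the situation described in the message above, added here as an example and not part of the original post or of reSIProcate: it asks the linked OpenSSL, through Python's `ssl` module, which suites a cipher string actually enables. The two cipher strings are assumed stand-ins, since the message does not quote the strings behind ExportableSuite and StrongestSuite.

```python
import ssl

# Assumed stand-ins: the page does not show the strings behind reSIProcate's
# ExportableSuite and StrongestSuite, so these OpenSSL cipher strings are
# illustrative only.
CANDIDATE_LISTS = {
    "export-only (stand-in for ExportableSuite)": "EXPORT",
    "strong (stand-in for StrongestSuite)": "HIGH:!aNULL:!eNULL",
}


def resolve_cipher_list(cipher_string):
    """Return the pre-TLS 1.3 suites the linked OpenSSL enables for cipher_string.

    TLS 1.3 suites are configured separately and stay enabled whatever the
    string says, so they are filtered out to show what the string itself selects.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # OpenSSL matched nothing: every suite named is compiled out or unknown.
        return []
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(candidates, min_bits=128):
    """Classify each list as 'empty', 'weak' (a suite under min_bits) or 'ok'."""
    report = {}
    for label, cipher_string in candidates.items():
        suites = resolve_cipher_list(cipher_string)
        if not suites:
            report[label] = "empty"
        elif min(c["strength_bits"] for c in suites) < min_bits:
            report[label] = "weak"
        else:
            report[label] = "ok"
    return report


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for label, verdict in audit(CANDIDATE_LISTS).items():
        print(f"{verdict:5}  {label}")
```

An "empty" verdict is the case from the message: the list names only suites that the OpenSSL build no longer contains, so no handshake below TLS 1.3 can be negotiated with it.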