Fri May 16 15:16:01 CEST 2014

On 16.05.2014, at 15:03, Hanno Böck <hanno at hboeck.de> wrote:
> how to have a cipher string that's good
> for old openssl versions, right?
> Well, I think this is rather pointless. Basically, if someone asks "How
> can I get better crypto on openssl 0.9.x?" then the only reasonable
> answer is "you don't".
The problem is that many distros still don't have OpenSSL 1.0.1 or some embedded systems/appliances/etc. can't be upgraded or just won't get any vendor love anymore. It is unlikely that those boxes will just get thrown out. So to cope with the terrible reality we really have to support 0.9.8 and “get the most out of it” to do any good. Our recommendation of course IS to upgrade to the latest and greatest [hmm…] cryptostack available.

Having a cipher string that will get the best out of 1.0.1 AND 0.9.8 has the added benefit for the admins that, should they upgrade their OpenSSL at some point (distro upgrade, etc.), they would automatically benefit from the better ciphers available there even if they neglect to update their cipher string.
