[Cryptography] OpenSSL minimal "safe" configuration?

Viktor Dukhovni cryptography at dukhovni.org
Wed Jan 13 18:16:24 EST 2016


> On Jan 13, 2016, at 5:20 PM, Ray Dillinger <bear at sonic.net> wrote:
> 
> I would argue that MD5, single-DES, and export-grade crypto are
> so poisonous at this point that anything depending on them needs
> to be terminated with extreme prejudice.  If it's required for
> TLS versions before 1.2, that is an indication that compatibility
> with TLS versions before 1.2 must be dropped like a hot rock.
> 
> If you want to make a fork named InsecureSSL that supports that stuff
> for backward compatibility, that would be fine. But it shouldn't
> be in the same tool people are using for secure operations.
> 
> I support Henry in his goal and would vastly prefer an OpenSSL that
> flatly refused to use known insecure algorithms.

You and Henry will be able to use that version of the software safely
on your own private Internet.

For the rest of the world, being able to communicate trumps all other
concerns, and if security breaks communication, security will be turned
off, not communication.

OpenSSL is getting improved, and weaker algorithms are being disabled
in default configurations, and refused when proposed inappropriately,
downgrade issues that are implementation errors (rather than protocol
issues) are getting fixed.

For now, default configurations will be vulnerable to mostly impractical
cost 2^67 attacks.  Upgrading the Internet so that only a negligible set
of peers support only SHA-1/MD5 will take a few years.  In the meantime
these will need to remain supported.  When communicating with a
known-to-be-TLSv1.2-capable peer, applications will be able to disable lower
protocol versions and disable weak signature algorithms.

Removing support for TLS 1.0/1.1 is not going to happen any time soon.
The real world sometimes imposes constraints one might not like.

-- 
	Viktor.
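An added example, not part of Viktor's message and not OpenSSL's own code: the last paragraph describes what an application can do once it knows its peer speaks TLSv1.2, namely refuse the lower protocol versions and the weak algorithm families named earlier in the thread. The block below does that through Python's `ssl` module (a thin binding over OpenSSL): it raises the minimum protocol version to TLS 1.2, installs a cipher list that excludes MD5, single/triple DES, RC4 and export suites, and checks the resulting context for any weak suite that slipped through. The cipher string and the weak-name markers are constructed for this example. Python exposes no API for restricting signature algorithms; in C that step is `SSL_CTX_set1_sigalgs_list()`, which this block does not cover.

```python
import ssl

# Cipher string constructed for this example: forward-secret AEAD suites only,
# with the families the thread calls out excluded explicitly.
HARDENED_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:"
    "!aNULL:!eNULL:!MD5:!DES:!3DES:!RC4:!EXPORT"
)

# Substrings of OpenSSL cipher names that mark the weak families (constructed list).
WEAK_MARKERS = ("MD5", "DES", "RC4", "EXP", "NULL")


def hardened_client_context() -> ssl.SSLContext:
    """Client context for peers known to support TLS 1.2 or later."""
    ctx = ssl.create_default_context()            # certificate + hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and 1.1
    ctx.set_ciphers(HARDENED_CIPHERS)             # TLS 1.2 suite list (TLS 1.3 suites are separate)
    return ctx


def weak_cipher_names(names) -> list:
    """Return the cipher names that belong to a weak family, in input order."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def enabled_weak_ciphers(ctx: ssl.SSLContext) -> list:
    """Check a live context: weak suites it would still offer or accept."""
    return weak_cipher_names(c["name"] for c in ctx.get_ciphers())


def permits_pre_tls12(ctx: ssl.SSLContext) -> bool:
    """True if the context would still negotiate a protocol older than TLS 1.2."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("minimum version:", ctx.minimum_version.name)
    print("enabled suites :", len(ctx.get_ciphers()))
    print("weak suites    :", enabled_weak_ciphers(ctx))
```

Use `hardened_client_context()` in place of `ssl.create_default_context()` only for connections whose peer is known to be TLSv1.2-capable; against the general Internet the message's point stands, and a context this strict will fail to connect to older peers rather than degrade.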