[Cryptography] OpenSSL minimal "safe" configuration?

John Gilmore gnu at toad.com
Mon Jan 18 15:35:12 EST 2016


>>> But I really, really object to the idea that being compatible with
>>> insecure crap should be the *DEFAULT* configuration

I am sympathetic, but have just had two experiences that suggest
slash-and-burn-the-insecure-crap may not be the best approach.

I am having trouble with ssh-ing to various boxes around my office now
that I've "upgraded" the security of ssh to avoid low security D-H.
Turns out that many embedded systems are not interoperable with
curve25519, so if you disable ssh-ing out with low security stuff,
rather than just making curve25519 the preferred default, ssh
connections fail.

Similarly, some people are now having trouble sending me email,
because my MTA doesn't use the latest Diffie-Hellman parameters.
STARTTLS, as implemented in the field, has this curious attribute that
if the command is not recognized, the mail gets delivered in
plaintext; but if the command is recognized and then the SSL
negotiation fails, the mail is not delivered, remains queued at the
sender, and is eventually dropped.  When email senders disable older
D-H parameters, they don't fall back to plaintext, they create an
inability to communicate.

All this takes even more sysadmin and debugging time than the initial
investment of ten minutes required to "cut the insecure crap" -- and
may require reverting to using insecure crap some of the time.

	John
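Added example, not part of John's message or of any project mentioned in it: a small Python model of the two failure modes described above. Key-exchange selection follows the SSH rule (RFC 4253 section 7.1: the first algorithm on the client's list that the server also supports), and the STARTTLS logic captures the fail-closed behaviour of opportunistic TLS. The algorithm names are real OpenSSH kex names, but the embedded box's capability list, the scripted EHLO replies and the pluggable handshake callback are constructed for illustration.

```python
"""Model of the two interoperability failures described in the post.

1. SSH key exchange: the client's preference order decides.  Listing
   curve25519 first but keeping a legacy group as fallback still talks to
   an old embedded box; removing the legacy group entirely fails.
2. Opportunistic STARTTLS: no STARTTLS in the EHLO reply means plaintext
   delivery; STARTTLS offered but a failed handshake means the sender does
   not fall back to plaintext, the message is deferred and stays queued.

Server capability lists, EHLO replies and the handshake callback are
constructed for this example.
"""

from dataclasses import dataclass
from typing import Callable, Optional, Sequence


def negotiate_kex(client_prefs: Sequence[str],
                  server_supported: Sequence[str]) -> Optional[str]:
    """Return the first algorithm in client preference order that the
    server also supports (RFC 4253 section 7.1).  None means no common
    algorithm, i.e. the connection fails."""
    for alg in client_prefs:
        if alg in server_supported:
            return alg
    return None


@dataclass
class Delivery:
    outcome: str   # "plaintext", "tls" or "deferred"
    reason: str


def deliver_opportunistic(ehlo_lines: Sequence[str],
                          start_tls: Callable[[], bool]) -> Delivery:
    """Decide what an opportunistic-TLS sender does after reading the
    server's EHLO reply.  start_tls attempts the handshake and returns
    True on success; it is a callback so the failure path can be driven
    without a real TLS stack."""
    advertised = any(line.upper().endswith("STARTTLS") for line in ehlo_lines)
    if not advertised:
        # Command not offered: the client never asks for TLS at all.
        return Delivery("plaintext", "server did not advertise STARTTLS")
    if start_tls():
        return Delivery("tls", "STARTTLS handshake succeeded")
    # The sender has already committed to TLS on this session.  A failed
    # handshake is treated as a temporary failure: no plaintext fallback,
    # the message stays in the queue and is retried until it expires.
    return Delivery("deferred",
                    "STARTTLS advertised but handshake failed; message stays queued")


# Constructed sample data.
LEGACY_BOX = ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]
PREFER_MODERN = ["curve25519-sha256", "diffie-hellman-group14-sha1"]
ONLY_MODERN = ["curve25519-sha256"]

EHLO_NO_TLS = ["250-mail.example.test", "250 SIZE 10240000"]
EHLO_TLS = ["250-mail.example.test", "250-SIZE 10240000", "250 STARTTLS"]


def demo() -> dict:
    """Run every scenario and return the outcomes keyed by scenario name."""
    return {
        "ssh_prefer_modern": negotiate_kex(PREFER_MODERN, LEGACY_BOX),
        "ssh_only_modern": negotiate_kex(ONLY_MODERN, LEGACY_BOX),
        "smtp_no_starttls": deliver_opportunistic(EHLO_NO_TLS, lambda: False).outcome,
        "smtp_starttls_ok": deliver_opportunistic(EHLO_TLS, lambda: True).outcome,
        "smtp_starttls_fail": deliver_opportunistic(EHLO_TLS, lambda: False).outcome,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The SSH half shows the difference between making curve25519 the preferred default and making it the only option: the legacy box still negotiates group14 in the first case and gets nothing in the second. The SMTP half shows why a stricter receiver does not simply downgrade senders to plaintext.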

