[Cryptography] OpenSSL minimal "safe" configuration?

Paul Wouters paul at cypherpunks.ca
Tue Jan 19 00:13:05 EST 2016


On Mon, 18 Jan 2016, John Gilmore wrote:

> I am sympathetic, but have just had two experiences that suggest
> slash-and-burn-the-insecure-crap may not be the best approach.
>
> I am having trouble with ssh-ing to various boxes around my office now
> that I've "upgraded" the security of ssh to avoid low security D-H.
> Turns out that many embedded systems are not interoperable with
> curve25519, so if you disable ssh-ing out with low security stuff,
> rather than just making curve25519 the preferred default, ssh
> connections fail.

RSA should not be disabled, only DSS. And yes, I had similar issues
where the ssh client went from doing dss keys to not doing dss keys
without any kind of warning for me to upgrade my keys, thereby locking
me out of several boxes (since I don't allow password authentication)
until I added this to my .ssh/config file:

	Host *
	    PubkeyAcceptedKeyTypes=+ssh-dss

So that at least I could generate a new RSA key and update all my
machines. openssh should have really had a few versions where they
gave a clear warning about disabling this key in the future.

> Similarly, some people are now having trouble sending me email,
> because my MTA doesn't use the latest Diffie-Hellman parameters.
> STARTSSL, as implemented in the field, has this curious attribute that
> if the command is not recognized, the mail gets delivered in
> plaintext; but if the command is recognized and then the SSL
> negotiation fails, the mail is not delivered, remains queued at the
> sender, and is eventually dropped.  When email senders disable older
> D-H parameters, they don't fall back to plaintext, they create an
> inability to communicate.

I'll leave that to Viktor to explain :)

Paul
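A defender-side check for the lock-out described above, added here as an example and not code from the post or from OpenSSH: it scans authorized_keys / known_hosts style entries for ssh-dss keys, cross-checks the declared key type against the type embedded in the base64 blob, and (as an assumed local policy, not something the post states) flags RSA moduli shorter than 2048 bits, so keys can be rotated before a client upgrade silently refuses them. The sample entries are constructed in the script with toy parameters and are not real keys.

```python
"""Audit OpenSSH authorized_keys / known_hosts entries for key types that newer
clients refuse. Added example; constructed sample data, not real keys."""
import base64
import struct

DEPRECATED_KEY_TYPES = {"ssh-dss"}   # disabled by default in OpenSSH 7.0+ clients
MIN_RSA_BITS = 2048                   # assumed local policy, not from the post
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ssh_string(data):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    """RFC 4251 'mpint' for a non-negative integer (leading 0x00 keeps it positive)."""
    if n == 0:
        return _ssh_string(b"")
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_blob(b64):
    """Decode a wire-format public key blob; report its embedded type and,
    for ssh-rsa, the modulus size in bits."""
    raw = base64.b64decode(b64)
    ktype, off = _read_string(raw, 0)
    info = {"type": ktype.decode("ascii")}
    if info["type"] == "ssh-rsa":
        _e, off = _read_string(raw, off)   # public exponent
        n, _ = _read_string(raw, off)      # modulus
        info["bits"] = int.from_bytes(n, "big").bit_length()
    return info


def audit_line(line):
    """Return None for blank/comment lines, else {'declared': type, 'findings': [...]}.
    Options containing quoted spaces (e.g. command="...") are not handled."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_TYPE_PREFIXES):
            declared, blob = tok, tokens[i + 1]
            break
    else:
        return {"declared": None, "findings": ["unparseable line"]}
    try:
        info = inspect_blob(blob)
    except (ValueError, struct.error):
        return {"declared": declared, "findings": ["corrupt key blob"]}
    findings = []
    if info["type"] != declared:
        findings.append("declared %s but blob is %s" % (declared, info["type"]))
    if declared in DEPRECATED_KEY_TYPES:
        findings.append("ssh-dss: rotate to RSA or Ed25519 before clients refuse it")
    if info.get("bits", MIN_RSA_BITS) < MIN_RSA_BITS:
        findings.append("RSA modulus only %d bits" % info["bits"])
    return {"declared": declared, "findings": findings}


def audit(lines):
    """List (line_index, declared_type, findings) for every line with findings."""
    report = []
    for idx, line in enumerate(lines):
        result = audit_line(line)
        if result and result["findings"]:
            report.append((idx, result["declared"], result["findings"]))
    return report


def sample_lines():
    """Constructed authorized_keys entries with toy parameters (NOT real keys)."""
    enc = lambda b: base64.b64encode(b).decode()
    dss = _ssh_string(b"ssh-dss") + b"".join(_ssh_mpint(v) for v in (23, 11, 2, 8))
    rsa_small = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << 1023) | 1)
    rsa_ok = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << 2047) | 1)
    ed = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x01" * 32)
    return [
        "# constructed sample",
        "ssh-dss %s legacy@oldbox" % enc(dss),
        'from="10.0.0.0/8" ssh-rsa %s admin@laptop' % enc(rsa_small),
        "ssh-rsa %s admin@laptop" % enc(rsa_ok),
        "ssh-ed25519 %s admin@laptop" % enc(ed),
        "ssh-rsa %s mislabelled@host" % enc(ed),
    ]


if __name__ == "__main__":
    for idx, declared, findings in audit(sample_lines()):
        print("line %d (%s): %s" % (idx, declared, "; ".join(findings)))
```

Run it against a real file with `audit(open(path).read().splitlines())`; the type cross-check matters because OpenSSH trusts the blob, not the label, when deciding which algorithm a key uses.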