httpd-docs mailing list archives

From Jacob Champion <>
Subject Re: Requesting review for SSL how-to changes (r1757280)
Date Thu, 25 Aug 2016 22:09:32 GMT
On 08/25/2016 02:37 PM, Yann Ylavic wrote:
> I find this CipherSuite quite evolutive and unsurprising (key exchange
> algorithms don't change or are introduced too often, that's a
> euphemism :), if a cipher proves to be weak, add it to the :!END and
> be done (like RC4 and 3DES recently).

To be clear, I'm not arguing that forward-facing cipherstrings don't 
have advantages. They absolutely do, and I don't disagree with your points.

> Contrariwise with the exhaustive list method, if you upgrade e.g. from
> openssl 1.0 to 1.1 you have to figure out what the new strong ciphers
> are before adding them (like CHACHA/POLY1305, or CHACHA-GCM with
> libreSSL, or ..).

(Note that ChaCha/Poly is handled here already. But your point still 

I suspect that it's a matter of preference at this point. Since this is 
the "strong cipher recommendation", where it is (IMO) more important to 
ban weak ciphers than to enable the absolute latest and greatest, I'd 
rather have to do work on an upgrade to expand a whitelist than run the 
risk of missing an item in a blacklist. But that's just me.

Anyone else feel strongly one way or another?
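The allowlist-versus-denylist trade-off discussed in this thread can be checked mechanically rather than by eye. The script below is an added example, not code from the thread or from the httpd documentation; it assumes the `openssl` CLI is installed, and the two cipher strings and the weak-algorithm pattern list are constructed for illustration, not the documentation's own recommendation.

```shell
#!/bin/sh
# Expand an OpenSSL cipher string into the cipher names it actually enables.
# The result depends on the installed OpenSSL/LibreSSL version, which is exactly
# why a denylist-style string needs re-checking after an upgrade.
expand_ciphers() {
    openssl ciphers -v "$1" | awk '{ print $1 }'
}

# Read cipher names (one per line) on stdin and print the ones built on an
# algorithm treated as weak here (RC4, single/triple DES, NULL, export, MD5,
# anonymous key exchange). Returns 1 if any were found, 0 otherwise.
# Assumption: this pattern list is illustrative, not an authoritative policy.
find_weak() {
    weak=$(grep -E -i 'RC4|DES-CBC|NULL|EXP-|MD5|^ADH-|^AECDH-' || true)
    if [ -n "$weak" ]; then
        printf '%s\n' "$weak"
        return 1
    fi
    return 0
}

# Audit a cipher string: non-zero exit status means a weak cipher slipped in.
audit_cipherstring() {
    expand_ciphers "$1" | find_weak
}

# Ciphers enabled by the first string but not by the second, i.e. what a
# denylist lets through that an explicit allowlist would not.
ciphers_only_in_first() {
    a=$(mktemp); b=$(mktemp)
    expand_ciphers "$1" | sort > "$a"
    expand_ciphers "$2" | sort > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Constructed sample strings: a denylist-style string and an explicit allowlist.
DENYLIST='HIGH:!aNULL:!MD5:!RC4:!3DES'
ALLOWLIST='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305'

if command -v openssl >/dev/null 2>&1; then
    echo '== ciphers the denylist enables beyond the allowlist =='
    ciphers_only_in_first "$DENYLIST" "$ALLOWLIST"
    echo '== weak ciphers still enabled by the denylist (if any) =='
    audit_cipherstring "$DENYLIST"
fi
```

Run it after every OpenSSL upgrade: the first section shows what the denylist quietly gained, the second fails loudly if a weak cipher was never added to the `:!` list.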
