Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20141014083643.1e0ab89e.reed@reedloden.com>
Date: Tue, 14 Oct 2014 08:36:43 -0700
From: Reed Loden <reed@...dloden.com>
To: oss-security@...ts.openwall.com
Subject: Re: Truly scary SSL 3.0 vuln to be revealed soon:

On Tue, 14 Oct 2014 08:23:23 -0700
Alex Gaynor <alex.gaynor@...il.com> wrote:

> At what point are we going to decide that it's absurd for every single TLS
> deployment to need to reconfigure everything in order to achieve strong
> security, and say that OpenSSL (or even Apache/Nginx/HAProxy/etc.) should
> just configure things reasonably out of the box?

I agree, but the OpenSSL folks have always been fairly resistant to
changing things that might "break compatibility", or at least it seems
that way.

This same type of argument came up when trying to get Ruby to use
better OpenSSL settings by default
(https://bugs.ruby-lang.org/issues/9424). Everybody wants to blame
somebody else. Nobody wants to possibly be on the hook when things
break.

~reed

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.