Date: Tue, 14 Oct 2014 08:36:43 -0700
From: Reed Loden <reed@...dloden.com>
To: oss-security@...ts.openwall.com
Subject: Re: Truly scary SSL 3.0 vuln to be revealed soon:

On Tue, 14 Oct 2014 08:23:23 -0700
Alex Gaynor <alex.gaynor@...il.com> wrote:

> At what point are we going to decide that it's absurd for every single TLS
> deployment to need to reconfigure everything in order to achieve strong
> security, and say that OpenSSL (or even Apache/Nginx/HAProxy/etc.) should
> just configure things reasonably out of the box?

I agree, but the OpenSSL folks have always been fairly resistant to
changing things that might "break compatibility", or at least it seems
that way.

This same type of argument came up when trying to get Ruby to use
better OpenSSL settings by default
(https://bugs.ruby-lang.org/issues/9424). Everybody wants to blame
somebody else. Nobody wants to possibly be on the hook when things
break.

~reed
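The "reconfigure everything" that Alex and Reed are talking about looks, in application code, like the first function below: the deployment has to set a protocol floor, switch off TLS compression and pick a cipher list by hand because it cannot rely on the library's defaults. This is an added example written for this page, not code from the thread, from OpenSSL or from the Ruby bug cited above; it uses Python's stdlib ssl module (the same pattern applies to any OpenSSL binding). The TLS 1.2 floor, the cipher string and the "lax" legacy configuration are assumptions made for the illustration, and the audit function is a simple policy check, not a substitute for testing the live listener.

```python
import ssl

# Policy assumed for this example: nothing below TLS 1.2 is acceptable.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
# Cipher string assumed for this example; it governs TLS 1.2 and earlier only
# (OpenSSL manages TLS 1.3 suites separately).
CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def hardened_context() -> ssl.SSLContext:
    """What a deployment sets by hand when it does not trust library defaults."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = MIN_VERSION          # rejects SSLv3, TLS 1.0 and TLS 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION       # TLS-level compression off
    ctx.set_ciphers(CIPHERS)                   # raises if nothing matches
    return ctx


def lax_context() -> ssl.SSLContext:
    """Constructed 'compatibility' configuration: lowers the floor to whatever
    the linked OpenSSL still supports and re-enables compression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    # Clear the flag via plain ints so the result is a valid option mask.
    ctx.options = int(ctx.options) & ~int(ssl.OP_NO_COMPRESSION)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return policy findings for a context; an empty list means it passes."""
    findings = []
    # MINIMUM_SUPPORTED (-2) and the SSLv3/TLS1.0/1.1 members all compare below TLSv1_2.
    if ctx.minimum_version < MIN_VERSION:
        findings.append("minimum protocol version below TLS 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    weak = [
        c["name"]
        for c in ctx.get_ciphers()
        if any(tag in c["name"] for tag in ("RC4", "MD5", "DES", "NULL"))
    ]
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_context()), ("lax", lax_context())):
        print(label, audit_context(ctx) or ["ok"])
```

Run stand-alone it prints the findings for both contexts. Note that on a current OpenSSL build the "lax" floor still cannot reach SSL 3.0, because the library no longer ships it; the audit reports the configured floor, which is the setting each deployment is being asked to get right on its own.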
