Le 2015-12-08 21:58, christos%astron.com@localhost a écrit :Why not supply the ! list (the ones you want to remove)... It is shorterand easier to understand and maintain...
I agree, much simpler! On 2015-12-09 08:30, Jean-Yves Migeon wrote:
I would dump 3DES and CAMELLIA (less review + hardware acceleration support) and also dump TLS 1.0 (SSL_OP_NO_TLSv1) due to BEAST.
Good catch, thank you!
Le 2015-12-08 23:23, Joerg Sonnenberger a écrit :I have some serious concerns about the cipher order. AES-GCM should onlybe used as default choice if there is hardware acceleration for it. The resistence against timing attacks is very questionable otherwise.This argument may apply to CBC with lucky 13, somehow. TBH the proposed modification does not make things worse compared to the previous state
This discussion made something apparent to me that I had not considered before.
Perhaps the cipher list should be supplied by a command line argument instead of
being compiled into base so that it can be chosen at runtime? If that sounds like a good choice, I will send an updated patch. Thank you all for your feedback, Travis Paul