naif <n...@globaleaks.org> added the comment:

Well, with your latest proposal 'HIGH:!aNULL:!eNULL:!SSLv2':
- MD5 was disabled
- IDEA was disabled
- SEED was disabled

Then we realized that RC4 could be a cipher to be left enabled, hence the new proposal starting from 'DEFAULT'.

While I don't like RC4 because it's not FIPS-140 compliant (https://www.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html), I understand that we may want to keep it.

I would suggest also keeping CAMELLIA and PSK disabled by default, because almost no one uses them; they are just in the standard, like many ciphers.

Generally speaking, as a concept to define a default we could:
- Start from a FIPS-140 compliant SSL stack
- Open some additional ciphers for compatibility reasons (for example RC4-SHA)

What do you think about such an approach?

-naif

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue13636>
_______________________________________
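An added example, not part of the comment above or of the Python patch under discussion: it asks the local OpenSSL which of the cipher families named in the comment a given cipher string leaves enabled. The function names are hypothetical, ':!CAMELLIA:!PSK' is one assumed way to spell the suggestion to keep those two disabled, and the output depends on the OpenSSL build Python is linked against.

```python
import re
import ssl

# Cipher families named in the comment above.
FAMILIES = ("RC4", "MD5", "IDEA", "SEED", "CAMELLIA", "PSK")


def enabled_ciphers(cipher_string):
    """Return the suite names the local OpenSSL enables for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def families_enabled(cipher_string):
    """Map each family in FAMILIES to the enabled suites that use it."""
    found = {family: [] for family in FAMILIES}
    for name in enabled_ciphers(cipher_string):
        # OpenSSL names look like ECDHE-RSA-CAMELLIA256-SHA384 or
        # TLS_AES_256_GCM_SHA384; match on whole tokens, not substrings.
        tokens = re.split(r"[-_]", name)
        for family in FAMILIES:
            if any(tok.startswith(family) for tok in tokens):
                found[family].append(name)
    return found


if __name__ == "__main__":
    proposal = "HIGH:!aNULL:!eNULL:!SSLv2"   # string quoted in the comment
    tightened = proposal + ":!CAMELLIA:!PSK"  # assumed spelling of the suggestion
    print(ssl.OPENSSL_VERSION)
    for label, string in (("proposal", proposal), ("tightened", tightened)):
        print(label, string)
        for family, suites in families_enabled(string).items():
            print("  %-8s %s" % (family, ", ".join(suites) or "disabled"))
```

TLS 1.3 suites are configured separately in OpenSSL, so they appear in the list regardless of the cipher string; none of them belongs to the families checked here.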