Re: [Chicken-users] OpenSSL egg option defaults poll
From: Thomas Chust
Subject: Re: [Chicken-users] OpenSSL egg option defaults poll
Date: Sun, 26 Oct 2014 19:58:22 +0100 (CET)
User-agent: Alpine 2.03 (LNX 1266 2009-07-14)
On Thu, 16 Oct 2014, Thomas Chust wrote:
> [...]
> So I would like to poll for opinions from people on this list concerning this
> situation. Do you think the default options in the OpenSSL egg should be
> "hardened"? Do you think more options should be introduced? Is compatibility
> with the rest of the internet a concern at all? ;-)
> [...]
Hello,
judging by the responses you wrote, there seems to be an interest in more
secure defaults indeed.
I looked over the OpenSSL egg API again to see how it could be improved
with better default options and figured that some additional constructor
parameters would be useful but there were already too many optional
parameters in my opinion.
Therefore I took another route: The existing procedures keep their current
defaults, but there is a new set of object constructors that uses only
keyword arguments and configures things in a more secure way by default.
The latest SVN trunk of the OpenSSL egg includes the following additions:
[parameter] ssl-default-certificate-authority-directory
Holds the default directory with acceptable certificate authorities.
[procedure] (ssl-make-client-context* #!key
((protocol <symbol>) 'tls) ((cipher-list <string|list>) "HIGH")
((certificate-authorities <string>) #f)
((certificate-authority-directory <string>) #f)
((verify? <boolean>) #t))
Creates a new client context. Defaults to TLS protocol using only
ciphers marked as strong. Loads the certificate authorities from the
default directory unless other sources are specified and switches
server certificate verification on by default.
[procedure] (ssl-connect* #!key
(hostname <string>) (port <exact>)
((protocol <symbol>) 'tls) ((cipher-list <string|list>) "HIGH")
((certificate-authorities <string>) #f)
((certificate-authority-directory <string>) #f)
((verify? <boolean>) #t))
Connects to a server using the same defaults as
ssl-make-client-context*.
[procedure] (ssl-listen* #!key
(hostname <string>) ((port <exact>) #f) ((backlog <exact>) 4)
((protocol <symbol>) 'tls) ((cipher-list <string|list>) "HIGH")
(certificate <string>) (private-key <string>)
((private-key-rsa? <boolean>) #t)
((private-key-asn1? <boolean>) #f)
((certificate-authorities <string>) #f)
((certificate-authority-directory <string>) #f)
((verify? <boolean>) #t))
Creates a listener. Defaults to TLS protocol using only ciphers marked
as strong. Loads the certificate authorities from the default
directory unless other sources are specified but doesn't switch client
certificate verification on by default. Advertises the certificates
loaded via the certificate-authorities argument to the client.
I'd be glad if some of you could test this out and tell me what you think
about it :-)
Ciao,
Thomas
--
When C++ is your hammer, every problem looks like your thumb.
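As an added usage example (not code from the post above, nor from the openssl egg itself), here is how the keyword-argument constructors described in the message could be used from CHICKEN 4. It assumes the egg's SVN trunk from the time of the post is installed, that ssl-connect* returns the same two values as the existing ssl-connect (an input port and an output port), that the existing ssl-accept and ssl-close procedures work on a listener created by ssl-listen*, and that the certificate and key file names shown are placeholders for files on the machine.

```scheme
;; Added example for the keyword-argument constructors announced in the
;; post above.  Not code from the post or from the openssl egg itself.
;; Assumptions: CHICKEN 4 with the egg's SVN trunk installed; ssl-connect*
;; returns two values (input port, output port) like ssl-connect; the
;; existing ssl-accept and ssl-close work on a listener from ssl-listen*.
(use openssl extras)

;; Client: fetch the HTTP status line over TLS.  Nothing is overridden, so
;; the defaults apply: protocol 'tls, cipher-list "HIGH", CAs loaded from
;; ssl-default-certificate-authority-directory, server certificate
;; verification on.  ca-file lets a private CA bundle be supplied instead
;; of turning verification off.
(define (https-status-line host #!key (port 443) (ca-file #f))
  (receive (in out) (ssl-connect* hostname: host port: port
                                  certificate-authorities: ca-file)
    (display (string-append "HEAD / HTTP/1.0\r\nHost: " host "\r\n\r\n") out)
    (flush-output out)
    (let ((status (read-line in)))
      (close-output-port out)
      (close-input-port in)
      status)))

;; A chain that does not validate against the loaded CAs should surface as
;; an error, not degrade into an unverified session: report it, return #f,
;; and never retry with verify?: #f.
(define (try-https-status-line host #!rest args)
  (condition-case (apply https-status-line host args)
    (e (exn)
       (fprintf (current-error-port) "~a: TLS connect/verify failed: ~a~%"
                host ((condition-property-accessor 'exn 'message) e))
       #f)))

;; Server: TLS listener with the same protocol/cipher defaults.  On the
;; server side client certificate verification stays off by default; pass
;; verify?: #t plus the CA that signed the client certificates to require
;; them (that CA list is also advertised to the client, as the post says).
;; "server.pem", "server.key" and "client-ca.pem" are placeholder paths.
;; The key is assumed to be an RSA key in PEM form, matching the defaults
;; private-key-rsa? #t and private-key-asn1? #f.
(define (serve-one-hello port #!key (require-client-cert? #f)
                                    (client-ca "client-ca.pem"))
  (let ((listener (ssl-listen* hostname: "127.0.0.1" port: port
                               certificate: "server.pem"
                               private-key: "server.key"
                               verify?: require-client-cert?
                               certificate-authorities:
                                 (and require-client-cert? client-ca))))
    (receive (in out) (ssl-accept listener)
      (display "hello over TLS\r\n" out)
      (flush-output out)
      (close-output-port out)
      (close-input-port in))
    (ssl-close listener)))

;; Usage (network access required):
;; (try-https-status-line "www.example.org")
;; (try-https-status-line "intranet.example" ca-file: "corp-ca.pem")
;; (serve-one-hello 8443 require-client-cert?: #t)
```

The point of the wrapper is that with verify? on by default a bad or untrusted chain raises a condition; the only safe response to that is to fail loudly, not to fall back to the older procedures or to verify?: #f. The post says verify? switches server certificate verification on; whether the certificate's name is also matched against the hostname argument is not stated there, so check the egg's documentation before relying on that.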