Comment by fc417fc802
17 hours ago
I don't see the issue. "Anything that openssl actively supports" plus providing a default seems like an extremely reasonable stance to take.
17 hours ago
I don't see the issue. "Anything that openssl actively supports" plus providing a default seems like an extremely reasonable stance to take.
>reasonable stance
Within the last 12 months, I had to write a script for a buddy at work that turned off availability of freaking freaking 56 bit DES in OpenSSH, which was available because was provided by openssl. I'm certain it was still there to provide compatibility for something(s) critical out there that depends on it, and while I can't imagine why anybody would choose to use it, it's there and it's awful.
“Supported by OpenSSL” is not a seal of quality in any sense.
It still supports a bunch of outdated crap including (on my system) RC4, RC2(!) and DES (yes, the 56 bit key one, not just 3DES).
Fair point. But what I'm getting at is that if you aren't an expert on cryptography (and perhaps even if you are!) rather than imposing your personal preferences on others simply deferring to a trusted third party library can make a lot of sense.
So in addition to a sensible default I guess it would also be a good idea to tag choices that you believe to be outdated with a large warning. That way you haven't rolled your own crypto, you haven't forced your views on others, but you have done your best to enable end users to operate your tool in a sensible manner.