module OpenSSL
Changes made by openssl/better_defaults
Miscellaneous resources
Rationale for disabling features
Reason         | Disabled features              | Notes
==============================================================================
               | SSL 2.0                        | https://tools.ietf.org/html/rfc6176
BEAST, LUCKY13 | SSL 3.0 Ciphers using CBC mode |
POODLE         | SSL 3.0                        |
RC4 weaknesses | All RC4-based ciphers          |
CRIME          | TLS Compression                | http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/
Note on CRIME/BREACH
Disabling TLS compression avoids CRIME at the TLS level. However, both CRIME and BREACH can also be used against HTTP compression, which is entirely outside the scope of this library.
See also, en.wikipedia.org/wiki/CRIME
Note on SSL/TLS versions
Instead of being able to specify a minimum SSL version, OpenSSL only lets you either enable an individual version, or enable everything. Individual options for disabling SSL 2.0 and SSL 3.0 are also available.
Thus, to enable TLS 1.0+ only, you have to:
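An added Ruby example (not the gem's own code) of the approach this note describes, extended to the compression and RC4 rows of the table: start from the default, version-flexible context and set the individual disabling options. The helper names `disable_mask`, `hardened_context` and `weak_settings` and the cipher string are assumptions made for the illustration.

```ruby
require "openssl"

# Option names matching the table rows. A build that does not define one
# of them contributes 0 instead of raising NameError.
DISABLE_OPTIONS = %i[OP_NO_SSLv2 OP_NO_SSLv3 OP_NO_COMPRESSION].freeze

# OR together every disabling option this OpenSSL build knows about.
def disable_mask
  DISABLE_OPTIONS.reduce(0) do |mask, name|
    mask | (OpenSSL::SSL.const_defined?(name) ? OpenSSL::SSL.const_get(name) : 0)
  end
end

# Hypothetical helper: the default context negotiates any protocol version
# ("enable everything"); the options then switch off SSL 2.0, SSL 3.0 and
# TLS compression individually, leaving TLS 1.0 and later.
def hardened_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.options = (ctx.options || 0) | disable_mask
  ctx.ciphers = "HIGH:!aNULL:!RC4" # assumed cipher string; removes all RC4 suites
  ctx
end

# Audit a context: return the table rows it still leaves enabled.
def weak_settings(ctx)
  opts = ctx.options || 0
  weak = DISABLE_OPTIONS.select do |name|
    next false unless OpenSSL::SSL.const_defined?(name)
    bit = OpenSSL::SSL.const_get(name)
    # A bit defined as 0 means the build has dropped the feature entirely.
    bit != 0 && (opts & bit) != bit
  end
  weak << :RC4 if ctx.ciphers.any? { |cipher| cipher[0].include?("RC4") }
  weak
end

if __FILE__ == $PROGRAM_NAME
  puts "default context:  #{weak_settings(OpenSSL::SSL::SSLContext.new).inspect}"
  puts "hardened context: #{weak_settings(hardened_context).inspect}"
end
```

What the default context reports depends on the OpenSSL build, since newer builds already disable some of these features; the hardened context should report nothing on any build.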