From: Bill Kelly
Date: 2014-01-22T00:57:03-08:00
Subject: [ruby-core:59969] Re: [ruby-trunk - Bug #9424] ruby 1.9 & 2.x has insecure SSL/TLS client defaults

shyouhei@ruby-lang.org wrote:
>
> We are amateur about security. It might be possible to change
> something, then we have no idea what happens with that modification
> and even worse, we cannot maintain that bit when security research
> develops and turned out our change was in fact ill.

I am also an amateur. But I read the logic of your statement above as being in favor of discarding security research that /already exists/ about the weak ciphers and protocol versions.

But: if we are to disregard current research, should not the reason given be something other than concern over possible future research?

With regard to maintenance, could it be useful to incorporate a check like https://gist.github.com/cscotta/8302049 in the form of an automated test which can be run by maintainers prior to the release of a new version of ruby?

The idea being that such a test may assist in proactively warning maintainers if/when further improvements to ruby's OpenSSL defaults are warranted.

Regards,

Bill
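An added example, not code from the thread or from the linked gist: a pre-release check of the kind Bill proposes, which applies Ruby's own SSLContext DEFAULT_PARAMS to a fresh context and reports weak ciphers, a non-verifying verify_mode, and enabled TLS compression. The weak-cipher patterns and the 128-bit floor are this example's assumptions, not values from the thread.

```ruby
require 'openssl'

# Cipher names a maintainer would not want in a default client list
# (assumed thresholds for this example, not values from the thread).
WEAK_CIPHER_PATTERNS = [
  /NULL/,             # no encryption
  /RC4/,              # broken stream cipher
  /EXP/,              # export-grade key sizes
  /\bDES-CBC-SHA\b/,  # single DES (does not match DES-CBC3-SHA)
  /MD5/,              # MD5-based MAC
  /ADH|AECDH|anon/    # anonymous key exchange: no peer authentication
].freeze
MIN_CIPHER_BITS = 128

# cipher_list has the shape of SSLContext#ciphers:
# [[name, version, bits, alg_bits], ...]. Pure function, so it can be
# unit-tested with a constructed list independent of the local OpenSSL.
def weak_cipher_findings(cipher_list)
  cipher_list.each_with_object([]) do |(name, _version, bits, _alg_bits), findings|
    if WEAK_CIPHER_PATTERNS.any? { |re| name =~ re }
      findings << "weak cipher enabled: #{name}"
    elsif bits < MIN_CIPHER_BITS
      findings << "cipher below #{MIN_CIPHER_BITS} bits enabled: #{name} (#{bits})"
    end
  end
end

# Audits a context after Ruby's DEFAULT_PARAMS are applied, i.e. what a
# client gets from SSLContext#set_params with no arguments.
def audit_default_ssl_context(ctx = OpenSSL::SSL::SSLContext.new)
  ctx.set_params # applies OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
  findings = weak_cipher_findings(ctx.ciphers)
  if ctx.verify_mode != OpenSSL::SSL::VERIFY_PEER
    findings << "default verify_mode is not VERIFY_PEER"
  end
  if (ctx.options & OpenSSL::SSL::OP_NO_COMPRESSION).zero?
    findings << "TLS compression not disabled (OP_NO_COMPRESSION unset)"
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  problems = audit_default_ssl_context
  puts(problems.empty? ? "OK: no weak SSL/TLS client defaults detected" : problems)
end
```

In a maintainer test suite the assertion would simply be that audit_default_ssl_context returns an empty array, so a bump of the bundled OpenSSL or of DEFAULT_PARAMS that re-enables something weak fails the build.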