From: Bill Kelly <billk@...>
Date: 2014-01-22T00:57:03-08:00
Subject: [ruby-core:59969] Re: [ruby-trunk - Bug #9424] ruby 1.9 & 2.x has insecure SSL/TLS client defaults

shyouhei@ruby-lang.org wrote:
> 
> We are amateur about security.  It might be possible to change
> something, then we have no idea what happens with that modification
> and even worse, we cannot maintain that bit when security research
> develops and turned out our change was in fact ill.

I am also an amateur.  But I read the logic of your statement above as
being in favor of discarding security research that /already exists/
about the weak ciphers and protocol versions.

But: if we are to disregard current research, should not the reason given
be something other than concern over possible future research?


With regard to maintenance, could it be useful to incorporate a check
like https://gist.github.com/cscotta/8302049 in the form of an automated
test which can be run by maintainers prior to the release of a new version
of ruby?  The idea being that such a test may assist in proactively warning
maintainers if/when further improvements to ruby's OpenSSL defaults are
warranted.



Regards,

Bill