From: KOSAKI Motohiro
Date: 2014-01-27T18:57:54-05:00
Subject: [ruby-core:60148] Re: [ruby-trunk - Bug #9424] ruby 1.9 & 2.x has insecure SSL/TLS client defaults

On Sun, Jan 26, 2014 at 10:44 PM, wrote:
> Issue #9424 has been updated by Yusuke Endoh.
>
>
> Martin Bosslet wrote:
>> a) I want to apologize for overlooking this
>
> Ah, you don't need to apologize at all! I just wanted to clarify what is relieved and what is not.
>
>
>> Like @shyouhei, I still believe the best solution would be asking OpenSSL to fix this for all of us.
>
> Me too, but I'm curious about the reason why the OpenSSL people don't "improve" the defaults.
> (OT: an insecure default is not a bug itself; I'd like to use "improve" rather than "fix".)
>
> One possible answer: They are simply unable, due to various reasons such as compatibility, lack of resources, etc. They have the intention of doing that in the future. There is no problem in this case.
>
> Another answer: Their goal is just to provide a toolkit, and secure defaults are out of scope. In this case, they won't improve it. (I have no intention of blaming them. Deciding secure defaults is a hard task. The effort allocation looks quite reasonable to me.) Anyway, I'm afraid that just waiting will not solve our issue in this case.
>

I'm afraid I'm missing something, but I'd like to ask first: why does nobody ask OpenSSL first? Only they can answer about their intention. I don't think debating a guess on this list is a good idea.

I believe the best way is a fix by OpenSSL because, as you pointed out, neither Ruby nor OpenSSL can make the Ruby + old OpenSSL case secure. Therefore, a workaround for old OpenSSL is pointless.

I agree security is important, and Ruby has sometimes accepted a workaround patch and should do so in the future too, if we really need to. But I disagree with just continuing a guessing talk. Fixing the right place is always better than a workaround.

I hope my standpoint is close to yours.