<div dir="ltr"><div>Hi Fred!<br></div><div><br></div><div>Agree that mapping functions are good. That is sort of what we like to accomplish with suite_to_str and we are working on the inverse. They will use the RFC-names that are more general and better documented. But most of the code to create the OpenSSL names exists so maybe we will expose that too as a utility function. Although we do not want to be dependent on OpenSSL configuration, we only want to have dependencies on its cryptolib. <br></div><div><br></div><div>Regards Ingela Erlang/OTP team - Ericsson AB<br></div><br><div class="gmail_quote"><div dir="ltr">On Fri, 4 Jan 2019 at 17:32, Fred Hebert &lt;<a href="mailto:mononcqc@ferd.ca">mononcqc@ferd.ca</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 01/04, Ingela Andin wrote:<br>
>Hi again!<br>
><br>
>Maybe I should add that using filters where you can access each logical<br>
>part of the cipher suite is a more powerful way to customize cipher suites<br>
>than regular expressions over complex strings.<br>
>Also see ssl User Guide <a href="http://erlang.org/doc/search/?q=ssl&x=0&y=0" rel="noreferrer" target="_blank">http://erlang.org/doc/search/?q=ssl&x=0&y=0</a> section<br>
>3.2<br>
><br>
<br>
Agreed, it's more powerful.<br>
<br>
But when working with established teams and policies, having a unique <br>
format just for Erlang tends to be problematic as non-standard. In some <br>
places where I've been, if you can't get the security team to approve <br>
the list, you are not greenlit to go to prod.<br>
<br>
It's much, much simpler to work with non-Erlang folks when we have a way <br>
to more easily communicate and review the lists -- mostly there may just <br>
be a list that will be adopted by all stacks, whether they're Erlang, <br>
Go, C#, Ruby, or servers like nginx, and so on.<br>
<br>
At least getting the direct mapping between both can be very useful to <br>
validate filtering rules and everything else :)<br>
</blockquote></div></div>
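<div>An added example, not part of the original thread or of OTP's own code: it selects cipher suites with filters on their logical parts, then maps the result to RFC names so it can be checked against a list a security team has approved. It assumes an OTP release whose ssl module exports suite_to_str/1; the module name, the function names and the approved list are constructed for illustration.</div>

```erlang
-module(suite_policy_check).
-export([filtered_suites/0, filtered_names/0, check/0]).

%% Constructed sample policy: RFC names as a security team might approve them.
approved() ->
    ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
     "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
     "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
     "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"].

%% Filters act on the logical parts of a suite (key exchange, cipher, MAC)
%% rather than on a pattern over the suite's name.
filters() ->
    [{key_exchange, fun(K) -> lists:member(K, [ecdhe_ecdsa, ecdhe_rsa]) end},
     {cipher,       fun(C) -> lists:member(C, [aes_128_gcm, aes_256_gcm]) end},
     {mac,          fun(M) -> M =:= aead end}].

%% Suites in Erlang's map format, suitable for the {ciphers, Suites} option.
filtered_suites() ->
    Default = ssl:cipher_suites(default, 'tlsv1.2'),
    ssl:filter_cipher_suites(Default, filters()).

%% The same suites under their RFC names, for review by non-Erlang teams.
filtered_names() ->
    [ssl:suite_to_str(S) || S <- filtered_suites()].

%% Compare what the filters select with the approved list, in both directions:
%% a suite outside the list is a policy violation, while an approved suite
%% that is missing shows the filters (or the local crypto library) are
%% narrower than the policy.
check() ->
    Names = filtered_names(),
    NotApproved = [N || N <- Names, not lists:member(N, approved())],
    Missing = [A || A <- approved(), not lists:member(A, Names)],
    case {NotApproved, Missing} of
        {[], []} -> ok;
        _ -> {mismatch, [{not_approved, NotApproved}, {missing, Missing}]}
    end.
```

<div>Running check/0 before passing filtered_suites/0 to the ciphers option makes the review step explicit: the security team reads RFC names, while the configuration keeps using filters.</div>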