#1323 remove export cipher suites from OpenSSL preference list

closed-fixed
SSL/TLS (37)
5
2014-01-11
2014-01-09
Jeff Hodges
No

Curl, built against OpenSSL, currently includes export-strength cipher suites in its TLS ClientHello. This is problematic because those cipher suites use only 40-bit keys, making them easy to brute-force. 128-bit keys are the current minimum recommended key size.

This was found by using the latest released curl (7.34.0) to query https://www.howsmyssl.com/a/check

Discussion

  • Jeff Hodges - 2014-01-09

    I think something similar will happen when using nss, but I've not actually had the chance to confirm that.

  • Jeff Hodges - 2014-01-09

    From a naive glance at the code, and getting data from other users, it seems that curl is using whatever the TLS library gives it.

    This is causing users with SecureTransport builds to get NULL cipher suites (!).

  • Daniel Stenberg - 2014-01-09
    • assigned_to: Daniel Stenberg

  • Daniel Stenberg - 2014-01-09

    Thanks for the report. Will get to work!

  • Daniel Stenberg - 2014-01-09
    • summary: remove export cipher suites from preference list --> remove export cipher suites from OpenSSL preference list

  • Daniel Stenberg - 2014-01-10

    Using a cipher list like below at least removes the "Bad" grading from howsmyssl.com and changes it to "Improvable" (unclear what exactly that means). OpenSSL ciphers are documented here: http://www.openssl.org/docs/apps/ciphers.html

    ~~~~
    curl --ciphers 'ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4' https://www.howsmyssl.com/a/check
    ~~~~

    Last edit: Daniel Stenberg 2014-01-10
  • Jeff Hodges - 2014-01-10

    Yeah, that's just due to session tickets not being supported. Don't worry about it. It'll probably be removed Real Soon Now.

  • Daniel Stenberg - 2014-01-10

    I also posted this patch to the curl-library list for wider review/feedback.

  • Daniel Stenberg - 2014-01-11
    • status: open --> closed-fixed

  • Daniel Stenberg - 2014-01-11

    Thanks for your report. I've now pushed the change that changes the default list of ciphers as previously mentioned. Case closed!

