#1324 curl built with SecureTransport includes support for NULL ciphersuites in ClientHello

closed-fixed
SSL/TLS (37)
5
2014-01-10
2014-01-09
No

(Copied from http://openradar.appspot.com/radar?id=4788972823773184 with permission)

The version of curl, and presumably libcurl, bundled with Mavericks includes support for insecure ciphersuites in the ClientHello by default. These ciphersuites provide no confidentiality of the communications used.

Ideally the client will only support ciphersuites which provide confidentiality.

Steps to Reproduce:

  1. Using howsmyssl.com, get a list of the ciphersuites provided in the ClientHello

    curl https://www.howsmyssl.com/a/check

  2. Check the resulting JSON for given_cipher_suites and insecure_cipher_suites

Expected Results:
insecure_cipher_suites should be empty, and the given_cipher_suites list should only contain ciphersuites that provide confidentiality and integrity protection.

Actual Results:
The cipher suites actually include:

    "TLS_PSK_WITH_NULL_SHA384",
    "TLS_PSK_WITH_NULL_SHA256",
    "TLS_PSK_WITH_NULL_SHA",
    "TLS_RSA_WITH_NULL_SHA256"

The NULL ciphersuite shouldn't be included by default.

Version:
OSX 10.9.1
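
The check in step 2 can be automated. The script below is an added example, not part of the original report or of curl: it parses a saved response from the check URL and lists every offered suite whose bulk cipher is NULL. The sample response is constructed from the suite names quoted above, and the name-to-reasons shape of insecure_cipher_suites is an assumption.

```python
import json

# Constructed sample of a /a/check response (not captured output). The four
# NULL suites are the ones quoted in the report; the AES suite is added for
# contrast. The name -> reasons shape of insecure_cipher_suites is an assumption.
SAMPLE_RESPONSE = json.dumps({
    "given_cipher_suites": [
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_PSK_WITH_NULL_SHA384",
        "TLS_PSK_WITH_NULL_SHA256",
        "TLS_PSK_WITH_NULL_SHA",
        "TLS_RSA_WITH_NULL_SHA256",
    ],
    "insecure_cipher_suites": {
        "TLS_RSA_WITH_NULL_SHA256": ["constructed reason: no encryption"],
    },
})


def bulk_cipher(suite):
    """Return the cipher part of a TLS_<kx>_WITH_<cipher>_<mac> name, or None."""
    _, sep, rest = suite.partition("_WITH_")
    if not sep:
        return None  # signalling values such as TLS_EMPTY_RENEGOTIATION_INFO_SCSV
    cipher, _, _mac = rest.rpartition("_")
    return cipher or rest


def audit(response_text):
    """List offered suites with no confidentiality, plus those the service flagged."""
    data = json.loads(response_text)
    offered = data.get("given_cipher_suites", [])
    null_suites = [s for s in offered if bulk_cipher(s) == "NULL"]
    # sorted() yields the names whether the field is a dict or a list.
    flagged = sorted(data.get("insecure_cipher_suites") or [])
    # NULL suites found by name that the service did not flag itself.
    unflagged = [s for s in null_suites if s not in flagged]
    return {"null_suites": null_suites, "flagged": flagged, "unflagged": unflagged}


if __name__ == "__main__":
    result = audit(SAMPLE_RESPONSE)
    for name in result["null_suites"]:
        print("no confidentiality:", name)
    # Non-zero exit lets a build or fleet check fail when such suites are offered.
    raise SystemExit(1 if result["null_suites"] or result["flagged"] else 0)
```

To check a real client, save the output of the curl command from step 1 to a file and pass its contents to audit() in place of the sample.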

Discussion

    Daniel Stenberg - 2014-01-10
    • status: open --> pending
     
    Daniel Stenberg - 2014-01-10

    Cannot repeat, believed to already be fixed. See:

    http://curl.haxx.se/mail/lib-2014-01/0090.html

     
    Daniel Stenberg - 2014-01-10
    • status: pending --> closed-fixed
     