[Pkg-openssl-devel] Bug#736287: ruby1.9.1: insecure SSL defaults (DES and unauthenticated ciphers)

brian m. carlson sandals at crustytoothpaste.net
Wed Jan 22 02:08:58 UTC 2014


On Tue, Jan 21, 2014 at 09:49:01PM -0300, Antonio Terceiro wrote:
> While this is fair enough, I tend to agree with Ruby upstream that if
> this is a problem in openssl, it should be fixed there and not in every
> SSL client that uses OpenSSL:
> 
> $ apt-cache rdepends libssl1.0.0 | wc -l
> 743

According to man ciphers(1ssl):

  DEFAULT
      the default cipher list. This is determined at compile time and,
      as of OpenSSL 1.0.0, is normally ALL:!aNULL:!eNULL. This must be
      the first cipher string specified.
  aNULL
      the cipher suites offering no authentication.

So the default in OpenSSL is not to offer cipher suites that don't
provide authentication.  Ruby must therefore be overriding this.  And
honestly, even if OpenSSL is stupid enough to offer low- and
export-strength ciphers, you should not.  Nobody uses them nowadays;
even in embargoed countries like Iran people have strong crypto.

Also, IO::Socket::SSL, the Perl module for SSL/TLS, does not suffer from
this vulnerability.  Try using lwp-request, for example, to visit the
test site.

> I am mostly clueless about SSL/TLS internals, but I suspect that if
> those ciphers are known to be insecure and are still supported by
> default, it is probably to keep compatibility with older servers out
> there? If we drop these insecure ciphers, which fraction of existing
> servers will not be interoperable with a secure SSL/TLS client?

Nobody has intentionally configured their server to support them.  Most
reputable companies consider their presence to be a security
vulnerability.  I am one of several people responsible for security
issues at work, and we do.  If you look at one of the recent entries at
[0] (for example, [1]) and go down to the Handshake Simulation page, all
of those clients, *even IE 6 on XP*, support strong, authenticated
128+-bit crypto.

Disabling these ciphers will not stop anybody from connecting to any
server that is reasonably configured (i.e. not intentionally configured
to provide only extremely weak security).

[0] https://www.ssllabs.com/ssltest/index.html
[1] https://www.ssllabs.com/ssltest/analyze.html?d=crustytoothpaste.net

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
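An added illustration of the point made in this thread, not code from the thread's authors or from Ruby or Debian: OpenSSL's own DEFAULT list already excludes aNULL and eNULL suites, so a client that still offers them has set its own cipher string. The script below audits cipher-suite names (a constructed list of names an old OpenSSL build could have offered, plus a live SSLContext) for unauthenticated, unencrypted, export-grade and single-DES suites, and shows a hardened context. The cipher string HARDENED_CIPHERS and the name-matching rules are this example's assumptions, not a recommendation from the thread.

```ruby
require 'openssl'

# Assumed hardened cipher string for this example: OpenSSL's DEFAULT
# (ALL:!aNULL:!eNULL) already drops unauthenticated and unencrypted
# suites; HIGH additionally leaves out LOW/EXPORT/single-DES suites.
HARDENED_CIPHERS = "HIGH:!aNULL:!eNULL".freeze

# Classify one OpenSSL cipher-suite name by its naming convention.
# Returns a reason symbol, or nil when the name raises no flag.
def weak_cipher_reason(name)
  return :eNULL  if name.include?("NULL")                # no encryption (eNULL)
  return :aNULL  if name.start_with?("ADH-", "AECDH-")   # anonymous DH/ECDH, no authentication
  return :export if name.start_with?("EXP-", "EXP1024-") # 40/56-bit export-grade keys
  return :des    if name.include?("DES-CBC-")            # single DES (3DES is named DES-CBC3-)
  nil
end

# Audit a list of suite names; returns { name => reason } for the weak ones.
def audit_cipher_names(names)
  names.each_with_object({}) do |n, bad|
    reason = weak_cipher_reason(n)
    bad[n] = reason if reason
  end
end

# Audit a live context. SSLContext#ciphers yields [name, version, bits, alg_bits].
def audit_context(ctx)
  audit_cipher_names(ctx.ciphers.map(&:first))
end

# A client context that offers only the hardened list and verifies the peer.
def hardened_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = HARDENED_CIPHERS
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER  # authenticate the server certificate too
  ctx
end

# Constructed sample: suite names an old OpenSSL build could have offered.
SAMPLE_NAMES = %w[
  ECDHE-RSA-AES128-GCM-SHA256 AES256-SHA DES-CBC3-SHA
  NULL-SHA ADH-AES128-SHA AECDH-NULL-SHA DES-CBC-SHA EXP-RC4-MD5
].freeze

if __FILE__ == $0
  puts "constructed list: #{audit_cipher_names(SAMPLE_NAMES)}"
  puts "ruby default ctx: #{audit_context(OpenSSL::SSL::SSLContext.new)}"
  puts "hardened ctx:     #{audit_context(hardened_context)}"
end
```

Running the script against the Ruby default context shows what the interpreter actually offers on the machine at hand; with a current OpenSSL the weak suites are not even compiled in, so only the constructed list produces findings. The name-based check is a quick audit aid; the authoritative filter is the cipher string itself.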