[Pkg-openssl-devel] Bug#736287: ruby1.9.1: insecure SSL defaults (DES and unauthenticated ciphers)
Kurt Roeckx
kurt at roeckx.be
Wed Jan 22 08:20:13 UTC 2014
On Wed, Jan 22, 2014 at 02:08:58AM +0000, brian m. carlson wrote:
> On Tue, Jan 21, 2014 at 09:49:01PM -0300, Antonio Terceiro wrote:
> > While this is fair enough, I tend to agree with Ruby upstream that if
> > this is a problem in openssl, it should be fixed there and not in every
> > SSL client that uses OpenSSL:
> >
> > $ apt-cache rdepends libssl1.0.0 | wc -l
> > 743
>
> According to man ciphers(1ssl):
>
> DEFAULT
>     the default cipher list. This is determined at compile time and,
>     as of OpenSSL 1.0.0, is normally ALL:!aNULL:!eNULL. This must be
>     the first cipher string specified.
> aNULL
>     the cipher suites offering no authentication.
>
> So the default in OpenSSL is not to offer cipher suites that don't
> provide authentication. Ruby must therefore be overriding this.
You might also want to read:
http://openssl.6102.n7.nabble.com/openssl-org-3231-default-ciphers-include-insecure-export-cipher-suites-td48106.html
Kurt
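The thread turns on two facts: OpenSSL's compiled-in DEFAULT string (ALL:!aNULL:!eNULL) already drops unauthenticated and null-encryption suites, and a client library only ends up offering them if it replaces that string with its own. The Ruby script below is an added example, not code from this bug report, from Ruby upstream or from the OpenSSL project: it feeds a cipher string to an OpenSSL::SSL::SSLContext, asks OpenSSL which suites actually survive, and flags the classes the bug title names (anonymous DH/ECDH, null encryption, single DES). The helper names weakness_of and weak_suites are invented for this example, and the classification is a heuristic over suite names rather than OpenSSL's own alias tables (DES-CBC3 is 3DES and is deliberately not flagged). Which suites appear for a given string depends on the OpenSSL build the interpreter links against.

```ruby
require 'openssl'

# Hypothetical helper (added example): classify one OpenSSL cipher-suite name
# into the weakness classes discussed in the bug. Returns nil for suites that
# are not in one of those classes. Name-based heuristic, not OpenSSL's alias logic.
def weakness_of(name)
  case name
  when /\A(ADH|AECDH|DH-anon|ECDH-anon)/ then :unauthenticated  # aNULL: anonymous (EC)DH, no peer authentication
  when /(\A|-)NULL(-|\z)/                then :null_encryption  # eNULL: no encryption at all
  when /(\A|-)DES-CBC(?!3)/              then :single_des       # 56-bit DES; DES-CBC3 is 3DES and is not flagged
  end
end

# Hypothetical helper (added example): build a context with the given cipher
# string and report which of the suites OpenSSL actually enables are weak.
# Returns a Hash of { class => [suite names] }; empty when nothing weak is enabled.
# Raises OpenSSL::SSL::SSLError if the string matches no cipher at all.
def weak_suites(cipher_string)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = cipher_string
  result = {}
  # SSLContext#ciphers yields [name, protocol_version, bits, alg_bits] per suite.
  ctx.ciphers.each do |name, _version, _bits, _alg_bits|
    kind = weakness_of(name)
    next unless kind
    (result[kind] ||= []) << name
  end
  result
end

# Demonstration: compare a permissive string, OpenSSL's DEFAULT as quoted from
# ciphers(1ssl), and a further-hardened string that also drops DES and export suites.
if $PROGRAM_NAME == __FILE__
  ['ALL', 'ALL:!aNULL:!eNULL', 'ALL:!aNULL:!eNULL:!DES:!EXPORT'].each do |s|
    flagged = weak_suites(s)
    puts "#{s}:"
    if flagged.empty?
      puts '  no weak suites enabled'
    else
      flagged.each { |kind, names| puts "  #{kind}: #{names.join(' ')}" }
    end
  end
end
```

The interesting line for a library maintainer is the middle one: if a client sets its own cipher string, running it through weak_suites shows immediately whether it has undone what OpenSSL's DEFAULT already excludes. The output for 'ALL' varies with the OpenSSL build (anonymous and DES suites may be absent entirely in newer releases); the two hardened strings never report anonymous or null-encryption suites because the !aNULL and !eNULL exclusions are applied by OpenSSL itself.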