[Pkg-openssl-devel] Bug#736287: Bug#736287: ruby1.9.1: insecure SSL defaults (DES and unauthenticated ciphers)

Antonio Terceiro terceiro at debian.org
Wed Jan 22 11:10:53 UTC 2014


On Wed, Jan 22, 2014 at 09:20:13AM +0100, Kurt Roeckx wrote:
> On Wed, Jan 22, 2014 at 02:08:58AM +0000, brian m. carlson wrote:
> > On Tue, Jan 21, 2014 at 09:49:01PM -0300, Antonio Terceiro wrote:
> > > While this is fair enough, I tend to agree with Ruby upstream that if
> > > this is a problem in openssl, it should be fixed there and not in every
> > > SSL client that uses OpenSSL:
> > > 
> > > $ apt-cache rdepends libssl1.0.0 | wc -l
> > > 743
> > 
> > According to man ciphers(1ssl):
> > 
> >   DEFAULT
> >       the default cipher list. This is determined at compile time and,
> >       as of OpenSSL 1.0.0, is normally ALL:!aNULL:!eNULL. This must be
> >       the first cipher string specified.
> >   aNULL
> >       the cipher suites offering no authentication.
> > 
> > So the default in OpenSSL is not to offer cipher suites that don't
> > provide authentication.  Ruby must therefore be overriding this.
> 
> You might also want to read:
> http://openssl.6102.n7.nabble.com/openssl-org-3231-default-ciphers-include-insecure-export-cipher-suites-td48106.html

OK, I got it. Thanks brian and Kurt for the clarifications.

Just one more question. If I go to https://www.howsmyssl.com/ with
iceweasel, or if I get https://www.howsmyssl.com/a/check with curl, both
still say my SSL is in a bad state.

It looks like everyone is using their own custom cipher list, then, and
every reverse dependency of openssl needs to be audited for this?

-- 
Antonio Terceiro <terceiro at debian.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/attachments/20140122/4438a839/attachment.sig>


More information about the Pkg-openssl-devel mailing list