[Pkg-openssl-devel] Bug#778747: Bug#778747: Bug#778747: openssl: RFC 7465 says RC4 is broken, never to be used

Kurt Roeckx kurt at roeckx.be
Sat Feb 21 17:57:35 UTC 2015


On Sat, Feb 21, 2015 at 06:22:40PM +0100, Vincent Bernat wrote:
> On 21 February 2015 17:50 +0100, Kurt Roeckx <kurt at roeckx.be> wrote:
> 
> >> > Do you know what the minimum changes requirements are to get an
> >> > A(+)?
> >> > I'm guessing it requires at least this in wheezy:
> >> > - SSLProtocol all -SSLv3
> >> > - SSLHonorCipherOrder off
> >> >
> >> > It might require you to disable RC4, but if that's the case we
> >> > should probably talk to Qualsys about it.
> >> 
> >> Yes, grade capped to B if accepting RC4. I see two possibilities for
> >> this choice: either downgrade attacks (when not circumvented), or it
> >> is considered preferable to use AES or even 3DES (BEAST attack being
> >> prevented on server-side).
> >
> > I don't see how you're going to do a downgrade attack to RC4.  Yes
> > clients like IE will enable RC4 on a fallback.  But if the server
> > supports something other than RC4 it should still pick that other
> > thing.
> 
> I suppose it is considered safer to not propose RC4 at all. If the
> server has responsibility for the data, it shouldn't propose an unsafe
> protocol at all even when the client is not supposed to ask for
> it. That's pure speculation, I am not informed enough.

So maybe this will clear things up for you:
- The client sends a list of ciphers it supports; this has an order
- The server is supposed to pick the first one of that list that
  it also supports, and that's what it does with
  SSLHonorCipherOrder on
- If you turn SSLHonorCipherOrder off it will use its own list
  and pick the first the client supports

If the client and server support a common cipher that's before RC4
in the list, it shouldn't pick RC4.

I would like to point out that DEFAULT includes things like EXPORT
ciphers supporting 40-bit security, and LOW including 56-bit security.
RC4 is still better than those and is currently in MEDIUM.

As far as I know, Apache's default (in Debian?) is:
HIGH:MEDIUM:!aNULL:!MD5

Which has all the RC4 ciphers at the end of the supported ciphers.


Kurt
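As an added example (not code from this thread, nor OpenSSL's or Apache's own code), the following Python models the two mechanisms discussed above: expanding an OpenSSL-style cipher string such as HIGH:MEDIUM:!aNULL:!MD5 into an ordered suite list, and the server's choice of suite under server-preferred versus client-preferred ordering. The suite table and the three client offers are constructed for illustration; the meaning given to SSLHonorCipherOrder follows mod_ssl's documented semantics, where `on` makes the server's order win. Only plain keywords and `!` exclusions are modelled, not OpenSSL's full cipher-string grammar.

```python
from typing import Dict, List, Optional, Sequence, Set

# Constructed suite table (not OpenSSL's real list or order): suite name ->
# the OpenSSL-style keywords it matches.  Table order is the order in which a
# plain keyword appends suites, mirroring how `openssl ciphers` walks its table.
SUITES: Dict[str, Set[str]] = {
    "ECDHE-RSA-AES256-GCM-SHA384": {"HIGH", "aRSA", "kEECDH", "AESGCM", "SHA384"},
    "DHE-RSA-AES128-SHA":          {"HIGH", "aRSA", "kEDH", "AES", "SHA1"},
    "AECDH-AES128-SHA":            {"HIGH", "aNULL", "kEECDH", "AES", "SHA1"},
    "AES128-SHA":                  {"HIGH", "aRSA", "kRSA", "AES", "SHA1"},
    "RC4-SHA":                     {"MEDIUM", "aRSA", "kRSA", "RC4", "SHA1"},
    "RC4-MD5":                     {"MEDIUM", "aRSA", "kRSA", "RC4", "MD5"},
    "DES-CBC-SHA":                 {"LOW", "aRSA", "kRSA", "DES", "SHA1"},
    "EXP-RC4-MD5":                 {"EXPORT", "aRSA", "kRSA", "RC4", "MD5"},
}


def expand_cipher_string(spec: str) -> List[str]:
    """Expand a cipher string such as 'HIGH:MEDIUM:!aNULL:!MD5' into an
    ordered suite list.  Two forms are modelled: a plain keyword appends every
    matching suite not yet present, and '!KEYWORD' removes matching suites and
    keeps them out for the rest of the string."""
    chosen: List[str] = []
    banned: Set[str] = set()
    for token in spec.split(":"):
        if token.startswith("!"):
            keyword = token[1:]
            banned.update(n for n, kws in SUITES.items() if keyword in kws)
            chosen = [n for n in chosen if n not in banned]
        else:
            for name, kws in SUITES.items():
                if token in kws and name not in chosen and name not in banned:
                    chosen.append(name)
    return chosen


def select_cipher(client_prefs: Sequence[str], server_prefs: Sequence[str],
                  honor_server_order: bool) -> Optional[str]:
    """Pick the suite a server would negotiate.  With honor_server_order True
    (mod_ssl's SSLHonorCipherOrder on) the server walks its own list and takes
    the first suite the client also offered; with it False the client's order
    decides.  None means no common suite, i.e. the handshake fails."""
    if honor_server_order:
        walk, other = server_prefs, set(client_prefs)
    else:
        walk, other = client_prefs, set(server_prefs)
    for suite in walk:
        if suite in other:
            return suite
    return None


# Constructed client offers (not captured from real clients).
MODERN_CLIENT = ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA", "RC4-SHA"]
FALLBACK_CLIENT = ["RC4-SHA", "RC4-MD5", "AES128-SHA"]   # prefers RC4 on retry
RC4_ONLY_CLIENT = ["RC4-SHA", "RC4-MD5"]


def negotiate_all(server_spec: str) -> Dict[str, Optional[str]]:
    """Run the three constructed clients against a server cipher string, once
    with the server's order honoured and once with the client's order."""
    server = expand_cipher_string(server_spec)
    clients = {"modern": MODERN_CLIENT, "fallback": FALLBACK_CLIENT,
               "rc4only": RC4_ONLY_CLIENT}
    results: Dict[str, Optional[str]] = {}
    for name, offer in clients.items():
        results[f"{name}/server-order"] = select_cipher(offer, server, True)
        results[f"{name}/client-order"] = select_cipher(offer, server, False)
    return results


if __name__ == "__main__":
    for spec in ("HIGH:MEDIUM:!aNULL:!MD5", "HIGH:!aNULL:!MD5"):
        print(spec, "->", expand_cipher_string(spec))
        for case, suite in negotiate_all(spec).items():
            print(f"  {case:22s} {suite}")
```

Running it shows the three situations the thread circles around: with the server's order honoured and AES ahead of RC4 in the server list, even a client that puts RC4 first still ends up on AES; with the client's order honoured, that same client gets RC4 although AES is available to both; and only a server string without MEDIUM (here HIGH:!aNULL:!MD5) makes RC4 unreachable for every client, at the price of an RC4-only client failing to connect at all.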


