[Pkg-openssl-devel] Bug#778747: Bug#778747: openssl: RFC 7465 says RC4 is broken, never to be used

Florian Schlichting fsfs at debian.org
Sun Feb 22 00:49:16 UTC 2015


On Fri, Feb 20, 2015 at 10:50:20PM +0100, Kurt Roeckx wrote:
> On Fri, Feb 20, 2015 at 10:08:48PM +0100, Florian Schlichting wrote:
> > | RC4                       377778    80.5871
> > | RC4 Only                  3712      0.7918
> > | RC4 Preferred             64613     13.7832
> > | RC4 forced in TLS1.1+     41031     8.7527
> > | x:FF 29 RC4 Only          541       0.1154
> > | x:FF 29 RC4 Preferred     70622     15.065
> > | x:FF 29 incompatible      136       0.029
> > ...
> 
> One of the problems is those servers that currently prefer/force RC4
> if it's available.  That is administrators who have actually
> configured things in such a way.  Removing RC4 from the default
> will not fix any of them.  It's that 13.7% that is the problem.

For a client using DEFAULT, removing RC4 will "fix" their connections to
exactly those 13.7% of servers. That's what this bug is trying to
achieve. The cost is the 0.79% of servers where this change will lead to
a handshake failure due to no common cipher being available any more.

> Please note that RC4 in the default configuration should never be
> negotiated by modern clients and servers.  The problem is
> administrators who think they know better changed something not to
> use the defaults.  If we adjust the defaults it's not going to fix
> anything.

I disagree. A server that's still configured to use RC4-SHA:HIGH:!ADH as
was initially recommended to mitigate the BEAST attack [0] will
negotiate an RC4 cipher. If I use a client with an adjusted DEFAULT to
connect to that server, RC4 will not be negotiated, and a better cipher
will likely be used instead. So ill-advised choices by administrators on
remote systems _can_ be fixed by good defaults on Debian systems (within
limits, of course).

[0] https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls


> I would like to point out that DEFAULT includes things like EXPORT
> ciphers supporting 40 bit security, LOW including 56 bit security.
> RC4 is still better than those and is currently in MEDIUM.

Why are these included in DEFAULT? Are you arguing that 40-bit EXPORT
ciphers are generally good enough to protect SSL/TLS sessions, in a
world where we know there are third parties listening in on all
long-range connections, and potential man-in-the-middle situations are
commonplace for all wireless devices?

> As far as I know, apache's default (in Debian?) is:
> HIGH:MEDIUM:!aNULL:!MD5

I guess I would like openssl to change its DEFAULT cipher list to be
HIGH:MEDIUM:!aNULL:!MD5:!RC4

BTW Apache's default in Debian Jessie is a lot stricter, and already
doesn't include RC4 ciphers:

    SSLCipherSuite HIGH:!aNULL
    SSLProtocol all -SSLv3

So we're not talking about protecting default Debian Apache setups. And
we're not talking about Debian users of Iceweasel or Chromium (which
don't use OpenSSL). As I wrote before, I think we should be talking
about the hundreds of applications that use openssl "for encryption",
and rely on it to produce something sensibly secure, for 2015, 2018 and
perhaps beyond.

RFC 7465 has been adopted for a reason. Let's take that seriously,
please?

Florian
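The negotiation argument made in this message (a client DEFAULT without RC4 against servers that prefer RC4, servers that only offer RC4, and servers that already exclude it), as an added toy model that is not part of the original thread or of OpenSSL: the cipher lists are constructed and shortened, and server-preference ordering (the SSL_OP_CIPHER_SERVER_PREFERENCE behaviour) is assumed for every server.

```python
# Toy model of TLS cipher-suite selection; all lists below are constructed
# stand-ins for `openssl ciphers` output, not measured data.
from typing import Dict, List, Optional

# Constructed, shortened expansions of the cipher strings discussed above.
HIGH = ["ECDHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA", "AES128-SHA"]
RC4 = ["RC4-SHA", "RC4-MD5"]
CLIENT_DEFAULT_WITH_RC4 = HIGH + RC4   # DEFAULT as it is now (RC4 in MEDIUM)
CLIENT_DEFAULT_NO_RC4 = HIGH           # DEFAULT with ...:!RC4 appended

# Server profiles taken from the categories in the quoted table
# (hypothetical orderings; the server decides with its own preference).
SERVERS: Dict[str, List[str]] = {
    "RC4 Preferred": RC4 + HIGH,  # old BEAST advice: RC4-SHA:HIGH:!ADH
    "RC4 Only": RC4,              # nothing but RC4 configured
    "Modern": HIGH,               # e.g. Jessie Apache HIGH:!aNULL
}


def negotiate(server_prefs: List[str], client_offer: List[str]) -> Optional[str]:
    """Return the first suite in the server's order that the client also
    offered (server-preference behaviour), or None for a handshake failure."""
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None


def effect_of_dropping_rc4(server_prefs: List[str]) -> str:
    """Classify what a client DEFAULT without RC4 changes for one server."""
    before = negotiate(server_prefs, CLIENT_DEFAULT_WITH_RC4)
    after = negotiate(server_prefs, CLIENT_DEFAULT_NO_RC4)
    if after is None:
        return "handshake failure"   # the 0.79% RC4-only cost
    if before in RC4 and after not in RC4:
        return "fixed"               # the 13.7% RC4-preferring servers
    return "unchanged"               # servers that never negotiated RC4


def summarize() -> Dict[str, str]:
    return {name: effect_of_dropping_rc4(prefs) for name, prefs in SERVERS.items()}


if __name__ == "__main__":
    for name, outcome in summarize().items():
        print(f"{name:15s} -> {outcome}")
```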
