[Pkg-openssl-devel] Bug#779669: OpenSSL: consider completely disabling EXPORT cipher suites

Török Edwin edwin at etorok.net
Tue Mar 3 20:45:41 UTC 2015


Package: libssl1.0.0
Version: 1.0.1k-1
Severity: normal

Dear Maintainer,

CVE-2015-0204 [1] happened because OpenSSL still had code supporting export
cipher suites.
LibreSSL has disabled the use of export cipher suites [2] and all the code
relating to use of export RSA [3].

Although I'd much rather replace OpenSSL with LibreSSL on my box, it is not
ready yet for Jessie or unstable even [4], so meantime
can you consider disabling the export suites in OpenSSL like LibreSSL did, and
like you've done for SSLv3?
Perhaps something to discuss with upstream to provide a flag for that, although
maybe the correct thing to do would be to remove that code from upstream as
well.

[1] https://github.com/openssl/openssl/commit/ce325c60c74b0fa784f5872404b722e120e5cab0
[2] https://github.com/libressl-portable/openbsd/commit/9e3c8206e0f32386e79956dfa4a26bbfdb3dd10d
[3] https://github.com/libressl-portable/openbsd/commit/b0a3dc11e2f40da00441447a359ed16e8c578e44
[4] https://github.com/libressl-portable/openbsd/commit/9e3c8206e0f32386e79956dfa4a26bbfdb3dd10d



-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libssl1.0.0 depends on:
ii  debconf [debconf-2.0]  1.5.55
ii  libc6                  2.19-15
ii  multiarch-support      2.19-15

libssl1.0.0 recommends no packages.

libssl1.0.0 suggests no packages.

-- debconf information:
  libssl1.0.0/restart-services:
  libssl1.0.0/restart-failed:
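The check a maintainer or administrator would want alongside this request is whether a given OpenSSL build still offers export-grade suites at all. The following is an added example, not part of the bug report or of Debian's packaging: it parses `openssl ciphers -v` style output (the sample lines below are constructed to mimic a 1.0.x build, not captured from any system) and flags suites that are marked `export` or that use 512-bit key exchange / 40-bit encryption, and it also asks the OpenSSL linked into the running Python whether the `EXPORT` selector still matches anything. The helper names `parse_cipher_line`, `is_export_grade`, `find_export_suites` and `local_export_suites` are assumptions of this example.

```python
import ssl

# Constructed sample in the layout of `openssl ciphers -v` output from an
# OpenSSL 1.0.x build that still carried EXPORT suites (constructed here,
# not captured from a real system).
SAMPLE_CIPHER_LIST = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""


def parse_cipher_line(line):
    """Parse one `openssl ciphers -v` line into a dict, or None if malformed."""
    fields = line.split()
    if len(fields) < 6:
        return None
    entry = {
        "name": fields[0],
        "protocol": fields[1],
        # OpenSSL appends a bare "export" flag after the Mac= field.
        "export": "export" in fields[6:],
    }
    for field in fields[2:6]:  # Kx=, Au=, Enc=, Mac=
        key, _, value = field.partition("=")
        entry[key.lower()] = value
    return entry


def is_export_grade(entry):
    """Flag a suite as export-grade by its explicit flag, its EXP name prefix,
    or the 512-bit key exchange / 40-bit cipher that the EXPORT suites use."""
    return (
        entry["export"]
        or entry["name"].startswith("EXP")
        or "(512)" in entry.get("kx", "")
        or "(40)" in entry.get("enc", "")
    )


def find_export_suites(cipher_list_text):
    """Return the names of export-grade suites in `openssl ciphers -v` output."""
    found = []
    for line in cipher_list_text.splitlines():
        entry = parse_cipher_line(line)
        if entry is not None and is_export_grade(entry):
            found.append(entry["name"])
    return found


def local_export_suites():
    """Ask the OpenSSL linked into this Python for its EXPORT cipher set.
    A library with no export support rejects the selector outright (SSLError),
    which is the state this bug report asks the Debian package to reach."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("EXPORT")
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    print("export suites in sample:", find_export_suites(SAMPLE_CIPHER_LIST))
    print("export suites in local OpenSSL:", local_export_suites())
```

Run against real output (`openssl ciphers -v 'ALL:COMPLEMENTOFALL'`) by passing the captured text to `find_export_suites`; an empty result from `local_export_suites()` means the linked library cannot be talked into an export suite regardless of what a cipher string requests, which is the property the report is asking for.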