[Pkg-openssl-devel] Bug#779669: OpenSSL: consider completely disabling EXPORT cipher suites
Török Edwin
edwin at etorok.net
Tue Mar 3 20:45:41 UTC 2015
Package: libssl1.0.0
Version: 1.0.1k-1
Severity: normal
Dear Maintainer,
CVE-2015-0204 [1] happened because OpenSSL still had code supporting export
cipher suites.
LibreSSL has disabled the use of export cipher suites [2] and all the code
relating to use of export RSA [3].
Although I'd much rather replace OpenSSL with LibreSSL on my box, it is not
ready yet for Jessie or even unstable [4], so in the meantime
can you consider disabling the export suites in OpenSSL like LibreSSL did, and
like you've done for SSLv3?
Perhaps something to discuss with upstream to provide a flag for that, although
maybe the correct thing to do would be to remove that code from upstream as
well.
[1] https://github.com/openssl/openssl/commit/ce325c60c74b0fa784f5872404b722e120e5cab0
[2] https://github.com/libressl-portable/openbsd/commit/9e3c8206e0f32386e79956dfa4a26bbfdb3dd10d
[3] https://github.com/libressl-portable/openbsd/commit/b0a3dc11e2f40da00441447a359ed16e8c578e44
[4] https://github.com/libressl-portable/openbsd/commit/9e3c8206e0f32386e79956dfa4a26bbfdb3dd10d
-- System Information:
Debian Release: 8.0
APT prefers testing-updates
APT policy: (500, 'testing-updates'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages libssl1.0.0 depends on:
ii debconf [debconf-2.0] 1.5.55
ii libc6 2.19-15
ii multiarch-support 2.19-15
libssl1.0.0 recommends no packages.
libssl1.0.0 suggests no packages.
-- debconf information:
libssl1.0.0/restart-services:
libssl1.0.0/restart-failed:
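An added example (not part of this bug report, nor Debian's or OpenSSL's own code) showing the application-side counterpart of what the report asks the package to do: build a server-side TLS context whose cipher string excludes EXPORT and LOW suites, then audit the suite list the linked OpenSSL would actually offer. The `SAMPLE_LEGACY_SUITES` list is constructed to mirror the dict shape returned by Python's `SSLContext.get_ciphers()` for an OpenSSL 1.0.1-era build that still carried export suites; `weak_suites`, `hardened_server_context` and `audit_context` are names chosen for this example.

```python
import ssl

# Cipher string that removes export-grade and other weak suites regardless of
# what the linked OpenSSL build enables by default. A keyword the build no
# longer knows (e.g. "EXPORT" on OpenSSL >= 1.1.0) is ignored by the cipher
# string parser, so the string is safe to use across versions.
HARDENED_CIPHERS = "DEFAULT:!EXPORT:!LOW:!3DES:!aNULL:!eNULL"

# Constructed sample (not real get_ciphers() output) in the same dict shape,
# imitating an OpenSSL 1.0.1-era DEFAULT list that still offered export suites.
SAMPLE_LEGACY_SUITES = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "strength_bits": 128},
    {"name": "DES-CBC-SHA", "protocol": "SSLv3", "strength_bits": 56},
    {"name": "EXP-RC4-MD5", "protocol": "SSLv3", "strength_bits": 40},
    {"name": "EXP1024-DES-CBC-SHA", "protocol": "SSLv3", "strength_bits": 56},
]


def weak_suites(suites, min_bits=128):
    """Return names of suites that are export-grade (EXP... prefix) or whose
    effective key strength is below min_bits, in the order they were offered."""
    return [
        s["name"]
        for s in suites
        if s["name"].startswith("EXP") or s["strength_bits"] < min_bits
    ]


def hardened_server_context(cipher_string=HARDENED_CIPHERS):
    """Server-side context restricted to the hardened cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx


def audit_context(ctx):
    """Names of weak suites the context would still offer; empty means clean."""
    return weak_suites(ctx.get_ciphers())


if __name__ == "__main__":
    print("legacy sample offenders:", weak_suites(SAMPLE_LEGACY_SUITES))
    print("hardened context offenders:", audit_context(hardened_server_context()))
```

Running the audit against the real context is the useful part: it inspects what the linked libssl will actually negotiate, so it catches a build that silently still ships export suites even when the cipher string looks right.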