[Pkg-openssl-devel] Bug#736687: Bug#736687: libssl1.0.0: default cipher list contains insecure ciphers
Adrian Bunk
bunk at stusta.de
Sun Oct 30 21:35:23 UTC 2016
Control: severity -1 serious
On Sun, Jan 26, 2014 at 12:07:52PM +0100, Kurt Roeckx wrote:
>...
> I guess the problem with changing the default is that nobody is
> using the default because it doesn't make any sense, so the impact
> of changing the default in openssl will be small.
>...
Unfortunately this is not true.
I just verified with konqueror in unstable that it does offer RC4
ciphers, and no longer offers them after rebuilding OpenSSL with
-# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2"
+# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2:!RC4"
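Review bot: the hunk has no file header and no context lines, so it cannot be applied as posted and does not say which header defines SSL_DEFAULT_CIPHER_LIST; for the stretch upload it should go in as a complete debian/patches entry with a DEP-3 header naming the file and referencing this bug. Worth stating in that header as well: the new exclusion only affects applications that rely on the built-in default, since anything that calls SSL_CTX_set_cipher_list() with its own string (the case Kurt assumed to be universal) is untouched, which bounds the regression risk discussed for jessie below.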
I am raising this to RC severity since 1.0.2 will likely still be
shipped in stretch, and removing ciphers from the 1.0.2 defaults
that were already removed from the 1.1.0 defaults should clearly
be done for stretch.
Whether this should also be done for jessie is a separate question;
the risk of such a change causing regressions in existing setups is
a potential concern here, since many users are getting stable updates
installed automatically.
> Kurt
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
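The check Adrian did by rebuilding OpenSSL and watching konqueror can be repeated without a rebuild by asking the linked OpenSSL to expand both cipher strings and diffing the results. The following is an added example, not part of the mail or of the Debian openssl package; it uses Python's standard ssl module, which hands the string to SSL_CTX_set_cipher_list() and reads back the selected suites. The two strings are the ones from the quoted patch; the function names are this example's own.

```python
import ssl

# SSL_DEFAULT_CIPHER_LIST before and after the !RC4 change, copied from the patch.
OLD_DEFAULT = "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2"
NEW_DEFAULT = "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2:!RC4"


def expand_cipher_list(cipher_string):
    """Return the suite names the linked OpenSSL selects for a cipher string.

    OpenSSL silently ignores alias words it does not know (SSLv2 is gone on
    1.1.0 and later), so the 1.0.2 default string still parses everywhere.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [suite["name"] for suite in ctx.get_ciphers()]


def rc4_suites(cipher_string):
    """Suites in the expanded list whose name marks them as RC4."""
    return [name for name in expand_cipher_list(cipher_string) if "RC4" in name]


def check_rc4_removed(old=OLD_DEFAULT, new=NEW_DEFAULT):
    """Show what the !RC4 exclusion drops and confirm it drops nothing else.

    On an OpenSSL built without weak ciphers (the 1.1.0+ default) rc4_before
    is already empty; on 1.0.2 it lists the suites konqueror was offering.
    """
    old_suites = expand_cipher_list(old)
    new_suites = expand_cipher_list(new)
    dropped = [name for name in old_suites if name not in new_suites]
    return {
        "rc4_before": rc4_suites(old),
        "rc4_after": rc4_suites(new),
        "dropped": dropped,
        # True when every suite removed by the new string is an RC4 suite,
        # i.e. the patch has no side effect on the rest of the default list.
        "only_rc4_dropped": all("RC4" in name for name in dropped),
    }


if __name__ == "__main__":
    result = check_rc4_removed()
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    print("RC4 suites in old default:", result["rc4_before"] or "none")
    print("RC4 suites in new default:", result["rc4_after"] or "none")
    print("dropped by !RC4:", result["dropped"] or "nothing")
    print("only RC4 affected:", result["only_rc4_dropped"])
```

Running it against the 1.0.2 library in a stretch chroot shows the RC4 suites in the old list and an empty list for the new one; against 1.1.0 both lists are empty, which is the "already removed from the 1.1.0 defaults" point the mail makes. The `only_rc4_dropped` flag is the regression check for jessie: if it is True, the patch changes nothing for applications other than removing RC4.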