On Thu, 3 Oct 2013, Nick Zitzmann wrote:
So I heard recently that SSL Labs has a new TLS/SSL client test available:
<https://www.ssllabs.com/ssltest/viewMyClient.html>
I already ran my code through it, and it detected support for a NULL
cipher-suite I forgot to block out. Oops. I fixed that and pushed the change
yesterday.
Nice!
I also tried running it with two other SSL back-ends - Schannel (Windows 7)
and OpenSSL (0.9.8). The Schannel back-end showed no weak or insecure
cipher-suites (good) but didn't support TLS 1.2 (I thought it did?).
That's a very old OpenSSL version though. My OpenSSL/1.0.1e supports TLS 1.2
fine.
Meanwhile, the OpenSSL back-end advertised support for a number of weak
suites with only 40- and 56-bit keys. Shouldn't we be blocking those by
default?
We haven't really discussed this, but yes I think we should! The weak ones
this test identifies in my version are:
(Cipher Suites and bit lengths)
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15) WEAK 56
TLS_DHE_DSS_WITH_DES_CBC_SHA (0x12) WEAK 56
TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK 56
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14) WEAK 40
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x11) WEAK 40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8) WEAK 40
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6) WEAK 40
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3) WEAK 40
--
/ daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
