On Wed, Jan 22, 2014 at 09:20:13AM +0100, Kurt Roeckx wrote:
> On Wed, Jan 22, 2014 at 02:08:58AM +0000, brian m. carlson wrote:
> > On Tue, Jan 21, 2014 at 09:49:01PM -0300, Antonio Terceiro wrote:
> > > While this is fair enough, I tend to agree with Ruby upstream that if
> > > this is a problem in openssl, it should be fixed there and not in every
> > > SSL client that uses OpenSSL:
> > >
> > > $ apt-cache rdepends libssl1.0.0 | wc -l
> > > 743
> >
> > According to man ciphers(1ssl):
> >
> > DEFAULT
> > the default cipher list. This is determined at compile time and,
> > as of OpenSSL 1.0.0, is normally ALL:!aNULL:!eNULL. This must be
> > the first cipher string specified.
> > aNULL
> > the cipher suites offering no authentication.
> >
> > So the default in OpenSSL is not to offer cipher suites that don't
> > provide authentication. Ruby must therefore be overriding this.
>
> You might also want to read:
> http://openssl.6102.n7.nabble.com/openssl-org-3231-default-ciphers-include-insecure-export-cipher-suites-td48106.html
OK, I got it. Thanks brian and Kurt for the clarifications.

Just one more question. If I go to https://www.howsmyssl.com/ with
iceweasel, or if I get https://www.howsmyssl.com/a/check with curl, both
still say my SSL is in a bad state. It looks like everyone is using their
own custom cipher list, then, and every reverse dependency of openssl
needs to be audited for this?

-- 
Antonio Terceiro <terce...@debian.org>
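The audit Antonio asks about comes down to expanding whatever cipher string a client sets (its own list, or OpenSSL's DEFAULT) and checking the result for aNULL, eNULL and export-grade suites. The script below is an added example, not code from this thread or from Ruby or OpenSSL: it uses Python's ssl binding to the locally installed OpenSSL to expand a cipher string, then flags any suite whose description shows Au=None (no authentication), Enc=None (no encryption), or fewer than 112 bits of strength; the 112-bit threshold and the reason tags are this example's own choices, and the description lines in the test are constructed samples.

```python
"""Audit an OpenSSL cipher string for suites that should not be offered.

Added example: expands a cipher string with the local OpenSSL build (via
Python's ssl module) and reports suites offering no authentication
(aNULL), no encryption (eNULL), or export-grade / sub-112-bit strength.
"""
import re
import ssl

# Assumed threshold for this example: anything below 112 bits is treated
# as export-grade or otherwise too weak to offer.
MIN_STRENGTH_BITS = 112


def classify(description, strength_bits):
    """Return the reasons a suite is unsafe, or [] if none apply.

    `description` is an OpenSSL cipher description line such as
    'ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1' and
    `strength_bits` the effective key strength OpenSSL reports for it.
    """
    fields = dict(re.findall(r"(\w+)=(\S+)", description))
    reasons = []
    if fields.get("Au") == "None":
        reasons.append("aNULL")          # unauthenticated: no certificate checked
    if fields.get("Enc") == "None":
        reasons.append("eNULL")          # plaintext on the wire
    if "export" in description.lower() or strength_bits < MIN_STRENGTH_BITS:
        reasons.append("weak(%d bits)" % strength_bits)
    return reasons


def audit(cipher_string):
    """Expand `cipher_string` with the local OpenSSL and return a list of
    (suite_name, reasons) for every suite classify() flags.

    Returns [] when the string selects no suite at all in this build
    (OpenSSL raises in that case), which a caller should also treat as a
    misconfiguration rather than a clean bill of health.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    flagged = []
    for suite in ctx.get_ciphers():
        reasons = classify(suite["description"], suite["strength_bits"])
        if reasons:
            flagged.append((suite["name"], reasons))
    return flagged


def report(cipher_string):
    """Human-readable summary for one cipher string."""
    flagged = audit(cipher_string)
    lines = ["%s -> %d flagged suite(s)" % (cipher_string, len(flagged))]
    for name, reasons in flagged:
        lines.append("  %-32s %s" % (name, ", ".join(reasons)))
    return "\n".join(lines)


if __name__ == "__main__":
    # DEFAULT and ALL:!aNULL:!eNULL should come back clean; a client that
    # overrides its list with plain ALL (or worse) shows up here.
    for cs in ("DEFAULT", "ALL:!aNULL:!eNULL", "ALL"):
        print(report(cs))
```

To audit an application, feed `audit()` the exact string it passes to `SSL_CTX_set_cipher_list` (for a Ruby client, the value assigned to `OpenSSL::SSL::SSLContext#ciphers`); the expansion is done by the same OpenSSL library the application links against, so the result reflects that build's compiled-in suites rather than a generic list.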