On Wed, Mar 06, 2002 at 04:43:20PM +0000, Ben Laurie wrote:
> Adam Back wrote:
> > 
> > It seems that if you enable ADH but disable MEDIUM ciphersuites, they
> > get left on anyway.
> > 
> > I guess not too many people enable ADH, but there are scenarios where
> > it is useful, and so this seems like a security bug.
> > 
> > What I did:
> > 
> >         % openssl s_server -state -CApath certs -cipher 'ALL'
> > 
> > and connect to it with
> > 
> >         % openssl s_client -cipher "ADH:\!EXP:\!LOW:!'MEDIUM"
> > 
> > then the server prints:
> > 
> > Shared ciphers:ADH-DES-CBC3-SHA:ADH-DES-CBC-SHA:ADH-RC4-MD5
> > 
> > ADH-DES-CBC-SHA is single DES and so fails LOW, and shouldn't be in
> > the list.
> 
> Quite so, and this will fix it:
> 
> Index: ssl/s3_lib.c
> ===================================================================
> RCS file: /e/openssl/cvs/openssl/ssl/s3_lib.c,v
> retrieving revision 1.57
> diff -u -r1.57 s3_lib.c
> --- ssl/s3_lib.c        2001/10/20 17:56:35     1.57
> +++ ssl/s3_lib.c        2002/03/06 16:41:55
> @@ -196,7 +196,7 @@
>         SSL3_TXT_ADH_DES_64_CBC_SHA,
>         SSL3_CK_ADH_DES_64_CBC_SHA,
>         SSL_kEDH |SSL_aNULL|SSL_DES  |SSL_SHA1|SSL_SSLV3,
> -       SSL_NOT_EXP,
> +       SSL_NOT_EXP|SSL_LOW,
>         0,
>         56,
>         56,
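Review bot: the changed flags line adds SSL_LOW to this one entry by hand, which leaves the same omission possible anywhere else in the table: any other entry whose strength field is a bare SSL_NOT_EXP would escape the !LOW and !MEDIUM selectors in the same way. Suggest checking every entry in this table for a strength class in the same commit, and recording in the commit message why this suite, with the two 56 values just below the changed line, is classed as SSL_LOW.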
> 
> Just committing now.

I left your message in my queue, because I wanted to check it out again.
* DES_64 is 56 bits long, so it would also qualify as SSL_EXP56!? instead
  of SSL_LOW. This is probably a question of definition. Opinions?
  (The "exportability" is handled separately by the SSL_NOT_EXP flag...)
* Some other ciphers are also missing the "strength class setting". But
  I would like the first point discussed before filling in.
* Technically, this fix should not only go into 0.9.7-stable but also into
  -dev. Should it also go into 0.9.6-stable?

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
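
The filtering failure from the report, and the table audit that the second point in the reply implies, as an added example that is not part of the original thread or OpenSSL's code. It is a simplified model: the `M_*` bit values, the two tables, the class given to the 3DES entry, and the helper names `survivors` and `unclassified` are all assumptions made for illustration.

```c
#include <stdio.h>

/* Constructed bit values for this model; not OpenSSL's real definitions. */
#define M_NOT_EXP 0x01u
#define M_LOW     0x02u
#define M_MEDIUM  0x04u
#define M_HIGH    0x08u
#define M_STRENGTH (M_LOW | M_MEDIUM | M_HIGH)

struct cipher { const char *name; unsigned strength; int bits; };

/* Constructed table, single-DES entry as on the hunk's '-' line. */
static const struct cipher before[] = {
    { "ADH-DES-CBC3-SHA", M_NOT_EXP | M_HIGH, 168 },  /* class assumed */
    { "ADH-DES-CBC-SHA",  M_NOT_EXP,           56 },  /* no class set  */
};
/* Same table with the entry as on the hunk's '+' line. */
static const struct cipher after[] = {
    { "ADH-DES-CBC3-SHA", M_NOT_EXP | M_HIGH, 168 },
    { "ADH-DES-CBC-SHA",  M_NOT_EXP | M_LOW,   56 },
};

/* Model of "!CLASS": a cipher is dropped only if it carries that bit,
 * so an entry with no strength bit survives every strength exclusion. */
static size_t survivors(const struct cipher *t, size_t n, unsigned excluded)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if ((t[i].strength & excluded) == 0)
            kept++;
    return kept;
}

/* Audit: count entries that do not carry exactly one strength class. */
static size_t unclassified(const struct cipher *t, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned s = t[i].strength & M_STRENGTH;
        if (s == 0 || (s & (s - 1)) != 0) {   /* zero bits, or several */
            printf("check strength class: %s (%d bits)\n", t[i].name, t[i].bits);
            bad++;
        }
    }
    return bad;
}

int main(void)
{
    printf("before: %zu kept\n", survivors(before, 2, M_LOW | M_MEDIUM));
    printf("after:  %zu kept\n", survivors(after, 2, M_LOW | M_MEDIUM));
    return (int)(unclassified(before, 2) + unclassified(after, 2));
}
```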
