> From: [email protected] On Behalf Of Kurt Roeckx via RT
> Sent: Monday, January 13, 2014 13:35
>
> On Mon, Jan 13, 2014 at 05:25:55PM +0100, Jeff Hodges via RT wrote:
> > We've been testing clients using OpenSSL against
> > https://howsmyssl.com/a/check and noticed that those using
> > the OpenSSL_add_all_algorithms() have insecure export cipher suites

Aside: add_all_algorithms shouldn't affect suites offered or accepted.
add_ssl_algorithms aka SSL_library_init provides all suite primitives,
although in old versions (IIRC 0.9.8) it may not enable SHA-2 *certs*
and some *PBEs* that might be needed for the private key file(s).

> > included by default. These cipher suites are using keys less than the
> > currently recommended 128-bit keys.
> >

By whom? NIST 800-57 only demands 112-bit strength through 2030.
That allows "3DES" (TDEA) as below. (Note we want strength not size.
For *most* symmetric ciphers key size equals strength, but not for TDEA
as you note below, and for asymmetric and hash not even close.)

> > For instance, curl was burned by this:
> > http://sourceforge.net/p/curl/bugs/1323/
<snip>
> <snip>
> One major problem is that you don't always have control over the
> other side you're talking to.
<snip>
> I think we all want to have as a goal that we want to have at least
> 128 bit over the whole chain. The question is what you use as
> default and when you drop some things.
>

Or 112. If you believe NIST, they rated 128 strength to require RSA, DSA
or DH at 3072 which I see almost no one doing, though RSA *2048* is now
finally widespread and rated 112. (For ECC it seems people are using
P-256, which is 128.) Either 112 or 128 nominally requires SHA-2 certs,
which still seem rare. In the abstract they also require SHA-2 HMAC and
thus TLSv1.2, but HMAC is realtime only so that's much less vital.

> According to the manpage, "DEFAULT" currently stands for
> "ALL:!aNULL:!eNULL". Maybe that should get changed to
> "ALL:!aNULL:!eNULL:!LOW:!EXPORT", dropping anything that
> uses 64 bit or less. You'll end up with 3DES which has 156
> bits but really only provides 112 bit, and RC4 which you might
> also want to disable. Then there are still SEED and IDEA,
> which you also might want to disable.
>

Actually since 1.0.0 it's ALL:!aNULL:!eNULL:!SSLv2 . But that
effectively removes only RC2-128 (!) and some (not all!) HMAC=MD5 which
we don't want at all. The significance is that it causes client Hello to
use v3&TLS format which can have extensions, instead of v2-compatible
which does not.

> Basically you only want AES and Camellia, but you'll need
> 3DES or RC4 to be able to talk to some people.
>

Yes.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
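The thread argues about which cipher-list string should be the default and whether 112 or 128 bits is the right floor. The quickest way to settle such questions for a given build is to ask the library itself. The following is an added example, not code from the thread or from OpenSSL: it hands a cipher-list string (the "DEFAULT" in use and the proposed "ALL:!aNULL:!eNULL:!LOW:!EXPORT") to the OpenSSL library linked into Python's `ssl` module and reports which selected suites fall below a chosen effective strength, which offer no authentication or no encryption, and which suites a stricter string drops. It assumes nothing beyond the standard library; the results reflect whatever OpenSSL version and compile-time options Python was built against (modern builds drop EXPORT and LOW suites entirely, so those strings may select nothing at all).

```python
"""Check what an OpenSSL cipher-list string really selects.

Added example, not code from the mailing-list thread or from OpenSSL.
The ssl module passes the string to the linked OpenSSL library, so the
output depends on that library's cipher table and build options.
"""
import ssl

# The two cipher-list strings discussed in the thread.
CURRENT_DEFAULT = "DEFAULT"
PROPOSED_DEFAULT = "ALL:!aNULL:!eNULL:!LOW:!EXPORT"


def suites(cipher_string):
    """Suites OpenSSL selects for cipher_string, as get_ciphers() dicts.

    Each dict carries the suite's name, protocol, strength_bits (effective
    strength) and alg_bits (key size), plus the same description line that
    `openssl ciphers -v` prints. A string that selects no suite makes
    set_ciphers() raise ssl.SSLError; that is reported as an empty list.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return ctx.get_ciphers()


def names(cipher_string):
    """Sorted suite names selected by cipher_string."""
    return sorted(c["name"] for c in suites(cipher_string))


def below_strength(cipher_string, min_bits):
    """Selected suites whose effective strength is under min_bits.

    strength_bits is effective strength rather than key size: 3DES
    reports alg_bits=168 but strength_bits=112, the distinction the
    thread draws between "size" and "strength".
    """
    return sorted(
        c["name"]
        for c in suites(cipher_string)
        if c["strength_bits"] < min_bits
    )


def unauthenticated_or_unencrypted(cipher_string):
    """Selected suites with no peer authentication (Au=None) or no
    encryption (Enc=None), read from the openssl-style description line.
    These are exactly the suites that !aNULL and !eNULL are meant to drop.
    """
    return sorted(
        c["name"]
        for c in suites(cipher_string)
        if "Au=None" in c["description"] or "Enc=None" in c["description"]
    )


def dropped_by(base, stricter):
    """Suites selected by `base` that `stricter` no longer selects."""
    return sorted(set(names(base)) - set(names(stricter)))


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    for s in (CURRENT_DEFAULT, PROPOSED_DEFAULT):
        print(f"{s}: {len(names(s))} suites")
        print("  below 112 bits:", below_strength(s, 112))
        print("  below 128 bits:", below_strength(s, 128))
        print("  Au=None / Enc=None:", unauthenticated_or_unencrypted(s))
    print("dropped by the proposed string:",
          dropped_by(CURRENT_DEFAULT, PROPOSED_DEFAULT))
```

Running it against a current build typically shows the two strings selecting the same set, because the LOW and EXPORT suites that separate them were removed at compile time years ago; lowering the floor argument from 128 to 112 is what makes 3DES (when the build still has it) disappear from the "below" list, which is the 112-versus-128 choice the thread leaves open.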
