[Touch-packages] [Bug 1590163] Re: disable export grade ciphers

2022-05-07 Thread Oibaf
This was done in Ubuntu jammy/22.04. See release notes: 
https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes/24668
Security Level 2 is now enforced, see here for some more info: 
https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_security_level.html

** Changed in: openssl (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1590163

Title:
  disable export grade ciphers

Status in openssl package in Ubuntu:
  Fix Released

Bug description:
  # System

  device: Aquaris BQ E4.5
  OS: Ubuntu 15.04, OTA-11 
  OpenSSL version:
$dpkg --list |grep libssl
  ii  libssl1.0.0:armhf  1.0.1f-1ubuntu11.6  armhf  Secure Sockets Layer toolkit - shared libraries

  
  # Observed behaviour

  OpenSSL provides export grade ciphers:

$openssl ciphers -v EXP
  EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
  EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
  EXP-ADH-DES-CBC-SHA     SSLv3 Kx=DH(512)  Au=None Enc=DES(40)   Mac=SHA1 export
  EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
  EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
  EXP-ADH-RC4-MD5         SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)   Mac=MD5  export
  EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export

  
  # Expected behaviour

  No export grade ciphers are provided in binaries.

  
  # Rationale

  Export grade ciphers are insecure.  By design.  In response to FREAK and
  Logjam attacks, OpenSSL developers disabled export grade ciphers in
  OpenSSL v1.0.1m (March 2015),
  cf. <https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/>.

  To bypass similar future attacks, deactivation of export grade ciphers should
  be backported to 15.04.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1590163/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1590163] Re: disable export grade ciphers

2016-08-05 Thread Marc Deslauriers
** Changed in: openssl (Ubuntu)
   Status: New => Confirmed

** Changed in: openssl (Ubuntu)
   Importance: Undecided => Wishlist



[Touch-packages] [Bug 1590163] Re: disable export grade ciphers

2016-06-08 Thread Stephan Hennig
The above mentioned command shows that export grade ciphers are supported.  
That doesn't mean they are considered during cipher negotiation or even 
advertised by the client.  But those ciphers are part of certain cipher 
strings, like ALL, DES, SHA etc.  A user/developer not explicitly disabling
export grade ciphers using !EXP in the cipher string argument may advertise 
those ciphers unintentionally, exposing an app to (yet) future attacks trying 
to mitigate negotiated cipher strength, like FREAK and Logjam attacks did.

The crux is, end-users have no easy way to monitor cipher negotiation
and file bugs against a particular app.  Even if one sets up his own
test server to check a particular app, that effort seems wasted, since
many apps can benefit from disabling unsafe ciphers in one central piece
of code - the SSL library.

As for the planned 16.04 transition, which updates OpenSSL to a version with 
export grade ciphers already disabled, I've heard rumours that no decision has 
been made up until today whether all current devices will take part in the 
transition to 16.04.  If a new attack is made public after support ended for a 
particular device that is still on 15.04, users cannot use that device for
trusted communication anymore.

Yes, disabling export grade ciphers is an investment into the future
anticipating new attacks.  But that future may be tomorrow.  I suggest
acting now, disabling export grade ciphers for the next OTA and be on
the safe(er) side.  At least, reasoning of OpenSSL developers seems to
be along these lines (see link given in original bug report).



[Touch-packages] [Bug 1590163] Re: disable export grade ciphers

2016-06-07 Thread Seth Arnold
I wonder if this is a good way to find the supported ciphers list?

sarnold@sec-trusty-amd64:~/qrt-test-imagemagick$ openssl ciphers -v EXP
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
EXP-ADH-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=None Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-ADH-RC4-MD5 SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export

sarnold@sec-wily-amd64:~/qrt-test-imagemagick$ openssl ciphers -v EXP
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
EXP-ADH-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=None Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-ADH-RC4-MD5 SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export

And a 16.04 LTS system:
$ openssl ciphers -v EXP
Error in cipher list
140090662590104:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1380:


None of these are attempts to -use- the ciphers though.

Thanks

** Information type changed from Public to Public Security

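
As an added example (not code from this bug thread, from Ubuntu or from the OpenSSL project), the check below does programmatically what Seth's `openssl ciphers -v EXP` run and Stephan's point about `!EXP` describe: it asks the linked libssl which suites a cipher string actually enables, flags anything export grade or below 128-bit strength, and treats "no cipher match" for EXP as the good outcome. It uses only Python's standard `ssl` module; the function names are mine, and the cipher strings it probes are the ones the thread mentions.

```python
import ssl


def enabled_ciphers(cipher_string):
    """Ask the linked libssl which suites `cipher_string` enables.

    Raises ssl.SSLError ("No cipher can be selected") when nothing matches,
    which is the same outcome `openssl ciphers -v EXP` reports as
    "no cipher match" on an OpenSSL built without export suites.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()  # list of dicts: name, protocol, strength_bits, ...


def weak_ciphers(cipher_string, min_bits=128):
    """Names of enabled suites that are export grade (EXP-*) or weaker than
    `min_bits` of effective key strength; an empty list means the string is clean."""
    return sorted(c["name"] for c in enabled_ciphers(cipher_string)
                  if c["name"].startswith("EXP") or c["strength_bits"] < min_bits)


def export_ciphers_available():
    """True if libssl still knows any export suite (the 15.04 situation in the
    report); False once EXP matches nothing, as Seth saw on 16.04."""
    try:
        enabled_ciphers("EXP")
    except ssl.SSLError:
        return False
    return True


def report(cipher_strings):
    """Per cipher string: None for 'no cipher match', else the weak suites it would advertise."""
    result = {}
    for spec in cipher_strings:
        try:
            result[spec] = weak_ciphers(spec)
        except ssl.SSLError:
            result[spec] = None  # nothing matched at all
    return result


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    print("export suites available:", export_ciphers_available())
    # Cipher strings named in the thread: EXP itself, the broad aliases that
    # used to pull export suites in (ALL, DES, SHA), and the explicit !EXP exclusion.
    for spec, weak in report(["EXP", "ALL", "DES", "SHA", "ALL:!EXP", "DEFAULT"]).items():
        if weak is None:
            print(f"{spec:10} no cipher match")
        else:
            print(f"{spec:10} {len(weak)} weak suite(s): {', '.join(weak) or '-'}")
```

On any OpenSSL from 1.0.2 onwards the EXP probe reports "no cipher match"; what the ALL and DEFAULT rows flag depends on how the local libssl was built, which is exactly the per-system uncertainty the thread is about.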