[openssl-users] How to disable all EXPORT Ciphers?
Viktor Dukhovni
openssl-users at dukhovni.org
Tue Mar 10 10:53:40 UTC 2015
On Tue, Mar 10, 2015 at 08:44:57AM +0000, Christian Georg wrote:
> I understand that the downgrading of the ciphersuites is a bug in the
> library that should be patched. Doing this can however be difficult when
> talking about mobile apps that use OS Libraries. From my understanding
> the bug only works within the limit of ciphersuites permitted by both the
> client and the server.
That understanding is, I believe, wrong. Only the server needs to
support EXPORT ciphers. The client just needs a vulnerable library.
> Therefore my assumption is if the server side does only offer strong ciphers
> I do not have to worry too much about the ability to exploit the FREAK
> vulnerability e.g. in android clients.
Yes, if the server disables EXPORT ciphers the clients are safe
with *that* server, but will remain vulnerable with other servers.
The clients do need to be patched.
--
Viktor.
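The server-side half of this discussion, disabling EXPORT suites and confirming they are really gone, can be checked from a script. The following is an added example and is not code from the thread or from the OpenSSL project; it uses Python's `ssl` module, which drives whatever OpenSSL Python is linked against, so the set of ciphers it reports is that library's. The `weak_ciphers` heuristic (EXPORT-grade names begin with `EXP`, and anything below 128 bits of symmetric strength is flagged) and the 128-bit floor are assumptions made here, not something the thread specifies. Note that recent OpenSSL releases no longer build EXPORT suites at all, so on those the string `EXPORT` matches nothing and OpenSSL raises an error; the example treats that as "zero suites enabled", which is exactly the outcome a server operator wants to see.

```python
"""Audit an OpenSSL cipher string for EXPORT-grade and other weak suites.

Added example (not from the mailing-list thread). Everything here goes
through Python's ssl module, i.e. the OpenSSL library Python was built
against, so results reflect that library's cipher table.
"""
import ssl

# Assumed floor: suites negotiating fewer than 128 symmetric bits are
# reported as weak alongside EXPORT-grade suites (names beginning "EXP").
MIN_STRENGTH_BITS = 128


def selected_ciphers(spec):
    """Return the cipher dicts OpenSSL would enable for cipher string `spec`.

    OpenSSL raises when a cipher string matches no suite at all (for example
    "EXPORT" on a build without EXPORT support); that case returns [].
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    return ctx.get_ciphers()


def weak_ciphers(spec):
    """Names of suites enabled by `spec` that are EXPORT-grade or fall below
    MIN_STRENGTH_BITS. An empty list means the server config excludes them."""
    return [
        c["name"]
        for c in selected_ciphers(spec)
        if c["name"].startswith("EXP")
        or c.get("strength_bits", 0) < MIN_STRENGTH_BITS
    ]


def audit(spec):
    """Summarize a cipher string: how many suites it enables and which are weak."""
    enabled = selected_ciphers(spec)
    return {"spec": spec, "enabled": len(enabled), "weak": weak_ciphers(spec)}


if __name__ == "__main__":
    # A permissive string, a hardened string that explicitly drops EXPORT,
    # and the EXPORT alias on its own (expected to enable nothing on a
    # current library).
    for spec in ("DEFAULT", "HIGH:!aNULL:!EXPORT", "EXPORT"):
        print(audit(spec))
```

Run it against the exact cipher string the server is configured with; a non-empty `weak` list means the server still offers a suite that a FREAK-style downgrade could land on, while an empty list confirms, for that library, that the server side has done what this thread asks of it. As the reply above notes, that protects clients only against this server; unpatched client libraries stay exposed elsewhere.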