[openssl-dev] [openssl.org #4009] bug: Handling of SUITEB* ciphers does not match documentation
Wall, Stephen via RT
rt at openssl.org
Mon Aug 17 15:33:18 UTC 2015
The ciphers man page contains the following text in the description of the SUITEB cipher strings:
If used these cipherstrings[sic] should appear first in the cipher list and anything after them is ignored.
In actual fact, if anything appears after them, they are completely ignored. I.e., "SUITEB192:EXP" is identical to "EXP". Also, "SUITEB128:!NULL:!DES:!MD5" results in a cipher suite failure.
It is fairly trivial to make the code behave as documented; simply add a strncmp() to the relevant if statements in ssl.ciph.c [check_suiteb_cipher_list()], like so:
    if (!strcmp(*prule_str, "SUITEB128") ||
        !strncmp(*prule_str, "SUITEB128:", 10))
        suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;
    else ...
Please, do not change the documentation to match what the code is currently doing - some projects try to enforce better security by adding "!EXP:!NULL" or similar to the user-provided cipher string. Allowing "SUITEB128:!EXP:!NULL" will avoid special handling for Suite B in those cases.
Perhaps a better implementation would be to handle the SUITEB* ciphers more like the FIPS cipher, with names SSL_TXT_SUITEB128, SSL_TXT_SUITEB128ONLY, SSL_TXT_SUITEB192 defined, and algo_strength flags SSL_SUITEB128 and SSL_SUITEB192 defined.
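The prefix match proposed in the message, generalized to all three Suite B keywords, as an added example that is not part of the original post and is not OpenSSL code. The enum and the function name suiteb_prefix are hypothetical, and only ':' is treated as the separator, as in the snippet above.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for OpenSSL's SSL_CERT_FLAG_SUITEB_* values. */
enum suiteb_mode {
    SUITEB_NONE = 0,
    SUITEB_128,       /* "SUITEB128" */
    SUITEB_128_ONLY,  /* "SUITEB128ONLY" */
    SUITEB_192        /* "SUITEB192" */
};

/*
 * Recognize a Suite B keyword only at the start of the rule string, and
 * only when it is the whole string or is followed by ':'.
 * On a match, *rest points at the text after the separator (possibly
 * empty). On no match, *rest is the unchanged input.
 */
enum suiteb_mode suiteb_prefix(const char *rule, const char **rest)
{
    static const struct { const char *name; enum suiteb_mode mode; } kw[] = {
        { "SUITEB128ONLY", SUITEB_128_ONLY },
        { "SUITEB128",     SUITEB_128 },
        { "SUITEB192",     SUITEB_192 },
    };
    size_t i;

    *rest = rule;
    for (i = 0; i < sizeof(kw) / sizeof(kw[0]); i++) {
        size_t n = strlen(kw[i].name);

        if (strncmp(rule, kw[i].name, n) != 0)
            continue;
        if (rule[n] == '\0') {          /* keyword is the whole string */
            *rest = rule + n;
            return kw[i].mode;
        }
        if (rule[n] == ':') {           /* keyword followed by more rules */
            *rest = rule + n + 1;
            return kw[i].mode;
        }
        /* Longer token such as "SUITEB1280": not this keyword, keep looking. */
    }
    return SUITEB_NONE;
}
```

A string such as "EXP:SUITEB128" is deliberately not matched, since the man page requires the Suite B keyword to appear first.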