[openssl-users] How to disable all EXPORT Ciphers?

Viktor Dukhovni openssl-users at dukhovni.org
Mon Mar 9 16:46:45 UTC 2015


On Mon, Mar 09, 2015 at 02:23:53PM +0530, Deepak wrote:

> How do I disable all EXPORT Ciphers from OpenSSL?
> 
> Will the use of string "kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH"
> with SSL_CTX_set_cipher_list() be good enough to disable EXPORT40, 56 and 1024?

Note that doing so does not address the FREAK CVE in SSL clients.  Even
with EXPORT ciphers disabled they are still vulnerable, unless patched!

As for your proposed cipherlist it is too exotic.

    * ALL:!ADH is simply DEFAULT.  DEFAULT already prefers PFS (including
      ECDHE) and is sorted by strength.

    * DES is a subset of LOW

    * I would also disable SSLv2, which is a subset of MD5, so I generally
      disable that instead, which also drops SSLv3's RC4-MD5, leaving RC4-SHA
      for interop.  Note that for many applications RC4 is no longer supposed to
      be used; consider whether disabling RC4 is appropriate for you.

Therefore, I'd suggest:

	DEFAULT:!EXPORT:!LOW:!MD5

Which keeps things simple by starting with DEFAULT and removing
what you want to disable.

-- 
	Viktor.
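A way to verify what a cipher string actually enables on the OpenSSL your program links against, added here as an editor's example (not code from the thread or from the OpenSSL project). It uses Python's `ssl` module; the `is_weak` test is my own approximation of the EXPORT, LOW and MD5 aliases (an `EXP-` name prefix, 64-bit-or-weaker ciphers, and an MD5 MAC), and `openssl ciphers -v 'DEFAULT:!EXPORT:!LOW:!MD5'` remains the authoritative listing.

```python
import ssl

# Cipher string recommended in the reply above.
RECOMMENDED = "DEFAULT:!EXPORT:!LOW:!MD5"


def enabled_ciphers(cipher_string):
    """Ask the linked OpenSSL which suites a cipher string really enables.

    Each entry is a dict from SSLContext.get_ciphers() carrying at least
    'name', 'protocol', 'description' and 'strength_bits'.  Tokens OpenSSL
    no longer knows (EXPORT on builds without export suites) are ignored.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def is_weak(cipher):
    """Approximate the aliases the reply disables: EXPORT, LOW and MD5.

    - export suites are named EXP-* and their description ends in 'export'
    - LOW is OpenSSL's alias for 56/64-bit ciphers, hence strength_bits <= 64
    - MD5 matches suites whose MAC is MD5 ('Mac=MD5' in the description)
    These thresholds are the editor's approximation, not OpenSSL's own tables.
    """
    desc = cipher["description"]
    export = cipher["name"].startswith("EXP-") or desc.rstrip().endswith("export")
    low = cipher["strength_bits"] <= 64
    md5 = "Mac=MD5" in desc
    return export or low or md5


def weak_ciphers(cipher_string):
    """Names of suites a cipher string still enables that the reply wants gone."""
    return [c["name"] for c in enabled_ciphers(cipher_string) if is_weak(c)]


def audit(cipher_string):
    """Summarise a cipher string: suites enabled and which of them are weak."""
    enabled = enabled_ciphers(cipher_string)
    return {"enabled": len(enabled), "weak": [c["name"] for c in enabled if is_weak(c)]}


if __name__ == "__main__":
    # Compare the recommended string with the unrestricted ALL alias.
    for cs in (RECOMMENDED, "ALL"):
        print(cs, "->", audit(cs))
```

On a current OpenSSL the `weak` list for the recommended string should be empty; a non-empty list means the build still ships a suite the aliases did not remove.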