[openssl-users] How to disable all EXPORT Ciphers?

Viktor Dukhovni openssl-users at dukhovni.org
Tue Mar 10 10:53:40 UTC 2015

On Tue, Mar 10, 2015 at 08:44:57AM +0000, Christian Georg wrote:

> I understand that the downgrading of the ciphersuites is a bug in the
> library that should be patched. Doing this can however be dificult when
> talking about mobile apps that use OS Libraries.  From my understanding
> the bug only works within the limit of chipersuites permitted by both the
> client and the server.

That understanding is I believe wrong.  Only the server needs to
support EXPORT ciphers.  The client just needs a vulnerable library.

> Therefore my asumption is if the server side does only offer strong ciphers
> I do not have to worry too much about the ability to exploit the FREAK
> vulnerability e.g. in android clients.

Yes, if the server disables EXPORT ciphers the clients are safe
with *that* server, but will remain vulnerable with other servers.
The clients do need to be patched.


More information about the openssl-users mailing list