[openssl-users] How to disable all EXPORT Ciphers?
dthompson at prinpay.com
Tue Mar 10 21:07:47 UTC 2015
> From: openssl-users On Behalf Of Viktor Dukhovni
> Sent: Monday, March 09, 2015 12:47
> On Mon, Mar 09, 2015 at 02:23:53PM +0530, Deepak wrote:
> > "kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH"
> > with SSL_CTX_set_cipher_list() be good enough to disable EXPORT40, 56
> > and 1024?

You only need worry about the original exports retronymed EXPORT40.
EXPORT56 was a draft RFC that was not adopted, and the SSL_CIPHER
blocks still in source are disabled by a macro hardcoded in tls1.h (q.v.).
"EXP1024-blah" would be the names of the nonexistent EXPORT56 ciphers.

> Note that doing so does not address the FREAK CVE in SSL clients. Even
> with EXPORT ciphers disabled they are still vulnerable, unless patched!
> As for your proposed cipherlist it is too exotic.
> * ALL:!ADH is simply DEFAULT. DEFAULT already prefers PFS (including
> ECDHE) and is sorted by strength.

For 1.0.0+ DEFAULT is ALL:!aNULL:!eNULL:!SSLv2; !aNULL disables both
ADH and AECDH. (0.9.8 excludes all ECC, including AECDH, unless ECCdraft.)
!eNULL actually has no effect because ALL already excludes it; if you want
eNULL (you shouldn't) you need the absurd-looking COMPLEMENTOFALL.

> * DES is a subset of LOW

In fact DES is the only algorithm in LOW. (In math a set is a subset of
and also a superset of itself but laypeople often don't expect that.)

> * I would also disable SSLv2, which is a subset of MD5, so I generally
> disable that instead which also drops the SSLv3's RC4-MD5 leaving
> for interop. Note for many applications RC4 is no longer supposed
> to be used, consider whether disabling RC4 is appropriate for you.

And disabling SSLv2 *ciphers* has the good effect of disabling SSLv2
even if old or poor code calls SSLv23 and doesn't explicitly OP_NO_SSLv2.

> Therefore, I'd suggest:
> Which keeps things simple by starting with DEFAULT and removing
> what you want to disable.
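
An added example, not part of the original message or of OpenSSL: a Python check that expands a cipher string with the OpenSSL library Python is linked against and flags any resulting cipher in the classes discussed above (EXPORT, single DES, eNULL, aNULL, MD5, SSLv2). The sample lines and the function names `classify` and `audit` are constructed for illustration.

```python
import ssl

# Constructed sample lines in `openssl ciphers -v` format (not output from the thread).
SAMPLES = [
    "EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export",
    "AECDH-AES128-SHA SSLv3 Kx=ECDH Au=None Enc=AES(128) Mac=SHA1",
    "DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1",
    "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD",
]

def classify(description):
    """Return the weak classes discussed in the thread that one cipher line falls into."""
    fields = description.split()
    name, protocol, rest = fields[0], fields[1], fields[2:]
    attrs = dict(f.split("=", 1) for f in rest if "=" in f)
    labels = set()
    if "export" in rest or name.startswith("EXP"):
        labels.add("EXPORT")
    if attrs.get("Enc", "").startswith("DES("):   # single DES; 3DES reads "3DES(168)"
        labels.add("DES")
    if attrs.get("Enc") == "None":
        labels.add("eNULL")
    if attrs.get("Au") == "None":                 # covers both ADH and AECDH
        labels.add("aNULL")
    if attrs.get("Mac") == "MD5":
        labels.add("MD5")
    if protocol == "SSLv2":
        labels.add("SSLv2")
    return labels

def audit(cipher_string):
    """Expand cipher_string with the local OpenSSL and map flagged cipher names to labels."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no cipher matches
    flagged = {}
    for cipher in ctx.get_ciphers():
        labels = classify(cipher["description"])
        if labels:
            flagged[cipher["name"]] = sorted(labels)
    return flagged

if __name__ == "__main__":
    for line in SAMPLES:
        print(line.split()[0], sorted(classify(line)))
    for s in ("kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH",  # string asked about
              "ALL:!aNULL:!eNULL:!SSLv2"):                          # DEFAULT per the reply
        print(s, "->", audit(s) or "nothing flagged")
```

What `audit` reports depends on the OpenSSL build in use; a clean result says nothing about whether that build carries the FREAK fix mentioned above.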