Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 7 Jul 2014 14:05:56 +0200
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: default cipher suites in curl

On Mon, Jul 07, 2014 at 12:46:42PM +1000, Michael Samuel wrote:
> Hi,
> 
> On 2 July 2014 01:44, Marcus Meissner <meissner@...e.de> wrote:
> > Clients using the library could however set ciphers via
> > an option, but as it would work without, they might not have.
> 
> This will only happen when the server either doesn't support stronger
> ciphers or when the server requests it's cipher order be honoured and
> chooses export ciphers first.   An attacker can't trigger this with SSLv3
> or TLS.

I was more thinking of a man in the middle attack during the connection
setup.

> > Should it get a CVE?
> 
> If a weak cipher was negotiated, it's because the server preferred this and
> the client didn't care.  There's no trust boundary crossed.

" ... and the client did not care" is I think the point here.

curl in that form would accept all weak ciphers.

> An argument could be made that the clients would rather not establish a
> connection at all than negotiate a weak cipher.  Not sure if that counts for
> CVE or just hardening?

Thats my question here :)

> Either way, this is a workaround for an OpenSSL bug.

Ciao, Marcus

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ