Date: Tue, 04 Mar 2014 13:00:17 +0000 From: Daniel Kahn Gillmor <dkg@...thhorseman.net> To: oss-security@...ts.openwall.com Subject: Re: CVE Request?: konqueror - https uses all ciphers, even weak ones On 03/04/2014 12:28 PM, John Haxby wrote: > openssl s_client doesn’t report problems, but I wouldn’t expect it to. it should; its peers do: gnutls-cli demo.cmrg.net fails safely closed with: GnuTLS error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough). and (from libnss3-tools): tstclnt -h demo.cmrg.net fails safely closed with: tstclnt: read from socket failed: SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY: SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. > wget just downloads index.html without any issue. i also consider this a flaw in wget. i suspect you've got wget compiled against openssl, because for me (debian testing), wget fails safely closed with: GnuTLS: The Diffie-Hellman prime sent by the server is not acceptable (not long enough). Unable to establish SSL connection. while curl (built against OpenSSL) accepts the insecure connection and proceeds (even leaking cookie information across the weak connection if i ask it to send cookies). fwiw, i reported this problem on the openssl-dev mailing list back in november, following private discussion with openssl upstream.: http://marc.info/?l=openssl-dev&m=138386738312983&w=2 Regards, --dkg Download attachment "signature.asc" of type "application/pgp-signature" (1011 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.