Date: Mon, 7 Jul 2014 14:05:56 +0200 From: Marcus Meissner <meissner@...e.de> To: oss-security@...ts.openwall.com Subject: Re: default cipher suites in curl On Mon, Jul 07, 2014 at 12:46:42PM +1000, Michael Samuel wrote: > Hi, > > On 2 July 2014 01:44, Marcus Meissner <meissner@...e.de> wrote: > > Clients using the library could however set ciphers via > > an option, but as it would work without, they might not have. > > This will only happen when the server either doesn't support stronger > ciphers or when the server requests it's cipher order be honoured and > chooses export ciphers first. An attacker can't trigger this with SSLv3 > or TLS. I was more thinking of a man in the middle attack during the connection setup. > > Should it get a CVE? > > If a weak cipher was negotiated, it's because the server preferred this and > the client didn't care. There's no trust boundary crossed. " ... and the client did not care" is I think the point here. curl in that form would accept all weak ciphers. > An argument could be made that the clients would rather not establish a > connection at all than negotiate a weak cipher. Not sure if that counts for > CVE or just hardening? Thats my question here :) > Either way, this is a workaround for an OpenSSL bug. Ciao, Marcus
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.