bug-wget

Re: [Bug-wget] SSL Poodle attack


From: Daniel Stenberg
Subject: Re: [Bug-wget] SSL Poodle attack
Date: Wed, 15 Oct 2014 23:37:13 +0200 (CEST)
User-agent: Alpine 2.00 (DEB 1167 2008-08-23)

On Wed, 15 Oct 2014, Daniel Kahn Gillmor wrote:

> (e.g. [for OpenSSL] if the system default is always explicitly referenced as DEFAULT and we decide that we never want wget to use RC4, then DEFAULT:-RC4 is a sensible approach, because it allows OpenSSL to update DEFAULT and wget gains those improvements automatically)

I disagree. OpenSSL is but a TLS library that provides functionality - and it does so rather conservatively in my view. It does not necessarily set the security standard for what applications should aim for in a good manner.

SSL_DEFAULT_CIPHER_LIST for OpenSSL in my debian unstable (== fairly recent version 1.0.1i) says "ALL:!aNULL:!eNULL:!SSLv2".

That means it allows EXPORT40, EXPORT56 and LOW for example (if I'm not missing something), in addition to RC4. Those are terribly weak ciphers.

OpenSSL ciphers list is at https://www.openssl.org/docs/apps/ciphers.html

--

 / daniel.haxx.se
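The disagreement above is about what a cipher string such as DEFAULT or DEFAULT:-RC4 actually expands to on a given OpenSSL. The script below is an added example, not code from this thread or from wget: it asks the OpenSSL that Python's ssl module is linked against to expand a cipher string and then flags suites from the families the message names (EXPORT, LOW, RC4, plus the NULL/anonymous ones DEFAULT already excludes). The classify() name-matching rules are a constructed heuristic on OpenSSL suite names, not an OpenSSL API. Note that recent OpenSSL builds apply a security level that already drops export and RC4 suites before you see them, so the same DEFAULT string will look cleaner here than it did on the 1.0.1i quoted above; appending `:@SECLEVEL=0` (OpenSSL 1.1.0 and later) shows the unfiltered expansion.

```python
import ssl
from typing import Dict, List, Optional


def classify(name: str) -> Optional[str]:
    """Map an OpenSSL cipher-suite name to a weak family, or None if not flagged.

    Constructed heuristic on OpenSSL's naming conventions:
      EXP- / EXP1024-  -> EXPORT (40/56-bit)
      DES-CBC- (not DES-CBC3-) -> LOW (single DES); 3DES is deliberately not flagged
      RC4 anywhere     -> RC4
      NULL             -> eNULL (no encryption)
      ADH / AECDH      -> aNULL (no authentication)
    """
    if "NULL" in name:
        return "eNULL"
    if "ADH" in name or "AECDH" in name:
        return "aNULL"
    if "EXP" in name:
        return "EXPORT"
    if "RC4" in name:
        return "RC4"
    if "DES-CBC-" in name and "DES-CBC3" not in name:
        return "LOW"
    return None


def expand(cipher_string: str) -> List[str]:
    """Return the suite names this system's OpenSSL selects for cipher_string.

    ssl.SSLContext.set_ciphers() hands the string to SSL_CTX_set_cipher_list;
    it raises ssl.SSLError if nothing matches. get_ciphers() returns the
    resulting stack (TLS 1.3 suites are included on libraries that have them).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def audit(cipher_string: str) -> Dict[str, object]:
    """Expand cipher_string and group the weak suites it still contains by family."""
    names = expand(cipher_string)
    weak: Dict[str, List[str]] = {}
    for n in names:
        family = classify(n)
        if family is not None:
            weak.setdefault(family, []).append(n)
    return {"string": cipher_string, "total": len(names), "weak": weak}


def report(cipher_strings: List[str]) -> None:
    print("OpenSSL in use:", ssl.OPENSSL_VERSION)
    for s in cipher_strings:
        try:
            result = audit(s)
        except ssl.SSLError as exc:
            print(f"{s!r}: rejected by OpenSSL ({exc})")
            continue
        print(f"{s!r}: {result['total']} suites")
        for family, suites in sorted(result["weak"].items()):
            print(f"  {family:7s} {len(suites):3d}  e.g. {suites[0]}")


if __name__ == "__main__":
    report([
        # What the thread quotes as SSL_DEFAULT_CIPHER_LIST on 1.0.1i:
        "ALL:!aNULL:!eNULL:!SSLv2",
        # The library alias for the same thing, and the proposal under discussion:
        "DEFAULT",
        "DEFAULT:-RC4",
        # '-' removes but a later rule can re-add; '!' removes for good:
        "DEFAULT:-RC4:RC4",
        "DEFAULT:!RC4:RC4",
        # An application-chosen list that drops every family named above:
        "HIGH:!aNULL:!eNULL:!RC4:!EXPORT:!LOW",
    ])
```

The last two DEFAULT lines are the practical difference between `-RC4` and `!RC4`: a `-` exclusion can be undone by a later rule in the same string, a `!` exclusion cannot, which matters when the string is assembled from pieces.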


