[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] cipher_list string when using OpenSSL

From: Jeffrey Walton
Subject: Re: [Bug-wget] cipher_list string when using OpenSSL
Date: Thu, 19 Oct 2017 04:02:53 -0400

I think this is the change that would facilitate the cipher_list
discussed below:

--- a/src/openssl.c
+++ b/src/openssl.c
@@ -267,13 +267,42 @@ ssl_init (void)

   /* OpenSSL ciphers: https://www.openssl.org/docs/apps/ciphers.html
    * Since we want a good protection, we also use HIGH (that excludes
MD4 ciphers and some more)
+   * !kRSA removes RSA key exchange (i.e., key transport), but allows
RSA digital signatures.
+   * With RSA key exchange removed, only key agreement schemes remain
(i.e., PFS schemes).
   if (opt.secure_protocol == secure_protocol_pfs)
-    SSL_CTX_set_cipher_list (ssl_ctx,
+    SSL_CTX_set_cipher_list (ssl_ctx, "HIGH:!aNULL:!kRSA:!RC4:!MD5:!SRP:!PSK");
+  else
+    SSL_CTX_set_cipher_list (ssl_ctx, "HIGH:!aNULL:!RC4:!MD5:!SRP:!PSK");


On Wed, Oct 18, 2017 at 6:57 PM, Jeffrey Walton <address@hidden> wrote:
> Hi Everyone,
> I believe this has some room for improvement (from src/openssl.c):
>     "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:address@hidden"
> I think it would be a good idea to provide a `--cipher_list` option to
> allow the user to specify it. It might also be prudent to allow the
> string to be specified in `.wgetrc`.
> Regarding the default string, its 2017, and this is probably closer to
> what should be used by default:
>     "HIGH:!aNULL:!RC4:!MD5:!SRP:!PSK:!kRSA"
> The "!kRSA" means RSA cannot be used for key exchange (i.e., RSA key
> transport), but can be used for digital signatures. MD5 is probably
> another algorithm that should be sunsetted at this point in time
> (though I am not aware of a HMAC/MD5 attack that can be carried out in
> TCP's 2MSL re-transmit time frame).
> I use the same cipher_list on the servers under my control. I've never
> received a complaint from them. They cipher_list also helps get one of
> those A+ reports from the various SSL scanners.
> Jeff

reply via email to

[Prev in Thread] Current Thread [Next in Thread]