Re: [Bug-wget] cipher_list string when using OpenSSL
From: Jeffrey Walton
Subject: Re: [Bug-wget] cipher_list string when using OpenSSL
Date: Thu, 19 Oct 2017 04:02:53 -0400
I think this is the change that would facilitate the cipher_list
discussed below:
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -267,13 +267,42 @@ ssl_init (void)
/* OpenSSL ciphers: https://www.openssl.org/docs/apps/ciphers.html
* Since we want a good protection, we also use HIGH (that excludes
MD4 ciphers and some more)
+ * !kRSA removes RSA key exchange (i.e., key transport), but allows
RSA digital signatures.
+ * With RSA key exchange removed, only key agreement schemes remain
(i.e., PFS schemes).
*/
if (opt.secure_protocol == secure_protocol_pfs)
- SSL_CTX_set_cipher_list (ssl_ctx,
"HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:address@hidden");
+ SSL_CTX_set_cipher_list (ssl_ctx, "HIGH:!aNULL:!kRSA:!RC4:!MD5:!SRP:!PSK");
+ else
+ SSL_CTX_set_cipher_list (ssl_ctx, "HIGH:!aNULL:!RC4:!MD5:!SRP:!PSK");
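Review bot: Neither SSL_CTX_set_cipher_list call in the new if/else checks its return value. The function returns 0 when no cipher could be selected, so a failure in the secure_protocol_pfs branch would go unnoticed; check the result in both branches and make ssl_init fail when it is 0. The added else branch also gives every non-PFS protocol setting an explicit list where the visible code set none before, which deserves a line in the commit message and the manual. In the added comment, "only key agreement schemes remain (i.e., PFS schemes)" overstates the case on OpenSSL builds that still ship static DH/ECDH suites, which are key agreement without forward secrecy; reword the comment or exclude those suites explicitly.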
Jeff
On Wed, Oct 18, 2017 at 6:57 PM, Jeffrey Walton <address@hidden> wrote:
> Hi Everyone,
>
> I believe this has some room for improvement (from src/openssl.c):
>
> "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:address@hidden"
>
> I think it would be a good idea to provide a `--cipher_list` option to
> allow the user to specify it. It might also be prudent to allow the
> string to be specified in `.wgetrc`.
>
> Regarding the default string, it's 2017, and this is probably closer to
> what should be used by default:
>
> "HIGH:!aNULL:!RC4:!MD5:!SRP:!PSK:!kRSA"
>
> The "!kRSA" means RSA cannot be used for key exchange (i.e., RSA key
> transport), but can be used for digital signatures. MD5 is probably
> another algorithm that should be sunsetted at this point in time
> (though I am not aware of an HMAC/MD5 attack that can be carried out in
> TCP's 2MSL re-transmit time frame).
>
> I use the same cipher_list on the servers under my control. I've never
> received a complaint from them. The cipher_list also helps get one of
> those A+ reports from the various SSL scanners.
>
> Jeff
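
The effect of `!kRSA` described in the quoted message can be checked against the local OpenSSL build. The following is an added example, not part of the thread or of wget: it expands the two cipher strings from the patch with Python's `ssl` module and reports which suites `!kRSA` removes and which RSA-signed suites remain. It assumes Python is linked against OpenSSL 1.1.0 or later (needed for the `kea` and `auth` fields); the function names are illustrative.

```python
import ssl

# Cipher strings taken from the patch in this message.
DEFAULT_LIST = "HIGH:!aNULL:!RC4:!MD5:!SRP:!PSK"      # else branch
PFS_LIST = "HIGH:!aNULL:!kRSA:!RC4:!MD5:!SRP:!PSK"    # secure_protocol_pfs


def expand(cipher_list):
    """Return the suites the local OpenSSL selects for cipher_list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def rsa_key_transport(suites):
    """Names of suites whose key exchange is RSA key transport."""
    return sorted(s["name"] for s in suites if s.get("kea") == "kx-rsa")


def rsa_signed(suites):
    """Names of suites that authenticate the server with an RSA signature."""
    return sorted(s["name"] for s in suites if s.get("auth") == "auth-rsa")


def removed_by_krsa():
    """Suites selected by DEFAULT_LIST that PFS_LIST no longer selects."""
    default = {s["name"] for s in expand(DEFAULT_LIST)}
    pfs = {s["name"] for s in expand(PFS_LIST)}
    return sorted(default - pfs)


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    print("removed by !kRSA:")
    for name in removed_by_krsa():
        print("  ", name)
    print("RSA-signed suites still offered:")
    for name in rsa_signed(expand(PFS_LIST)):
        print("  ", name)
    # TLS 1.3 suites are not controlled by this string and report kx-any.
    kinds = sorted({s.get("kea") for s in expand(PFS_LIST)})
    print("key exchange types left:", kinds)
```

The last line of output lists the key exchange types that survive, which is where a static (non-ephemeral) DH or ECDH suite would show up on an older OpenSSL build.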