Re: [TLS] The risk of misconfiguration
Viktor Dukhovni <viktor1dane@dukhovni.org> Tue, 06 May 2014 23:30 UTC
Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D13A1A0662 for <tls@ietfa.amsl.com>; Tue, 6 May 2014 16:30:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.7
X-Spam-Level:
X-Spam-Status: No, score=-0.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_22=0.6, J_CHICKENPOX_24=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MOiybh17yf2l for <tls@ietfa.amsl.com>; Tue, 6 May 2014 16:30:11 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) by ietfa.amsl.com (Postfix) with ESMTP id 42CB61A0643 for <tls@ietf.org>; Tue, 6 May 2014 16:30:11 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id E2BF02AA9FF; Tue, 6 May 2014 23:30:05 +0000 (UTC)
Date: Tue, 06 May 2014 23:30:05 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20140506233005.GF27883@mournblade.imrryr.org>
References: <CACsn0cnvV9c5aH5p8cD1fJEzF4dmNXBaEaHCfkX82AZqKOUYaQ@mail.gmail.com> <53692FC2.1060009@akr.io> <8b505f49d3f846ddac8b26964e330622@BL2PR03MB419.namprd03.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <8b505f49d3f846ddac8b26964e330622@BL2PR03MB419.namprd03.prod.outlook.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/NlQzYHQjLJC8kcz-T0OMvPe6Tx4
Subject: Re: [TLS] The risk of misconfiguration
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 May 2014 23:30:12 -0000
On Tue, May 06, 2014 at 10:48:46PM +0000, Andrei Popov wrote: > I have nothing to say in support of the EXPORT ciphers:) Yes, and throw in LOW as well: EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1 ADH-DES-CBC-SHA SSLv3 Kx=DH Au=None Enc=DES(56) Mac=SHA1 DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 These (EXPORT and LOW) fortunately seem to have some time ago outlived their useful life. They can I think be disabled, rather than offered at the bottom of the client cipherlist, without degrading even opportunistic security where handshake-failure leads to cleartext fallback. This would leave OpenSSL with eNULL, MEDIUM and HIGH. HIGH includes 3DES, presumably in part because this is a historical MUST implement for interoperability cipher-suite. In practice that role was and to some extent still is actually played by RC4. -- Viktor.
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Watson Ladd
- [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Alyssa Rowan
- Re: [TLS] The risk of misconfiguration James Cloos
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Andrei Popov
- Re: [TLS] The risk of misconfiguration Alyssa Rowan
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Ralph Holz
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Fedor Brunner
- Re: [TLS] The risk of misconfiguration Nikos Mavrogiannopoulos
- Re: [TLS] The risk of misconfiguration Warren Kumari
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Michael D'Errico
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Michael D'Errico
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Alyssa Rowan
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] Fingerprinting weaknesses (was: The ris… Alyssa Rowan
- Re: [TLS] Fingerprinting weaknesses (was: The ris… Salz, Rich
- Re: [TLS] The risk of misconfiguration Alyssa Rowan
- Re: [TLS] Fingerprinting weaknesses (was: The ris… Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] Fingerprinting weaknesses (was: The ris… Nico Williams
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] Fingerprinting weaknesses (was: The ris… Watson Ladd
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] Fingerprinting weaknesses (was: The ris… Nico Williams
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Salz, Rich
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Manuel Pégourié-Gonnard
- Re: [TLS] The risk of misconfiguration Yoav Nir
- Re: [TLS] The risk of misconfiguration Salz, Rich
- Re: [TLS] The risk of misconfiguration Martin Rex
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Martin Thomson
- Re: [TLS] The risk of misconfiguration Stephen Farrell
- Re: [TLS] The risk of misconfiguration Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] The risk of misconfiguration Manuel Pégourié-Gonnard
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Russ Housley
- Re: [TLS] The risk of misconfiguration Bill Frantz
- Re: [TLS] The risk of misconfiguration Michael D'Errico
- Re: [TLS] The risk of misconfiguration Daniel Kahn Gillmor
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration (Muphry's … Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Stephen Farrell
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni