IETF Logo Mail Archive

Re: [TLS] The risk of misconfiguration

Nikos Mavrogiannopoulos <nmav@redhat.com> Wed, 07 May 2014 07:18 UTC

Return-Path: <nmav@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A87A1A028B for <tls@ietfa.amsl.com>; Wed, 7 May 2014 00:18:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.553
X-Spam-Level:
X-Spam-Status: No, score=-7.553 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.651, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kgST86uFJ2JY for <tls@ietfa.amsl.com>; Wed, 7 May 2014 00:18:49 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by ietfa.amsl.com (Postfix) with ESMTP id 3933D1A016D for <tls@ietf.org>; Wed, 7 May 2014 00:18:49 -0700 (PDT)
Received: from int-mx01.intmail.prod.int.phx2.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s477Ii93026798 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 7 May 2014 03:18:44 -0400
Received: from [10.34.2.127] (dhcp-2-127.brq.redhat.com [10.34.2.127]) by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id s476e5ls017785 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Wed, 7 May 2014 02:40:06 -0400
Message-ID: <1399444804.30930.61.camel@dhcp-2-127.brq.redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: Watson Ladd <watsonbladd@gmail.com>
Date: Wed, 07 May 2014 08:40:04 +0200
In-Reply-To: <CACsn0cnvV9c5aH5p8cD1fJEzF4dmNXBaEaHCfkX82AZqKOUYaQ@mail.gmail.com>
References: <CACsn0cnvV9c5aH5p8cD1fJEzF4dmNXBaEaHCfkX82AZqKOUYaQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.11
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/k4ZhfH9lnmnughK-vDkiZ4BomZo
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] The risk of misconfiguration
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 May 2014 07:18:50 -0000

On Tue, 2014-05-06 at 11:48 -0700, Watson Ladd wrote:

> I've sort of singled out OpenSSL here. PolarSSL uses compile-time
> configuration, which in some circumstances doesn't work, but it at
> least provides a somewhat sensible configuration depending on how you
> build it.I've not looked at GnuTLS yet, or cryptlib.
[...]
> Actually configuring OpenSSL to do something reasonable requires
> writing something like
> EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5.
> Good luck coming up with that when you are overly busy, don't realize
> that asking for high security doesn't actually do what you want, and
> don't know anything about crypto.

Just because you saw a red car you cannot infer that all cars are red.
As you describe it this clearly looks like an openssl problem and you
need to report to the openssl developers, not this list.

regards,
Nikos

v2.23.0 | Report a Bug | By Email