Bug#770399: libio-socket-ssl-perl: Crappy default cipher list
Kurt Roeckx
kurt at roeckx.be
Thu Nov 20 23:22:34 UTC 2014
Package: libio-socket-ssl-perl
Version: 2.002-1
Severity: important
Hi,
I was just looking at why lwp is behaving with https like it is,
and it seems the cipher list being set up is really crappy.
It contains:
============
# global defaults
my %DEFAULT_SSL_ARGS = (
    SSL_check_crl => 0,
    SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken
    SSL_verify_callback => undef,
    SSL_verifycn_scheme => undef, # fallback cn verification
    SSL_verifycn_publicsuffix => undef, # fallback default list verification
    #SSL_verifycn_name => undef, # use from PeerAddr/PeerHost - do not override in set_args_filter_hack 'use_defaults'
    SSL_npn_protocols => undef, # meaning depends whether on server or client side
    SSL_cipher_list =>
        'EECDH+AESGCM+ECDSA EECDH+AESGCM EECDH+ECDSA +AES256 EECDH EDH+AESGCM '.
        'EDH ALL +SHA +3DES +RC4 !LOW !EXP !eNULL !aNULL !DES !MD5 !PSK !SRP',
);

my %DEFAULT_SSL_CLIENT_ARGS = (
    %DEFAULT_SSL_ARGS,
    SSL_verify_mode => SSL_VERIFY_PEER,
    SSL_ca_file => undef,
    SSL_ca_path => undef,

    # older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes
    # http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html
    # http://guest:guest@rt.openssl.org/Ticket/Display.html?id=2771
    # Debian works around this by disabling TLSv1_2 on the client side
    # Chrome and IE11 use TLSv1_2 but use only a few ciphers, so that packet
    # stays small enough
    # The following list is taken from IE11, except that we don't do RC4-MD5,
    # RC4-SHA is already bad enough. Also, we have a different sort order
    # compared to IE11, because we put ciphers supporting forward secrecy on top
    SSL_cipher_list => join(" ",
        qw(
            ECDHE-ECDSA-AES128-GCM-SHA256
            ECDHE-ECDSA-AES128-SHA256
            ECDHE-ECDSA-AES256-GCM-SHA384
            ECDHE-ECDSA-AES256-SHA384
            ECDHE-ECDSA-AES128-SHA
            ECDHE-ECDSA-AES256-SHA
            ECDHE-RSA-AES128-SHA256
            ECDHE-RSA-AES128-SHA
            ECDHE-RSA-AES256-SHA
            DHE-DSS-AES128-SHA256
            DHE-DSS-AES128-SHA
            DHE-DSS-AES256-SHA256
            DHE-DSS-AES256-SHA
            AES128-SHA256
            AES128-SHA
            AES256-SHA256
            AES256-SHA
            EDH-DSS-DES-CBC3-SHA
            DES-CBC3-SHA
            RC4-SHA
        ),
        # just to make sure that we don't accidentally add bad ciphers above
        "!EXP !LOW !eNULL !aNULL !DES !MD5 !PSK !SRP"
    )
);
==========
I have no idea who selected those ciphers, but that list doesn't
make any sense. For instance it doesn't contain any DHE ciphers
except DSS ciphers which nobody uses.
OpenSSL in Debian also has never disabled TLSv1.2 in either the
client or server. Ubuntu did disable it by default I think. This
255 byte limit thing is also being worked around by having an
option that sends more than 512 bytes.
If you really want to specify some cipher list, can I suggest you
either go for something as simple as:
ALL:!eNULL:!aNULL:!EXPORT:!LOW:!PSK:!SRP:!kDH:+RC4
or go with one of the suggestions from bettercrypto.org.
Kurt
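An added example, not part of the bug report and not IO::Socket::SSL code, that audits the IE11-derived client list quoted above the way the report does: it splits each OpenSSL suite name into key exchange, authentication, cipher and MAC, flags the suites a reviewer would object to (no forward secrecy, RC4, 3DES, DSS authentication), and confirms the report's observation that the list has no DHE-RSA suites. The suite list is a constructed copy of the one in the report; the name-splitting rules are the conventional reading of OpenSSL suite names, not an OpenSSL API. The last function uses Python's `ssl` module to ask the linked OpenSSL what the suggested `ALL:...` string actually expands to, since that expansion changes from build to build.

```python
"""Audit an OpenSSL-style cipher suite list of the kind quoted in the bug report."""
import ssl

# Constructed: copy of the client-side list quoted from IO::Socket::SSL 2.002.
IE11_DERIVED_LIST = (
    "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 "
    "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 "
    "ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA "
    "ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA "
    "DHE-DSS-AES128-SHA256 DHE-DSS-AES128-SHA "
    "DHE-DSS-AES256-SHA256 DHE-DSS-AES256-SHA "
    "AES128-SHA256 AES128-SHA AES256-SHA256 AES256-SHA "
    "EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA RC4-SHA"
).split()

# The replacement string suggested in the report, verbatim.
SUGGESTED = "ALL:!eNULL:!aNULL:!EXPORT:!LOW:!PSK:!SRP:!kDH:+RC4"


def classify(suite):
    """Split an OpenSSL suite name into key exchange, authentication, cipher and MAC.

    OpenSSL omits the key-exchange prefix for plain RSA key transport, so a name
    like AES128-SHA means RSA kex + RSA auth, i.e. no forward secrecy.
    """
    parts = suite.split("-")
    kex, auth = "RSA", "RSA"
    if parts[0] in ("ECDHE", "DHE", "EDH"):
        kex = "ECDHE" if parts[0] == "ECDHE" else "DHE"
        auth = parts[1]              # RSA, ECDSA or DSS
        parts = parts[2:]
    return {
        "kex": kex,
        "auth": auth,
        "cipher": "-".join(parts[:-1]),  # e.g. AES128-GCM, DES-CBC3, RC4
        "mac": parts[-1],                # SHA, SHA256, SHA384 (the PRF for AEAD suites)
        "fs": kex in ("ECDHE", "DHE"),   # ephemeral DH gives forward secrecy
    }


def weaknesses(info):
    """Return the reasons a classified suite would be flagged in a review."""
    reasons = []
    if not info["fs"]:
        reasons.append("no forward secrecy")
    if info["cipher"] == "RC4":
        reasons.append("RC4")
    if info["cipher"] == "DES-CBC3":
        reasons.append("3DES")
    if info["mac"] == "MD5":
        reasons.append("MD5")
    if info["auth"] == "DSS":
        reasons.append("DSS authentication (rarely deployed)")
    return reasons


def audit(suites):
    """Summarise a suite list: FS coverage, DHE-RSA presence, per-suite objections."""
    infos = {s: classify(s) for s in suites}
    weak = {}
    for suite, info in infos.items():
        why = weaknesses(info)
        if why:
            weak[suite] = why
    return {
        "total": len(suites),
        "forward_secrecy": sum(1 for i in infos.values() if i["fs"]),
        "dhe_rsa_present": any(i["kex"] == "DHE" and i["auth"] == "RSA"
                               for i in infos.values()),
        "weak": weak,
    }


def expand_with_openssl(cipher_string):
    """Ask the linked OpenSSL which suites a cipher string really selects.

    The answer depends on the OpenSSL build (newer builds drop RC4, DSS and 3DES
    and add TLS 1.3 suites; unknown keywords such as kDH are skipped), which is
    why the expansion should be checked rather than assumed. Returns [] if the
    string selects nothing at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    report = audit(IE11_DERIVED_LIST)
    print(f"{report['forward_secrecy']}/{report['total']} suites offer forward secrecy")
    print("DHE-RSA present:", report["dhe_rsa_present"])
    for suite, why in report["weak"].items():
        print(f"  {suite}: {', '.join(why)}")
    print("OpenSSL expands the suggested string to:", expand_with_openssl(SUGGESTED))
```

Running it shows 14 of the 20 suites with forward secrecy, no DHE-RSA suite at all, and RC4-SHA and DES-CBC3-SHA flagged on two counts each; the final line is the check worth repeating on any machine where this default is deployed, because the same string selects different suites against different OpenSSL versions.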