Bug#770399: libio-socket-ssl-perl: Crappy default cipher list

Kurt Roeckx kurt at roeckx.be
Thu Nov 20 23:22:34 UTC 2014


Package: libio-socket-ssl-perl
Version: 2.002-1
Severity: important

Hi,

I was just looking at why lwp is behaving with https like it is,
and it seems the cipher list being set up is really crappy.

It contains:
============
# global defaults
my %DEFAULT_SSL_ARGS = (
    SSL_check_crl => 0,
    SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken
    SSL_verify_callback => undef,
    SSL_verifycn_scheme => undef,  # fallback cn verification
    SSL_verifycn_publicsuffix => undef,  # fallback default list verification
    #SSL_verifycn_name => undef,   # use from PeerAddr/PeerHost - do not override in set_args_filter_hack 'use_defaults'
    SSL_npn_protocols => undef,    # meaning depends whether on server or client side
    SSL_cipher_list =>
        'EECDH+AESGCM+ECDSA EECDH+AESGCM EECDH+ECDSA +AES256 EECDH EDH+AESGCM '.
        'EDH ALL +SHA +3DES +RC4 !LOW !EXP !eNULL !aNULL !DES !MD5 !PSK !SRP',
);

my %DEFAULT_SSL_CLIENT_ARGS = (
    %DEFAULT_SSL_ARGS,
    SSL_verify_mode => SSL_VERIFY_PEER,

    SSL_ca_file => undef,
    SSL_ca_path => undef,

    # older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes
    # http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html
    # http://guest:guest@rt.openssl.org/Ticket/Display.html?id=2771
    # Debian works around this by disabling TLSv1_2 on the client side
    # Chrome and IE11 use TLSv1_2 but use only a few ciphers, so that packet
    # stays small enough
    # The following list is taken from IE11, except that we don't do RC4-MD5,
    # RC4-SHA is already bad enough. Also, we have a different sort order
    # compared to IE11, because we put ciphers supporting forward secrecy on top

    SSL_cipher_list => join(" ",
        qw(
            ECDHE-ECDSA-AES128-GCM-SHA256
            ECDHE-ECDSA-AES128-SHA256
            ECDHE-ECDSA-AES256-GCM-SHA384
            ECDHE-ECDSA-AES256-SHA384
            ECDHE-ECDSA-AES128-SHA
            ECDHE-ECDSA-AES256-SHA
            ECDHE-RSA-AES128-SHA256
            ECDHE-RSA-AES128-SHA
            ECDHE-RSA-AES256-SHA
            DHE-DSS-AES128-SHA256
            DHE-DSS-AES128-SHA
            DHE-DSS-AES256-SHA256
            DHE-DSS-AES256-SHA
            AES128-SHA256
            AES128-SHA
            AES256-SHA256
            AES256-SHA
            EDH-DSS-DES-CBC3-SHA
            DES-CBC3-SHA
            RC4-SHA
        ),
        # just to make sure that we don't accidentally add bad ciphers above
        "!EXP !LOW !eNULL !aNULL !DES !MD5 !PSK !SRP"
    )
);
==========

I have no idea who selected those ciphers, but that list doesn't
make any sense.  For instance, it doesn't contain any DHE ciphers
except DSS ciphers, which nobody uses.

OpenSSL in Debian also has never disabled TLSv1.2 in either the
client or the server.  Ubuntu did disable it by default, I think.  This
255-byte limit thing is also being worked around by having an
option that sends more than 512 bytes.

If you really want to specify some cipher list, can I suggest you
either go for something as simple as:
ALL:!eNULL:!aNULL:!EXPORT:!LOW:!PSK:!SRP:!kDH:+RC4

Or go with one of the suggestions from bettercrypto.org.


Kurt
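A way to check claims like the ones in this report without reading the cipher list by hand, as an added example that is not part of the bug report and not code from IO::Socket::SSL: Python's ssl module binds the system OpenSSL, so `SSLContext.set_ciphers()` followed by `get_ciphers()` expands a cipher string into the suites OpenSSL would actually offer, in negotiation order, with the key-exchange and authentication algorithm of each. The two cipher strings below are copied from the report; the audit fields (`no_forward_secrecy`, `dhe_rsa`, `rc4`, ...) are names chosen for this example. Which suites come back depends on the OpenSSL version and security level the interpreter is linked against (modern builds no longer ship RC4 or export suites at all, and OpenSSL skips list entries it does not recognise, so `!kDH`, which refers to the static-DH suites removed in OpenSSL 1.1.0, is harmless there). TLS 1.3 suites are not governed by the cipher string and are filtered out so the audit only reports on what the string controls.

```python
"""Expand OpenSSL cipher strings with the ssl module and audit the result.

Added example, not from the bug report or IO::Socket::SSL. Results depend on
the OpenSSL build that Python's ssl module is linked against.
"""
import ssl

# Cipher strings quoted in the bug report: the library's IE11-derived client
# list (space-separated, as in the Perl source) and the reporter's suggestion.
LIBRARY_CLIENT_LIST = " ".join([
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
    "DHE-DSS-AES128-SHA256", "DHE-DSS-AES128-SHA",
    "DHE-DSS-AES256-SHA256", "DHE-DSS-AES256-SHA",
    "AES128-SHA256", "AES128-SHA", "AES256-SHA256", "AES256-SHA",
    "EDH-DSS-DES-CBC3-SHA", "DES-CBC3-SHA", "RC4-SHA",
    "!EXP !LOW !eNULL !aNULL !DES !MD5 !PSK !SRP",
])
SUGGESTED_LIST = "ALL:!eNULL:!aNULL:!EXPORT:!LOW:!PSK:!SRP:!kDH:+RC4"


def expand_cipher_string(spec):
    """Return the suites OpenSSL selects for `spec`, in negotiation order.

    OpenSSL accepts ':', ',' or whitespace between entries; normalising to ':'
    lets the library's space-separated list pass through unchanged.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # set_ciphers() raises ssl.SSLError when no suite at all matches.
    ctx.set_ciphers(":".join(spec.split()))
    # TLS 1.3 suites are fixed and not controlled by the cipher string.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def _symmetric(c):
    # OpenSSL's long name for the bulk cipher, e.g. "aes-128-gcm", "rc4",
    # "des-ede3-cbc"; None for suites without one.
    return (c.get("symmetric") or "").lower()


def audit_cipher_list(ciphers):
    """Summarise the properties the bug report argues about.

    `kea` is the key-exchange NID name ("kx-ecdhe", "kx-dhe", "kx-rsa", ...),
    `auth` the authentication NID name ("auth-rsa", "auth-dss", "auth-null").
    """
    def names(pred):
        return [c["name"] for c in ciphers if pred(c)]

    return {
        "count": len(ciphers),
        "ecdhe_rsa": names(lambda c: c["kea"] == "kx-ecdhe" and c["auth"] == "auth-rsa"),
        "dhe_rsa": names(lambda c: c["kea"] == "kx-dhe" and c["auth"] == "auth-rsa"),
        "dhe_dss": names(lambda c: c["kea"] == "kx-dhe" and c["auth"] == "auth-dss"),
        # Plain RSA key transport and anything else without (EC)DHE.
        "no_forward_secrecy": names(lambda c: c["kea"] not in ("kx-ecdhe", "kx-dhe")),
        # Should always be empty after !aNULL.
        "anonymous": names(lambda c: c["auth"] == "auth-null"),
        "rc4": names(lambda c: "rc4" in _symmetric(c)),
        "triple_des": names(lambda c: "des-ede3" in _symmetric(c)),
    }


def rc4_is_last(ciphers):
    """True when every RC4 suite follows every non-RC4 suite.

    This is what '+RC4' is meant to achieve: keep RC4 available but only as
    the last resort, rather than removing it like '!RC4' would.
    """
    seen_rc4 = False
    for c in ciphers:
        if "rc4" in _symmetric(c):
            seen_rc4 = True
        elif seen_rc4:
            return False
    return True


if __name__ == "__main__":
    for label, spec in (("library client list", LIBRARY_CLIENT_LIST),
                        ("suggested list", SUGGESTED_LIST)):
        suites = expand_cipher_string(spec)
        report = audit_cipher_list(suites)
        print(f"== {label}: {report['count']} suites, RC4 last: {rc4_is_last(suites)}")
        for key in ("ecdhe_rsa", "dhe_rsa", "dhe_dss", "no_forward_secrecy",
                    "anonymous", "rc4", "triple_des"):
            print(f"  {key:20s} {len(report[key]):3d}  {' '.join(report[key][:3])}")
```

Run it on a box with the OpenSSL of the day and the `dhe_rsa` line for the library list is empty on any build, since no DHE-RSA name appears in it; the `no_forward_secrecy` line shows the plain-RSA suites that remain in both lists and that a server preferring its own order could still pick.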
