How to disable all EXPORT Ciphers?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Mar 09, 2015 at 02:23:53PM +0530, Deepak wrote:

> How to I disable all EXPORT Ciphers from OpenSSL?
> 
> Will the use of string "kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH"
> with SSL_CTX_set_cipher_list() be good enough to disable EXPORT40, 56 and 1024?

Note that doing so does not address the FREAK CVE in SSL clients.  Even
with EXPORT ciphers disabled they are still vulnerable, unless patched!

As for your proposed cipherlist it is too exotic.

    * ALL:!ADH is simply DEFAULT.  DEFAULT already prefers PFS (including
      ECDHE) and is sorted by strength.

    * DES is a subset of LOW 

    * I would also disable SSLv2, which is a subset of MD5, so I generally
      disable that instead which also drops the SSLv3's RC4-MD5 leaving RC4-SHA
      for interop.  Note for many applications RC4 is no longer supposed to be
      used, consider whether disabling RC4 is appropriate for you.

Therefore, I'd suggest:

	DEFAULT:!EXPORT:!LOW:!MD5

Which keeps things simple by starting with DEFAULT and removing
what you want to disable.

-- 
	Viktor.


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux