> From: openssl-users On Behalf Of Viktor Dukhovni > Sent: Monday, March 09, 2015 12:47 > On Mon, Mar 09, 2015 at 02:23:53PM +0530, Deepak wrote: > > "kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH" > > with SSL_CTX_set_cipher_list() be good enough to disable EXPORT40, 56 > and 1024? > You only need worry about the original exports retronymed EXPORT40. EXPORT56 was a draft RFC that was not adopted, and the SSL_CIPHER blocks still in source are disabled by a macro hardcoded in tls1.h (q.v.). "EXP1024-blah" would be the names of the nonexistent EXPORT56 ciphers. > Note that doing so does not address the FREAK CVE in SSL clients. Even > with EXPORT ciphers disabled they are still vulnerable, unless patched! > Yes. > As for your proposed cipherlist it is too exotic. > > * ALL:!ADH is simply DEFAULT. DEFAULT already prefers PFS (including > ECDHE) and is sorted by strength. > For 1.0.0+ DEFAULT is ALL:!aNULL:!eNULL:!SSLv2; !aNULL disables both ADH and AECDH. (0.9.8 excludes all ECC, including AECDH, unless ECCdraft.) !eNULL actually has no effect because ALL already excludes it; if you want eNULL (you shouldn't) you need the absurd-looking COMPLEMENTOFALL. > * DES is a subset of LOW > In fact DES is the only algorithm in LOW. (In math a set is a subset of itself and also a superset of itself but laypeople often don't expect that.) > * I would also disable SSLv2, which is a subset of MD5, so I generally > disable that instead which also drops the SSLv3's RC4-MD5 leaving RC4- > SHA > for interop. Note for many applications RC4 is no longer supposed to be > used, consider whether disabling RC4 is appropriate for you. > And disabling SSLv2 *ciphers* has the good effect of disabling SSLv2 *protocol* even if old or poor code calls SSLv23 and doesn't explicitly OP_NO_SSLv2. > Therefore, I'd suggest: > > DEFAULT:!EXPORT:!LOW:!MD5 > > Which keeps things simple by starting with DEFAULT and removing > what you want to disable. >