disable export grade ciphers
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssl (Ubuntu) | Fix Released | Wishlist | Unassigned |
Bug Description
# System
device: Aquaris BQ E4.5
OS: Ubuntu 15.04, OTA-11
OpenSSL version:
$ dpkg --list | grep libssl
ii libssl1.0.0:armhf 1.0.1f-1ubuntu11.6 armhf Secure Sockets Layer toolkit - shared libraries
# Observed behaviour
OpenSSL provides export grade ciphers:
$ openssl ciphers -v EXP
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-ADH-DES-CBC-SHA SSLv3 Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-ADH-RC4-MD5 SSLv3 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
# Expected behaviour
No export grade ciphers are provided in binaries.
# Rationale
Export grade ciphers are insecure. By design. In response to FREAK and
Logjam attacks, OpenSSL developers disabled export grade ciphers in
OpenSSL v1.0.1m (March 2015),
cf. <URL:https:/
To bypass similar future attacks, deactivation of export grade ciphers should be
backported to 15.04.
information type: Private Security → Public
Changed in openssl (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
I wonder if this is a good way to find the supported ciphers list?
sarnold@sec-trusty-amd64:~/qrt-test-imagemagick$ openssl ciphers -v EXP
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-ADH-DES-CBC-SHA SSLv3 Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-ADH-RC4-MD5 SSLv3 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

sarnold@sec-wily-amd64:~/qrt-test-imagemagick$ openssl ciphers -v EXP
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-ADH-DES-CBC-SHA SSLv3 Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-ADH-RC4-MD5 SSLv3 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
And a 16.04 LTS system:

$ openssl ciphers -v EXP
Error in cipher list
140090662590104:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1380:
None of these are attempts to -use- the ciphers though.
Thanks
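As an added example (not part of this bug report or of OpenSSL's own code): a small Python audit that parses the `openssl ciphers -v` output format quoted in the report and in the comment above, flags export-grade suites (marked `export`, 512-bit RSA/DH key exchange, or a 40-bit cipher), and treats the 16.04 `Error in cipher list` result as the clean case. The sample outputs are constructed from the lines quoted on this page; `audit_local_openssl` assumes an `openssl` binary on PATH.

```python
"""Audit `openssl ciphers -v` output for export-grade cipher suites."""
import re
import subprocess

# One `openssl ciphers -v` field, e.g. "Kx=DH(512)" or "Enc=AESGCM(128)"; the
# bit count in parentheses is optional.
FIELD_RE = re.compile(r"(Kx|Au|Enc|Mac)=([A-Za-z0-9_+/-]+)(?:\((\d+)\))?")

# Constructed sample: the trusty/wily output quoted in this report.
SAMPLE_TRUSTY = """\
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-ADH-DES-CBC-SHA SSLv3 Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-ADH-RC4-MD5 SSLv3 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
"""
# Constructed sample: the 16.04 output, where the EXP selector matches nothing.
SAMPLE_XENIAL = """\
Error in cipher list
140090662590104:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1380:
"""


def parse_ciphers(output):
    """Turn `openssl ciphers -v` text into a list of suite dicts, skipping
    prompts, error lines and anything else that is not a suite line."""
    suites = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3 or "=" not in parts[2]:
            continue
        suite = {"name": parts[0], "proto": parts[1], "export": parts[-1] == "export"}
        for alg, value, bits in FIELD_RE.findall(line):
            suite[alg.lower()] = value
            suite[alg.lower() + "_bits"] = int(bits) if bits else None
        suites.append(suite)
    return suites


def is_export_grade(suite):
    """Export grade: flagged "export", 512-bit key exchange, or a 40-bit cipher.
    Plain 56-bit DES is weak but not export grade, so it is not flagged here."""
    if suite["export"]:
        return True
    kx_bits, enc_bits = suite.get("kx_bits"), suite.get("enc_bits")
    return (kx_bits is not None and kx_bits <= 512) or (enc_bits is not None and enc_bits <= 40)


def export_suites(output):
    """Names of export-grade suites present in the output; [] for a clean build."""
    return [s["name"] for s in parse_ciphers(output) if is_export_grade(s)]


def audit_local_openssl():
    """Run the check against the installed openssl binary (assumes it is on PATH)."""
    proc = subprocess.run(["openssl", "ciphers", "-v", "EXP"], capture_output=True, text=True)
    return export_suites(proc.stdout)
```

As the comment above points out, this only inspects the compiled-in list; whether a peer actually negotiates one of these suites is a separate check.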