bc979 at lafn.org
Fri Mar 6 23:58:17 UTC 2015
> On 3 March 2015, at 23:21, Doug Hardie <bc979 at lafn.org> wrote:
> The default list of ciphers is quite extensive and includes some that are apparently causing some potential security issues. I have a number of applications that use OpenSSL and many don’t have the code to restrict the list. Fixing all that would take quite a bit of work. However, looking into /usr/include/openssl/ssl.h I find a definition for the SSL_DEFAULT_CIPHER_LIST. The comments indicate that that list is the one used when the application doesn’t specify anything. I changed its definition to:
> #define SSL_DEFAULT_CIPHER_LIST "TLSv1+HIGH:!SSLv2:RC4+MEDIUM:!aNULL:!eNULL:!3DES:@STRENGTH:
> However, s_connect will still create a connection with the export ciphers. I tried adding !EXPORT to that list and it had no effect. Is the definition actually used by openssl or is it just there for documentation?
Not hearing anything on this, I suspect it’s not very well understood. I have started updating the various servers/clients that use SSL/TLS. The one that has me completely stumped is sendmail. There is a web page which provides instructions "http://novosial.org/sendmail/cipherlist/index.html”. However, when I follow them, I can still establish a connection and deliver mail using the export ciphers.
Has anyone successfully restricted the sendmail ciphers?
More information about the freebsd-questions