tech-security archive


Re: Disable SSLv3 and set cipher list for bozohttpd



In article <504100d17986e1e22da8954be8153879%vispaul.me@localhost>,
 <tr%vispaul.me@localhost> wrote:
>
>Hi tech-security,
>
>I noticed that bozohttpd doesn't disable SSLv3, and it doesn't
>set a cipher list.  Making the changes below improved my Qualys
>SSL Test[1] score from "C" to "A-".
>
>I chose an intermediate compatibility cipher list as suggested by
>Mozilla[2] and included it below. I'm sure that the patch below
>needs some work (if it's even usable as-is) but my main intention
>was to start a discussion and find the best way to implement the
>change if it makes sense.
>
>Best,
>Travis Paul
>
>[1] https://www.ssllabs.com/ssltest/
>[2] 
>https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
>
>Index: ssl-bozo.c
>===================================================================
>RCS file: /cvsroot/src/libexec/httpd/ssl-bozo.c,v
>retrieving revision 1.18
>diff -u -r1.18 ssl-bozo.c
>--- ssl-bozo.c  17 Jul 2014 06:27:52 -0000      1.18
>+++ ssl-bozo.c  8 Dec 2015 02:16:13 -0000
>@@ -48,6 +48,10 @@
>  #define USE_ARG(x)     /*LINTED*/(void)&(x)
>  #endif
>
>+#ifndef BOZO_SSL_CIPHERS
>+#define BOZO_SSL_CIPHERS 
>"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3
-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
>+#endif
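Review bot: the `#define BOZO_SSL_CIPHERS` literal has been wrapped by the mailer, so this hunk does not apply as posted: the line beginning `-SHA:ECDHE-ECDSA-DES-CBC3-SHA:` has lost its `>` and `+` prefixes and was split off from `ECDHE-RSA-DES-CBC3` on the line above, and there is a trailing space after `#define BOZO_SSL_CIPHERS`. When resending, break the string into adjacent literals, one suite group per line (C concatenates them), e.g. `"ECDHE-RSA-AES128-GCM-SHA256:" \` / `"ECDHE-ECDSA-AES128-GCM-SHA256:" \`, so the macro stays under 80 columns and survives mail. A comment next to the macro would also help readers: `!DES` only removes single-DES suites, while `DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA` and `ECDHE-ECDSA-DES-CBC3-SHA` are deliberately kept (the Mozilla intermediate profile retains 3DES for old clients), so nobody assumes 3DES is excluded. Only this first hunk is quoted here; the `SSL_CTX_set_cipher_list()` call that consumes `BOZO_SSL_CIPHERS` and the SSLv3 change from the subject line are not visible in it.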

Why not supply the ! list (the ones you want to remove)... It is shorter
and easier to understand and maintain...

christos
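As an added example (not code from bozohttpd, and not the patch in this thread), the following does what the reply suggests: start from OpenSSL's own DEFAULT alias and subtract an exclusion list, refuse SSLv3, and then inspect what OpenSSL actually resolved the string to. It uses Python's standard ssl module because that drives the same OpenSSL cipher-string parser as SSL_CTX_set_cipher_list() and exposes the resolved list via get_ciphers(); the equivalent C calls are named in the comments. The DEFAULT starting point and the list of forbidden name fragments are this example's assumptions; the "!" entries are the ones at the tail of the posted cipher string.

```python
import ssl

# Exclusion-style cipher string, as the reply suggests: start from OpenSSL's
# built-in DEFAULT and subtract what is unwanted.  The "!" entries are the
# ones from the tail of the posted list; DEFAULT is OpenSSL's own alias
# (assumption: the linked OpenSSL's DEFAULT is an acceptable starting point,
# which is what this approach relies on).
EXCLUSION_CIPHERS = "DEFAULT:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH"

# Name fragments that must not survive the exclusions (this example's choice).
FORBIDDEN_MARKERS = ("NULL", "EXP", "RC4", "MD5", "PSK", "ADH", "AECDH")


def make_server_context(cipher_string):
    """Server context with SSLv2/SSLv3 refused and cipher_string applied.

    Mirrors what the C side would do against an SSL_CTX:
        SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
        SSL_CTX_set_cipher_list(ctx, BOZO_SSL_CIPHERS);
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # ssl.OP_NO_SSLv3 is the direct equivalent of SSL_OP_NO_SSLv3; newer
    # Pythons prefer ctx.minimum_version, the effect here is the same.
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    ctx.set_ciphers(cipher_string)
    return ctx


def resolved_suites(cipher_string):
    """Suite names OpenSSL resolved the string to, TLS 1.2 and below only
    (the same view `openssl ciphers -v '<string>'` gives).

    Returns [] when nothing matched.  That happens either because
    set_ciphers() raised (OpenSSL 1.0.x: "No cipher can be selected") or
    because OpenSSL 1.1.1+ silently ignored an unknown word and left only
    the TLS 1.3 suites, which live in a separate list that cipher strings
    do not touch.  An empty result is a configuration error either way.
    """
    try:
        ctx = make_server_context(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def offending_suites(cipher_string):
    """Resolved suites whose name carries a forbidden marker; an empty list
    means the exclusion entries did their job."""
    return [n for n in resolved_suites(cipher_string)
            if any(m in n for m in FORBIDDEN_MARKERS)]


def removed_by_exclusions(cipher_string=EXCLUSION_CIPHERS):
    """Suites present in plain DEFAULT that the "!" entries took away, so a
    reviewer can see exactly what the exclusion list buys."""
    kept = set(resolved_suites(cipher_string))
    return sorted(n for n in resolved_suites("DEFAULT") if n not in kept)


def refuses_sslv3(cipher_string=EXCLUSION_CIPHERS):
    """True if the context has SSLv3 switched off."""
    ctx = make_server_context(cipher_string)
    return bool(ctx.options & ssl.OP_NO_SSLv3)


if __name__ == "__main__":
    print("resolved:", resolved_suites(EXCLUSION_CIPHERS))
    print("offending:", offending_suites(EXCLUSION_CIPHERS))
    print("removed by '!' entries:", removed_by_exclusions())
    print("SSLv3 refused:", refuses_sslv3())
    # A typo in an exclusion list must be caught by a check like
    # resolved_suites() at startup, not discovered at the first handshake:
    # "DEFALT" is not an alias OpenSSL knows.
    print("typo resolves to:", resolved_suites("DEFALT:!aNULL"))
```

The check in resolved_suites() is the one a server should run when it applies the cipher list: with OpenSSL 1.1.1 and later a misspelled alias no longer makes SSL_CTX_set_cipher_list() fail, because the TLS 1.3 suites are always present, so an exclusion-style string has to be verified against the resolved list rather than by the return value alone.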


