NetBSD-Bugs archive
bin/51278: bozohttpd limited cipher sets after upgrade to NetBSD 7.0.1
>Number: 51278
>Category: bin
>Synopsis: bozohttpd limited cipher sets after upgrade to NetBSD 7.0.1
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Jun 26 14:10:01 +0000 2016
>Originator: Karel Hendrych
>Release:
>Organization:
>Environment:
NetBSD shell.jnpr.cz 7.0.1 NetBSD 7.0.1 (GENERIC.201605221355Z) amd64
>Description:
After upgrading to NetBSD 7.0.1, bozohttpd seems to have limited cipher sets. No DH sets. Without the -z parameter only the following are working:
OK: AES256-GCM-SHA384
OK: AES256-SHA256
OK: AES128-GCM-SHA256
OK: AES128-SHA256
-z HIGH parameter:
OK: AES256-GCM-SHA384
OK: AES256-SHA256
OK: AES256-SHA
OK: CAMELLIA256-SHA
OK: AES128-GCM-SHA256
OK: AES128-SHA256
OK: AES128-SHA
OK: CAMELLIA128-SHA
OK: DES-CBC3-SHA
-z ALL:
OK: AES256-GCM-SHA384
OK: AES256-SHA256
OK: AES256-SHA
OK: CAMELLIA256-SHA
OK: AES128-GCM-SHA256
OK: AES128-SHA256
OK: AES128-SHA
OK: SEED-SHA
OK: CAMELLIA128-SHA
OK: IDEA-CBC-SHA
OK: RC4-SHA
OK: RC4-MD5
OK: DES-CBC3-SHA
Anyone seeing the same? Didn't dig deeper than a quick black-box-like test.
Thanks!
>How-To-Repeat:
Install an SSL (in my case RSA) certificate and try:
for i in $(openssl ciphers -v | cut -f 1 -d " "); do echo | openssl s_client -host localhost -port 443 -cipher "$i" >/dev/null 2>&1 && echo "OK: $i" || echo "FAIL: $i"; done
>Fix:
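Added example, not part of the original report and not a fix for it: a POSIX sh helper that groups the probe loop's "OK:" lines by key exchange, so the absence of DH suites described above shows up as a count and an exit status. The function names are hypothetical, and the classification assumes OpenSSL's suite naming, where a name without a key-exchange prefix means RSA key exchange.

```shell
#!/bin/sh
# Added example: group the probe loop's "OK:" results by key exchange.
# Assumption: OpenSSL suite naming. DHE-/EDH-/ECDHE- prefixes are ephemeral
# (forward-secret) exchanges; a name with no key-exchange prefix, such as
# AES256-SHA, uses RSA key exchange.

kx_of() {
    name=${1#EXP-}; name=${name#EXP1024-}   # drop export-grade prefix
    case "$name" in
        TLS_*)               echo TLS13 ;;      # TLS 1.3 names, always ephemeral
        ECDHE-*)             echo ECDHE ;;
        DHE-*|EDH-*)         echo DHE ;;
        ADH-*|AECDH-*)       echo ANON ;;       # unauthenticated DH
        ECDH-*|DH-*)         echo STATIC-DH ;;
        PSK-*|SRP-*|KRB5-*)  echo OTHER ;;
        *)                   echo RSA ;;
    esac
}

summarize() {   # stdin: "OK: <suite>" / "FAIL: <suite>" lines from the probe loop
    rsa=0 fs=0 other=0
    while read -r result suite; do
        [ "$result" = "OK:" ] || continue
        case "$(kx_of "$suite")" in
            RSA)              rsa=$((rsa + 1)) ;;
            DHE|ECDHE|TLS13)  fs=$((fs + 1)) ;;
            *)                other=$((other + 1)) ;;
        esac
    done
    echo "rsa=$rsa forward_secret=$fs other=$other"
    [ "$fs" -gt 0 ]   # non-zero status: no forward-secret suite was accepted
}

report_high() {   # the "-z HIGH" results, copied from the report above
    cat <<'EOF'
OK: AES256-GCM-SHA384
OK: AES256-SHA256
OK: AES256-SHA
OK: CAMELLIA256-SHA
OK: AES128-GCM-SHA256
OK: AES128-SHA256
OK: AES128-SHA
OK: CAMELLIA128-SHA
OK: DES-CBC3-SHA
EOF
}

report_high | summarize || echo "no forward-secret (DHE/ECDHE) suite accepted"
```

To use it against a live server, pipe the output of the probe loop into summarize instead of report_high.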