tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Disable SSLv3 and set cipher list for bozohttpd



On Dec 9,  8:33pm, tr%vispaul.me@localhost (tr%vispaul.me@localhost) wrote:
-- Subject: Re: Disable SSLv3 and set cipher list for bozohttpd

| 
| > Le 2015-12-08 21:58, christos%astron.com@localhost a écrit :
| >> Why not supply the ! list (the ones you want to remove)... It is 
| >> shorter
| >> and easier to understand and maintain...
| 
| I agree, much simpler!
| 
| On 2015-12-09 08:30, Jean-Yves Migeon wrote:
| > I would dump 3DES and CAMELLIA (less review + hardware acceleration
| > support) and also dump TLS 1.0 (SSL_OP_NO_TLSv1) due to BEAST.
| 
| Good catch, thank you!
| 
| > Le 2015-12-08 23:23, Joerg Sonnenberger a écrit :
| >> I have some serious concerns about the cipher order. AES-GCM should 
| >> only
| >> be used as default choice if there is hardware acceleration for it.
| >> The resistence against timing attacks is very questionable otherwise.
| > 
| > This argument may apply to CBC with lucky 13, somehow. TBH the
| > proposed modification does not make things worse compared to the
| > previous state
| 
| This discussion made something apparent to me that I had not considered 
| before.
| 
| Perhaps the cipher list should be supplied by a command line argument 
| instead of
| being compiled into base so that it can be chosen at runtime?
| 
| If that sounds like a good choice, I will send an updated patch.

The command line could override the default "sane" built-in.

christos


Home | Main Index | Thread Index | Old Index