Adam Back wrote: > > It seems that if you enable ADH but disable MEDIUM ciphersuites, they > get left on anyway. > > I guess not too many people enable ADH, but there are scenarios where > it is useful, and so this seems like a security bug. > > What I did: > > % openssl s_server -state -CApath certs -cipher 'ALL' > > and connect to it with > > % openssl s_client -cipher "ADH:\!EXP:\!LOW:!'MEDIUM" > > then the server prints: > > Shared ciphers:ADH-DES-CBC3-SHA:ADH-DES-CBC-SHA:ADH-RC4-MD5 > > ADH-DES-CBC-SHA is single DES and so fails LOW, and shouldn't be in > the list.
Quite so, and this will fix it: Index: ssl/s3_lib.c =================================================================== RCS file: /e/openssl/cvs/openssl/ssl/s3_lib.c,v retrieving revision 1.57 diff -u -r1.57 s3_lib.c --- ssl/s3_lib.c 2001/10/20 17:56:35 1.57 +++ ssl/s3_lib.c 2002/03/06 16:41:55 @@ -196,7 +196,7 @@ SSL3_TXT_ADH_DES_64_CBC_SHA, SSL3_CK_ADH_DES_64_CBC_SHA, SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP, + SSL_NOT_EXP|SSL_LOW, 0, 56, 56, Just committing now. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]