Adam Back wrote:
>
> It seems that if you enable ADH but disable MEDIUM ciphersuites, they
> get left on anyway.
>
> I guess not too many people enable ADH, but there are scenarios where
> it is useful, and so this seems like a security bug.
>
> What I did:
>
> % openssl s_server -state -CApath certs -cipher 'ALL'
>
> and connect to it with
>
> % openssl s_client -cipher "ADH:\!EXP:\!LOW:!'MEDIUM"
>
> then the server prints:
>
> Shared ciphers:ADH-DES-CBC3-SHA:ADH-DES-CBC-SHA:ADH-RC4-MD5
>
> ADH-DES-CBC-SHA is single DES and so fails LOW, and shouldn't be in
> the list.

Quite so, and this will fix it:

Index: ssl/s3_lib.c
===================================================================
RCS file: /e/openssl/cvs/openssl/ssl/s3_lib.c,v
retrieving revision 1.57
diff -u -r1.57 s3_lib.c
--- ssl/s3_lib.c 2001/10/20 17:56:35 1.57
+++ ssl/s3_lib.c 2002/03/06 16:41:55
@@ -196,7 +196,7 @@
SSL3_TXT_ADH_DES_64_CBC_SHA,
SSL3_CK_ADH_DES_64_CBC_SHA,
SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_SSLV3,
- SSL_NOT_EXP,
+ SSL_NOT_EXP|SSL_LOW,
0,
56,
56,
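
Review bot: The changed flags line (`SSL_NOT_EXP|SSL_LOW`) shows that this entry previously carried no strength flag at all, so a strength-based exclusion such as `!LOW` had nothing to match on, and the hunk corrects only the single entry for SSL3_CK_ADH_DES_64_CBC_SHA. Please check the rest of the cipher table in ssl/s3_lib.c for other entries whose flags field is a bare `SSL_NOT_EXP`, in particular any others with 56 in the bit-strength fields, and fix them in the same commit. The report's output also still lists ADH-RC4-MD5 although the client string names MEDIUM as an exclusion; this hunk does not touch that entry, so its flags should be confirmed separately. A sanity check over the table that every non-export entry carries a strength flag would keep this omission from recurring.
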
Just committing now.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]