The ciphers man page contains the following text in the description of the
SUITEB cipher strings:
If used these cipherstrings[sic] should appear first in the cipher list
and anything after them is ignored.
In actual fact, if anything appears after them, they are completely ignored.
I.e., "SUITEB192:EXP" is identical to "EXP". Also, "SUITEB128:!NULL:!DES:!MD5"
results in a cipher suite failure.
It is fairly trivial to make the code behave as documented, simply add a
strncmp() to the relevant if statements in ssl.ciph.c
[check_suiteb_cipher_list()], like so:
if (!strcmp(*prule_str, "SUITEB128") ||
!strncmp(*prule_str, "SUITEB128:", 10))
suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;
else ...
Please, do not change to documentation to match what the code is currently
doing - some projects try to enforce better security by adding "!EXP:!NULL" or
similar to the user provided cipher string. Allowing "SUITEB128:!EXP:!NULL"
will avoid special handling for Suite B in those cases.
Perhaps a better implementation would be to handle the SUITEB* ciphers more
like the FIPS cipher, with names SSL_TXT_SUITEB128, SSL_TXT_SUITEB128ONLY,
SSL_TXT_SUITEB192 defined, and algo_strength flags SSL_SUITEB128 and
SSL_SUITEB192 defined.
_______________________________________________
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
