On Sat, Feb 17, 2007 at 11:45:58PM -0500, Victor Duchovni wrote:

> Currently the OpenSSL "DEFAULT" cipherlist serves two functions:
> 
>     - Sort the cipherlist to put the strongest, most desirable algorithms
>     first.
> 
>     - Exclude ciphers that most applications should not be exposed to.
> 
> Applications that don't need/want ciphers outside the "DEFAULT" list
> can further restrict the cipher choice with "DEFAULT:!this:!that" ...
> 
> Things get more complicated for applications that want to support
> anonymous ciphers but still maintain a sensible cipher order: [...]

... since once you've used "DEFAULT", which involves "!ADH" or
"!ADH:!AECDH" (both of which really should be "!aNULL"), you cannot
re-enable anonymous ciphersuites.

("!this" unlike "-this" thoroughly disables the ciphersuite so that
even "!this:this" cannot add it.  E.g., "RSA:!RSA:RSA" is empty,
whereas "RSA:-RSA:RSA" is equivalent to "RSA".  It is intentional
that DEFAULT is that strict.  In fact, DEFAULT should be just as
strict about ciphersuites without encryption, which it doesn't enable
but doesn't thoroughly disable either -- "DEFAULT:RSA" will enable
unencrypted authentication-only ciphersuites!  This is a bug to
be fixed.)



> I am therefore asking the team to consider splitting the two features:
> 
>       - Sensible default order
> 
>       - Non-default cipher exclusion
> 
> into two parts. The first part (ordering), should I believe be a feature
> of the "ALL" cipher_alias:
> 
>     ALL = preferred:all:+low-pref:@STRENGTH
> 
>       (preferred = AES:CAMELLIA)
>       (all = legacy "ALL" cipher list)
>       (low-pref = +aECDH:+kRSA:+RC4)
> 
> and then "DEFAULT" is simply a filter on the already ordered "ALL" list:
> 
>       DEFAULT = "ALL:!aNULL".
> 
> This would allow applications using "ALL" (or legacy ALL:+RC4:@STRENGTH
> which would be an equivalent more cumbersome way of getting the same
> result) to portably (release to release) arrive at a sensible cipherlist
> order.

Yes, this makes sense.  Currently, ciphers start being ordered by ID,
which is rather arbitrary.  Here's a patch that uses a reasonable
order for "ALL" instead, and also includes "!eNULL" in "DEFAULT".
This will go into the 0.9.9 branch.

Bodo




+++ ssl/ssl.h   19 Feb 2007 18:39:53 -0000
@@ -315,8 +315,13 @@
 /* The following cipher list is used by default.
  * It also is substituted when an application-defined cipher list string
  * starts with 'DEFAULT'. */
-#define SSL_DEFAULT_CIPHER_LIST        
"AES:CAMELLIA:ALL:!ADH:!AECDH:+aECDH:+kRSA:+RC4:@STRENGTH"
-/* low priority for ciphersuites w/o forwared secrecy (fixed ECDH, RSA key 
exchange), and for RC4 */
+#define SSL_DEFAULT_CIPHER_LIST        "ALL:!aNULL:!eNULL"
+/* As of OpenSSL 0.9.9, ssl_create_cipher_list() in ssl/ssl_ciph.c always
+ * starts with a reasonable order, and all we have to do for DEFAULT is
+ * throwing out anonymous and unencrypted ciphersuites!
+ * (The latter are not actually enabled by ALL, but "ALL:RSA" would enable
+ * some of them.)
+ */
 
 /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
 #define SSL_SENT_SHUTDOWN      1
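Review bot: the new SSL_DEFAULT_CIPHER_LIST value drops the explicit "AES:CAMELLIA" preference that the removed define started with, and the replacement comment defers all ordering to ssl_create_cipher_list(). The ssl_ciph.c change in this same patch only moves SSL_AES to the front, so Camellia appears to lose its preferred position relative to the old default. Either add a matching Camellia rule next to the AES one, or say in this comment that only AES is preferred from 0.9.9 on. The removed note about low priority for suites without forward secrecy and for RC4 is also worth carrying over here in one line, since applications read this header to learn what "DEFAULT" means.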
Index: ssl/ssl_ciph.c
===================================================================
RCS file: /e/openssl/cvs/openssl/ssl/ssl_ciph.c,v
retrieving revision 1.66
diff -u -r1.66 ssl_ciph.c
--- ssl/ssl_ciph.c      17 Feb 2007 06:45:37 -0000      1.66
+++ ssl/ssl_ciph.c      19 Feb 2007 18:39:53 -0000
@@ -1120,6 +1120,40 @@
                                   disabled_mkey, disabled_auth, disabled_enc, 
disabled_mac, disabled_ssl,
                                   co_list, &head, &tail);
 
+
+       /* Now arrange all ciphers by preference: */
+
+       /* Temporarily enabled AES first (preferred cipher) */
+       ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, CIPHER_ADD, -1, &head, 
&tail);
+
+       /* Temporarily enable everything else */
+       ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, 
&tail);
+
+       /* Move anonymous ciphers to the end.  Usually, these will remain 
disabled.
+        * (For applications that allow them, they aren't too bad, but we prefer
+        * authenticated ciphers.) */
+       ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, 
&head, &tail);
+
+       /* Move ciphers without forward secrecy to then end */
+       ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, 
&head, &tail);
+       ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, 
&head, &tail);
+       ssl_cipher_apply_rule(0, 0, SSL_kPSK, 0, 0, 0, 0, CIPHER_ORD, -1, 
&head, &tail);
+
+       /* RC4 is sort-of broken -- move the the end */
+       ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head, 
&tail);
+
+       /* Now sort by symmetric encryption strength.  The above ordering 
remains
+        * in force within each class */
+       if (!ssl_cipher_strength_sort(&head, &tail))
+               {
+               OPENSSL_free(co_list);
+               return NULL;
+               }
+
+       /* Now disable everything (maintaining the ordering!) */
+       ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, 
&tail);
+
+
        /*
         * We also need cipher aliases for selecting based on the rule_str.
         * There might be two types of entries in the rule_str: 1) names
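Review bot: in the "Move ciphers without forward secrecy" group, SSL_kPSK is passed as the third argument, the same position used for SSL_aNULL and SSL_aECDH, while the other key-exchange flag, SSL_kRSA, is passed as the second. If the second position is the key-exchange mask and the third the authentication mask, as the other calls suggest, the PSK rule will not select PSK key exchange and should read ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail). Please confirm against the parameter order of ssl_cipher_apply_rule() before this goes in.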
@@ -1167,6 +1201,7 @@
                OPENSSL_free(co_list);
                return(NULL);
                }
+       
        /*
         * Allocate new "cipherstack" for the result, return with error
         * if we cannot get one.
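Review bot: the only change in this hunk is an added line containing nothing but whitespace, placed before the "Allocate new cipherstack" comment. Drop it so the patch carries no whitespace-only changes and the diff stays limited to the ordering logic.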
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
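The operator semantics discussed in the message ("!this" versus "-this", and why "DEFAULT:RSA" can pull in an unencrypted suite), as an added example that is not part of the original e-mail or of OpenSSL. It is a simplified Python model: the suite-to-alias tags and the shortened default strings are constructed for illustration, and "@STRENGTH" sorting is left out.

```python
# Simplified model of OpenSSL cipher-string operators (illustration only).
# Constructed sample: each suite name maps to the aliases assumed to match it.
SUITES = [
    ("ADH-AES256-SHA",     {"ALL", "ADH", "aNULL", "AES"}),
    ("DHE-RSA-AES256-SHA", {"ALL", "aRSA", "AES"}),
    ("AES256-SHA",         {"ALL", "RSA", "kRSA", "aRSA", "AES"}),
    ("RC4-SHA",            {"ALL", "RSA", "kRSA", "aRSA", "RC4"}),
    ("NULL-SHA",           {"RSA", "kRSA", "aRSA", "eNULL"}),  # not part of ALL
]
TAGS = dict(SUITES)

# Shortened stand-ins for the two defaults discussed in the thread.
OLD_DEFAULT = "ALL:!ADH"            # old style: names ADH, forgets eNULL
NEW_DEFAULT = "ALL:!aNULL:!eNULL"   # value introduced by the patch


def apply_rules(rule_string, default=OLD_DEFAULT):
    """Return the enabled suites, in order, after applying rule_string."""
    order = [name for name, _ in SUITES]   # every suite still known to the list
    active = set()                         # suites currently enabled
    for rule in rule_string.replace("DEFAULT", default).split(":"):
        op, alias = (rule[0], rule[1:]) if rule[0] in "!-+" else ("", rule)
        hits = [n for n in order if alias in TAGS[n]]
        if op == "!":      # kill: forget the suite, later rules cannot see it
            order = [n for n in order if n not in hits]
            active -= set(hits)
        elif op == "-":    # delete: disable, but keep it available for re-adding
            dropped = [n for n in hits if n in active]
            order = dropped + [n for n in order if n not in dropped]
            active -= set(dropped)
        elif op == "+":    # reorder: move enabled matches to the end
            moved = [n for n in hits if n in active]
            order = [n for n in order if n not in moved] + moved
        else:              # add: enable matches that are not yet enabled
            new = [n for n in hits if n not in active]
            order = [n for n in order if n not in new] + new
            active |= set(new)
    return [n for n in order if n in active]


if __name__ == "__main__":
    for s in ("RSA:!RSA:RSA", "RSA:-RSA:RSA", "DEFAULT:ADH", "DEFAULT:RSA"):
        print(f"{s:14} old={apply_rules(s)}")
    print("DEFAULT:RSA    new=", apply_rules("DEFAULT:RSA", NEW_DEFAULT))
```

With the old-style default, "DEFAULT:RSA" ends with NULL-SHA enabled; with "ALL:!aNULL:!eNULL" the same string cannot bring it back.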
