[Bug 1590163] Re: disable export grade ciphers

Seth Arnold 1590163 at bugs.launchpad.net
Tue Jun 7 23:16:03 UTC 2016 

I wonder if this is good way to find the supported ciphers list?

sarnold at sec-trusty-amd64:~/qrt-test-imagemagick$ openssl ciphers -v EXP
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
EXP-ADH-DES-CBC-SHA     SSLv3 Kx=DH(512)  Au=None Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-ADH-RC4-MD5         SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export

sarnold at sec-wily-amd64:~/qrt-test-imagemagick$ openssl ciphers -v EXP
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
EXP-ADH-DES-CBC-SHA     SSLv3 Kx=DH(512)  Au=None Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-ADH-RC4-MD5         SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export

And a 16.04 LTS system:
$ openssl ciphers -v EXP
Error in cipher list
140090662590104:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1380:


None of these are attempts to -use- the ciphers though.

Thanks

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1590163

Title:
  disable export grade ciphers

Status in openssl package in Ubuntu:
  New

Bug description:
  # System

  device: Aquaris BQ E4.5
  OS: Ubuntu 15.04, OTA-11 
  OpenSSL version:
    $dpkg --list |grep libssl
  ii  libssl1.0.0:armhf                                    1.0.1f-1ubuntu11.6                                         armhf        Secure Sockets Layer toolkit - shared libraries

  
  # Observed behaviour

  OpenSSL provides export grade ciphers:

    $openssl ciphers -v EXP
  EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
  EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
  EXP-ADH-DES-CBC-SHA     SSLv3 Kx=DH(512)  Au=None Enc=DES(40)   Mac=SHA1 export
  EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
  EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
  EXP-ADH-RC4-MD5         SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)   Mac=MD5  export
  EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export

  
  # Expected behaviour

  No export grade ciphers are provided in binaries.

  
  # Rationale

  Export grade ciphers are insecure.  By design.  In response to FREAK and
  Logjam attacks, OpenSSL developers disabled export grade ciphers in
  OpenSSL v1.0.1m (March 2015),
  cf. <URL:https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/>.

  To bypass similar future attacks, deactivation of export grade ciphers should be
  backported to 15.04.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1590163/+subscriptions

More information about the foundations-bugs mailing list