On Thu, 3 Oct 2013, Nick Zitzmann wrote:

> So I heard recently that SSL Labs has a new TLS/SSL client test available:
> <https://www.ssllabs.com/ssltest/viewMyClient.html>
>
> I already ran my code through it, and it detected support for a NULL
> cipher-suite I forgot to block out. Oops. I fixed that and pushed the change
> yesterday.

Nice!

> I also tried running it with two other SSL back-ends - Schannel (Windows 7)
> and OpenSSL (0.9.8). The Schannel back-end showed no weak or insecure
> cipher-suites (good) but didn't support TLS 1.2 (I thought it did?).

That's a very old OpenSSL version though. My OpenSSL/1.0.1e supports TLS 1.2
fine.

> Meanwhile, the OpenSSL back-end advertised support for a number of weak
> suites with only 40- and 56-bit keys. Shouldn't we be blocking those by
> default?

We haven't really discussed this, but yes I think we should! The weak ones
this test identifies in my version are:

(Cipher Suites and bit lengths)

TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15) WEAK 56
TLS_DHE_DSS_WITH_DES_CBC_SHA (0x12) WEAK 56
TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK 56
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14) WEAK 40
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x11) WEAK 40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8) WEAK 40
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6) WEAK 40
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3) WEAK 40

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html