curl-library

Re: weak cipher suites with OpenSSL, SecureTransport and... ?

From: Nick Zitzmann <nick_at_chronosnet.com>
Date: Thu, 9 Jan 2014 17:40:17 -0600

On Jan 9, 2014, at 4:34 PM, Daniel Stenberg <daniel_at_haxx.se> wrote:

> #1324 - curl built with SecureTransport includes support for NULL ciphersuites
> in ClientHello
> https://sourceforge.net/p/curl/bugs/1324/

I cannot reproduce this one:

===
% src/curl -v "https://www.howsmyssl.com/a/check"
* STATE: INIT => CONNECT handle 0x7ffb42004c08; line 1012 (connection #-5000)
* Hostname was NOT found in DNS cache
* Trying 54.245.96.51...
* STATE: CONNECT => WAITCONNECT handle 0x7ffb42004c08; line 1059 (connection #0)
* Connected to www.howsmyssl.com (54.245.96.51) port 443 (#0)
* STATE: WAITCONNECT => PROTOCONNECT handle 0x7ffb42004c08; line 1172 (connection #0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_RC4_128_SHA
* Server certificate: howsmyssl.com
* Server certificate: GeoTrust SSL CA - G2
* Server certificate: GeoTrust Global CA
* Server certificate: Equifax Secure Certificate Authority
* STATE: PROTOCONNECT => DO handle 0x7ffb42004c08; line 1191 (connection #0)
> GET /a/check HTTP/1.1
> User-Agent: curl/7.34.1-DEV
> Host: www.howsmyssl.com
> Accept: */*
>
* STATE: DO => DO_DONE handle 0x7ffb42004c08; line 1264 (connection #0)
* STATE: DO_DONE => WAITPERFORM handle 0x7ffb42004c08; line 1390 (connection #0)
* STATE: WAITPERFORM => PERFORM handle 0x7ffb42004c08; line 1403 (connection #0)
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 200 OK
< Content-Length: 1836
< Connection: close
< Content-Type: application/json
< Date: Thu, 09 Jan 2014 23:28:09 GMT
< Strict-Transport-Security: max-age=631138519; includeSubdomains
<
* STATE: PERFORM => DONE handle 0x7ffb42004c08; line 1573 (connection #0)
* Closing connection 0
* The cache now contains 0 members
{"given_cipher_suites":["TLS_EMPTY_RENEGOTIATION_INFO_SCSV","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_RC4_128_SHA","TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_RC4_128_SHA","TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384","TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256","TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384","TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA","TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDH_ECDSA_WITH_RC4_128_SHA","TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDH_RSA_WITH_AES_256_CBC_SHA","TLS_ECDH_RSA_WITH_AES_128_CBC_SHA","TLS_ECDH_RSA_WITH_RC4_128_SHA","TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA256","TLS_RSA_WITH_AES_128_CBC_SHA256","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_RC4_128_SHA","TLS_RSA_WITH_RC4_128_MD5","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_3DES_EDE_CBC_SHA","TLS_DHE_RSA_WITH_AES_128_CBC_SHA256","TLS_DHE_RSA_WITH_AES_256_CBC_SHA256","TLS_DHE_RSA_WITH_AES_128_CBC_SHA","TLS_DHE_RSA_WITH_AES_256_CBC_SHA","TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA","TLS_PSK_WITH_AES_256_CBC_SHA384","TLS_PSK_WITH_AES_128_CBC_SHA256","TLS_PSK_WITH_AES_256_CBC_SHA","TLS_PSK_WITH_AES_128_CBC_SHA","TLS_PSK_WITH_RC4_128_SHA","TLS_PSK_WITH_3DES_EDE_CBC_SHA"],"ephemeral_keys_supported":true,"session_ticket_supported":false,"tls_compression_supported":false,"unknown_cipher_suite_supported":false,"beast_vuln":false,"able_to_detect_n_minus_one_splitting":false,"insecure_cipher_suites":{},"tls_version":"TLS 1.2","rating":"Improvable"}
===

I don’t see any NULL cipher-suites in there anywhere. I’m pretty sure I fixed this in commit <https://github.com/bagder/curl/commit/6f78aaad6f262f1de074386dff3f41c95fa997bb>, which I had to make after iOS 7 was released because I was under NDA at the time (so it didn’t get into Mavericks).

Oh, and the NULL_SHA256 one was fixed in a separate commit: <https://github.com/bagder/curl/commit/173160c0d068f1aba390fe6eb2e847af6ae48dca>

I discovered that one when I was testing my work against <https://www.ssllabs.com/ssltest/viewMyClient.html>, which had just launched at the time.

Nick Zitzmann
<http://www.chronosnet.com/>

Received on 2014-01-10
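
The by-eye check in the mail above (looking for NULL suites in `given_cipher_suites`), written out as an added example; it is not part of the original mail or of curl. It goes beyond the NULL case discussed by also flagging anonymous and export-grade suites. The sample response is constructed, and `split_suite` and `audit_offered_suites` are hypothetical names.

```python
import json

# Constructed sample in the shape of the /a/check response quoted above.
# The NULL, anon and EXPORT suites are added here to exercise the check.
SAMPLE_RESPONSE = json.dumps({
    "given_cipher_suites": [
        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_NULL_SHA256",
        "TLS_ECDHE_RSA_WITH_NULL_SHA",
        "TLS_DH_anon_WITH_AES_128_CBC_SHA",
        "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
        "TLS_RSA_WITH_RC4_128_SHA",
    ],
    "insecure_cipher_suites": {},
    "tls_version": "TLS 1.2",
})


def split_suite(name):
    """Return (key_exchange, cipher_and_mac), or None for signalling values."""
    prefix, _, rest = name.partition("_")
    if prefix not in ("TLS", "SSL") or "_WITH_" not in rest:
        return None  # e.g. TLS_EMPTY_RENEGOTIATION_INFO_SCSV is not a real suite
    kx, cipher = rest.split("_WITH_", 1)
    return kx, cipher


def audit_offered_suites(response_text):
    """Map each offered suite lacking encryption or authentication to reasons."""
    offered = json.loads(response_text).get("given_cipher_suites", [])
    findings = {}
    for name in offered:
        parts = split_suite(name)
        if parts is None:
            continue
        kx, cipher = parts
        kx_tokens = kx.split("_")
        reasons = []
        if cipher.split("_")[0] == "NULL":      # bulk cipher slot is NULL
            reasons.append("no encryption")
        if kx == "NULL" or "anon" in kx_tokens:  # unauthenticated key exchange
            reasons.append("no authentication")
        if "EXPORT" in kx_tokens:                # deliberately weakened keys
            reasons.append("export-grade")
        if reasons:
            findings[name] = reasons
    return findings
```

Feeding it the body saved from a request like the one in the mail gives a mechanical answer to "are any NULL suites in the ClientHello", independent of the service's own `insecure_cipher_suites` field.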