curl-library

Re: weak cipher suites with OpenSSL, SecureTransport and... ?

From: Fabian Frank <fabian.frank.de_at_gmail.com>
Date: Thu, 9 Jan 2014 23:22:44 -0800

On Jan 9, 2014, at 2:34 PM, Daniel Stenberg <daniel_at_haxx.se> wrote:
> Left to do is then to build curl with other TLS backends and try it against https://www.howsmyssl.com/a/check to see if there are more flaws in this style.

I tried axtls, unfortunately
$ ./src/curl 'https://www.howsmyssl.com/a/check'
bi_terminate: there were 1 un-freed bigints
Abort trap: 6

The error “bi_terminate: …” happens inside axtls, when it wants to shut down its bigint implementation but did not free all bigints yet. It looks like (quick glance with gdb) axtls chokes on the certificate signature that www.howsmyssl.com presents. This would make sense, because the cert is SHA-256 signed and according to http://axtls.sourceforge.net/specifications.htm axtls only has SHA-1 support.

On the bright side, when ignoring the cert’s signature, it seems that no export/null ciphers are being offered:
$ ./src/curl -k 'https://www.howsmyssl.com/a/check'
{"given_cipher_suites":["TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_RC4_128_SHA","TLS_RSA_WITH_RC4_128_MD5"],"ephemeral_keys_supported":false,"session_ticket_supported":false,"tls_compression_supported":false,"unknown_cipher_suite_supported":false,"beast_vuln":false,"able_to_detect_n_minus_one_splitting":false,"insecure_cipher_suites":{},"tls_version":"TLS 1.1","rating":"Improvable"}

Regards,
Fabian

Received on 2014-01-10
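
Added example (not part of the mail above and not curl or howsmyssl.com code): a Python check that reads an /a/check response like the one quoted in the mail and lists the offered suites that are weak by name, keeping export/NULL suites separate from RC4 and MD5 ones. The marker table and the function names are assumptions of this example.

```python
import json

# Constructed sample: the fields this check reads, with the values from the
# response quoted in the mail above.
SAMPLE = (
    '{"given_cipher_suites":["TLS_RSA_WITH_AES_128_CBC_SHA",'
    '"TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_RC4_128_SHA",'
    '"TLS_RSA_WITH_RC4_128_MD5"],"ephemeral_keys_supported":false,'
    '"insecure_cipher_suites":{},"tls_version":"TLS 1.1"}'
)

# Markers in IANA suite names. This table is an assumption of the example,
# not the rating logic howsmyssl.com applies.
MARKERS = [
    ("_NULL_", "no encryption"),
    ("_EXPORT", "export-grade keys"),
    ("_anon_", "unauthenticated key exchange"),
    ("_RC4_", "RC4"),
    ("_DES_", "single DES"),
]

def classify(suite):
    """Return the reasons a suite name is considered weak (empty if none)."""
    reasons = [why for marker, why in MARKERS if marker in suite]
    if suite.endswith("_MD5"):
        reasons.append("MD5 MAC")
    return reasons

def audit(response_text):
    """Summarise one /a/check response: weak suites and forward secrecy."""
    # Output pasted through a mail client can pick up typographic quotes.
    text = response_text.translate({0x201C: '"', 0x201D: '"'})
    data = json.loads(text)
    offered = data.get("given_cipher_suites", [])
    weak = {s: classify(s) for s in offered if classify(s)}
    worst = {"no encryption", "export-grade keys"}
    return {
        "tls_version": data.get("tls_version"),
        "weak": weak,
        "export_or_null": sorted(s for s, r in weak.items() if worst & set(r)),
        "forward_secrecy": any("_DHE_" in s or "_ECDHE_" in s for s in offered),
        "server_flagged": sorted(data.get("insecure_cipher_suites", {})),
    }

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```
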