curl-library
Re: weak cipher suites with OpenSSL, SecureTransport and... ?
Date: Sun, 19 Jan 2014 14:16:31 +0100
On 13.01.2014 00:13, Daniel Stenberg wrote:
> On Sun, 12 Jan 2014, Marc Hörsken wrote:
>
>> WinSSL on Windows 7 SP1 looks okay:
>
> Yes, cipher wise at least. I figure this is less good:
>
>> "beast_vuln":true,
>> "tls_version":"TLS 1.0"
>
> And they are what makes the site deem this to get:
>
>> "rating":"Bad"}
>
> ... but I don't think we can change that with this backend.

Using --tlsv1 or the attached patch improves the "default" situation on
Windows 7 SP1.

$ src/curl -v "https://www.howsmyssl.com/a/check"
* timeout on name lookup is not supported
* Hostname was NOT found in DNS cache
* Trying 54.245.96.51...
* Connected to www.howsmyssl.com (54.245.96.51) port 443 (#0)
* schannel: SSL/TLS connection with www.howsmyssl.com port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 168 bytes...
* schannel: sent initial handshake data: sent 168 bytes
* schannel: SSL/TLS connection with www.howsmyssl.com port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with www.howsmyssl.com port 443 (step 2/3)
* schannel: encrypted data buffer: offset 3340 length 4096
* schannel: SSL/TLS connection with www.howsmyssl.com port 443 (step 2/3)
* schannel: encrypted data buffer: offset 347 length 4096
* schannel: sending next handshake data: sending 150 bytes...
* schannel: SSL/TLS connection with www.howsmyssl.com port 443 (step 2/3)
* schannel: encrypted data buffer: offset 75 length 4096
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with www.howsmyssl.com port 443 (step 3/3)
* schannel: incremented credential handle refcount = 1
* schannel: stored credential handle in session cache
> GET /a/check HTTP/1.1
> User-Agent: curl/7.34.1-DEV
> Host: www.howsmyssl.com
> Accept: */*
>
* schannel: client wants to read 16384 bytes
* schannel: encrypted data buffer: offset 0 length 16384
* schannel: encrypted data got 1354
* schannel: encrypted data buffer: offset 1354 length 16384
* schannel: decrypted data length: 1253
* schannel: decrypted data added: 1253
* schannel: decrypted data cached: offset 1253 length 16384
* schannel: encrypted data length: 53
* schannel: encrypted data cached: offset 53 length 16384
* schannel: decrypted data buffer: offset 1253 length 16384
* schannel: decrypted data returned 1253
* schannel: decrypted data buffer: offset 0 length 16384
< HTTP/1.1 200 OK
< Content-Length: 1059
< Connection: close
< Content-Type: application/json
< Date: Sun, 19 Jan 2014 13:13:31 GMT
< Strict-Transport-Security: max-age=631138519; includeSubdomains
<
{"given_cipher_suites":["TLS_RSA_WITH_AES_128_CBC_SHA256","TLS_RSA_WITH_AES_128_
CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA256","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_R
SA_WITH_RC4_128_SHA","TLS_RSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128
_CBC_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CB
C_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_C
BC_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_2
56_CBC_SHA384","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_
256_CBC_SHA","TLS_DHE_DSS_WITH_AES_128_CBC_SHA256","TLS_DHE_DSS_WITH_AES_128_CBC
_SHA","TLS_DHE_DSS_WITH_AES_256_CBC_SHA256","TLS_DHE_DSS_WITH_AES_256_CBC_SHA","
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA","TLS_RSA_WITH_RC4_128_MD5"],"ephemeral_keys_s
upported":true,"session_ticket_supported":false,"tls_compression_supported":fals
e,"unknown_cipher_suite_supported":false,"beast_vuln":false,"able_to_detect_n_mi
nus_one_splitting":false,"insecure_cipher_suites":{},"tls_version":"TLS 1.2","ra
ting":"Improvable"}* Closing connection 0
* schannel: shutting down SSL/TLS connection with www.howsmyssl.com port 443
* schannel: clear security context handle
* schannel: decremented credential handle refcount = 0

I would appreciate some feedback from people using other Windows
versions before merging this patch.
Received on 2014-01-19
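
Added example, not part of the original message or of curl: a Python check that audits a howsmyssl `/a/check` JSON body like the one quoted above, so a client TLS default can be tested automatically. It also flags RC4, 3DES and MD5 suites that the client offers even when `insecure_cipher_suites` is empty. The marker table, `MIN_TLS` and the function names are assumptions for illustration, not the site's rating logic.

```python
import json

# Constructed sample: fields taken from the response above, cipher list abridged.
SAMPLE = json.dumps({
    "given_cipher_suites": [
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_RC4_128_MD5",
    ],
    "beast_vuln": False,
    "insecure_cipher_suites": {},
    "tls_version": "TLS 1.2",
    "rating": "Improvable",
})

# Hypothetical local policy (assumption), matched on IANA suite-name fragments.
WEAK_MARKERS = {"_RC4_": "RC4", "_3DES_": "3DES", "_MD5": "MD5 MAC",
                "_NULL_": "no encryption", "_EXPORT": "export grade"}
MIN_TLS = (1, 2)

def parse_tls_version(text):
    """'TLS 1.2' -> (1, 2); anything unparsable sorts below every real version."""
    try:
        major, minor = text.split()[-1].split(".")
        return int(major), int(minor)
    except (ValueError, IndexError, AttributeError):
        return (0, 0)

def audit(raw):
    """Return a sorted list of findings for one /a/check JSON body."""
    report = json.loads(raw)
    findings = []
    if parse_tls_version(report.get("tls_version")) < MIN_TLS:
        findings.append(f"protocol below TLS 1.2: {report.get('tls_version')}")
    if report.get("beast_vuln"):
        findings.append("beast_vuln reported")
    for suite in report.get("insecure_cipher_suites", {}):
        findings.append(f"server-flagged suite: {suite}")
    for suite in report.get("given_cipher_suites", []):
        for marker, why in WEAK_MARKERS.items():
            if marker in suite:
                findings.append(f"{suite}: {why}")
    return sorted(findings)
```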