[Bug 1590163] [NEW] disable export grade ciphers
Stephan Hennig
sh2d at posteo.net
Tue Jun 7 21:41:58 UTC 2016
Public bug reported:
# System
device: Aquaris BQ E4.5
OS: Ubuntu 15.04, OTA-11
OpenSSL version:
$dpkg --list |grep libssl
ii libssl1.0.0:armhf 1.0.1f-1ubuntu11.6 armhf Secure Sockets Layer toolkit - shared libraries
# Observed behaviour
OpenSSL provides export grade ciphers:
$openssl ciphers -v EXP
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-ADH-DES-CBC-SHA SSLv3 Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-ADH-RC4-MD5 SSLv3 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
# Expected behaviour
No export grade ciphers are provided in binaries.
# Rationale
Export grade ciphers are insecure. By design. In response to FREAK and
Logjam attacks, OpenSSL developers disabled export grade ciphers in
OpenSSL v1.0.1m (March 2015),
cf. <URL:https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/>.
To bypass similar future attacks, deactivation of export grade ciphers should be
backported to 15.04.
** Affects: openssl (Ubuntu)
Importance: Undecided
Status: New
** Information type changed from Private Security to Public
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1590163
Title:
disable export grade ciphers
Status in openssl package in Ubuntu:
New
Bug description:
# System
device: Aquaris BQ E4.5
OS: Ubuntu 15.04, OTA-11
OpenSSL version:
$dpkg --list |grep libssl
ii libssl1.0.0:armhf 1.0.1f-1ubuntu11.6 armhf Secure Sockets Layer toolkit - shared libraries
# Observed behaviour
OpenSSL provides export grade ciphers:
$openssl ciphers -v EXP
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-ADH-DES-CBC-SHA SSLv3 Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-ADH-RC4-MD5 SSLv3 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
# Expected behaviour
No export grade ciphers are provided in binaries.
# Rationale
Export grade ciphers are insecure. By design. In response to FREAK and
Logjam attacks, OpenSSL developers disabled export grade ciphers in
OpenSSL v1.0.1m (March 2015),
cf. <URL:https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/>.
To bypass similar future attacks, deactivation of export grade ciphers should be
backported to 15.04.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1590163/+subscriptions
More information about the foundations-bugs
mailing list