bug#31946: 27.0.50; The NSM should warn about more TLS problems

From: Jimmy Yuen Ho Wong
Subject: bug#31946: 27.0.50; The NSM should warn about more TLS problems
Date: Wed, 27 Jun 2018 17:40:17 +0100

I've been reading a bit more on recent cipher and key exchange negotiation changes; it appears that the reason 3des "fails" on modern browsers is the same reason they "fail" dh-small-subgroup and dh-composite. They are not actually failing if the negotiated KX algo is ECDHE.

For good measure, I think we should also offer, in the high profile, checks for RSA KX and CBC mode ciphers. They are all marked as weak by modern browsers. There are apparently enterprise middlewares that decrypt RSA KX for monitoring. CBC is weak and should also be checked in the high profile because of BEAST and POODLE (high because of compatibility).

On Wed, Jun 27, 2018 at 4:16 PM, Eli Zaretskii <address@hidden> wrote:
> From: Lars Ingebrigtsen <address@hidden>
> Cc: address@hidden,  Noam Postavsky <address@hidden>, Eli Zaretskii <address@hidden>
> Date: Wed, 27 Jun 2018 14:20:16 +0200
>
> Speaking of which -- it's quite a mouthful to say:
>
> (open-network-stream
>  "foo" nil "dh-composite.badssl.com" "https"
>  :tls-parameters (cons 'gnutls-x509pki (gnutls-boot-parameters
>                                         :hostname "dh-composite.badssl.com")))
>
> I've been meaning to add a :tls keyword to `open-network-stream' that
> would make
>
> (open-network-stream "foo" nil "dh-composite.badssl.com" "https" :tls t)
>
> a short way to write the above.  I.e., the default TLS parameters (which
> is what you need in 99.9% of the cases) would be used if you just say
> :tls t.
>
> Does that sound OK to you, Eli?

Sounds good, but does it really require a new property?  Why not a
special value of the existing :tls-parameters?  For example:

  (open-network-stream "foo" nil "dh-composite.badssl.com" "https"
                       :tls-parameters 'tls-defaults)
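
An added sketch of the two high-profile checks proposed at the top of this message (RSA key exchange and CBC-mode ciphers), written for illustration and not taken from nsm.el or from anyone in the thread. The `my-nsm-*` names are hypothetical, the status plists are constructed samples, and their `:key-exchange` and `:cipher` keys are assumed to hold GnuTLS-style names as in the plist returned by `gnutls-peer-status`.

```elisp
;; Added illustration.  All `my-nsm-*' names are hypothetical and are not
;; part of nsm.el.  Each check looks at what was actually negotiated for
;; the connection, not at what the server is able to offer.

(defun my-nsm-check-rsa-kx (status)
  "Return a warning string if STATUS negotiated static RSA key exchange.
STATUS is a plist with a :key-exchange string (assumed GnuTLS naming)."
  (let ((kx (plist-get status :key-exchange)))
    ;; Anchor at the start so \"RSA\" and \"RSA-PSK\" match, while
    ;; \"DHE-RSA\" and \"ECDHE-RSA\" (RSA used only for signing) do not.
    (when (and kx (string-match-p "\\`RSA" kx))
      (format "RSA key exchange (%s) is marked weak by modern browsers" kx))))

(defun my-nsm-check-cbc-cipher (status)
  "Return a warning string if STATUS negotiated a CBC mode cipher.
STATUS is a plist with a :cipher string (assumed GnuTLS naming)."
  (let ((cipher (plist-get status :cipher)))
    (when (and cipher (string-match-p "CBC" cipher))
      (format "CBC mode cipher (%s) is weak (BEAST, POODLE)" cipher))))

(defvar my-nsm-high-checks '(my-nsm-check-rsa-kx my-nsm-check-cbc-cipher)
  "Hypothetical list of checks to run at the `high' security level.")

(defun my-nsm-run-high-checks (status)
  "Run every function in `my-nsm-high-checks' on STATUS.
Return the list of warning strings, or nil when nothing was flagged."
  (delq nil (mapcar (lambda (check) (funcall check status))
                    my-nsm-high-checks)))

;; Constructed sample statuses (not captured from a real connection).
(defvar my-nsm-sample-legacy
  '(:protocol "TLS1.2" :key-exchange "RSA" :cipher "AES-128-CBC" :mac "SHA1"))
(defvar my-nsm-sample-mixed
  '(:protocol "TLS1.2" :key-exchange "ECDHE-RSA" :cipher "3DES-CBC" :mac "SHA1"))
(defvar my-nsm-sample-modern
  '(:protocol "TLS1.2" :key-exchange "ECDHE-RSA" :cipher "AES-256-GCM" :mac "AEAD"))

;; Print the warnings for each sample: the legacy status trips both
;; checks, the mixed one only the CBC check, the modern one neither.
(dolist (sample (list my-nsm-sample-legacy
                      my-nsm-sample-mixed
                      my-nsm-sample-modern))
  (message "%s / %s -> %S"
           (plist-get sample :key-exchange)
           (plist-get sample :cipher)
           (my-nsm-run-high-checks sample)))
```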
