[Weechat-dev] [task #10106] Allow configurable TLS priorities or hardcod

weechat-dev

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Weechat-dev] [task #10106] Allow configurable TLS priorities or hardcod

From:	bazerka
Subject:	[Weechat-dev] [task #10106] Allow configurable TLS priorities or hardcode the use of SECURE256 priority
Date:	Mon, 18 Jan 2010 22:38:47 +0000
User-agent:	Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)

URL:
  <http://savannah.nongnu.org/task/?10106>

                 Summary: Allow configurable TLS priorities or hardcode the
use of SECURE256 priority
                 Project: WeeChat
            Submitted by: bazerka
            Submitted on: Mon 18 Jan 2010 10:38:46 PM GMT
                Category: other
         Should Start On: Mon 18 Jan 2010 12:00:00 AM GMT
   Should be Finished on: Mon 18 Jan 2010 12:00:00 AM GMT
                Priority: 5 - Normal
                  Status: None
                 Privacy: Public
        Percent Complete: 0%
             Assigned to: None
         Originator Name: 
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
                IRC nick: Bazerka

    _______________________________________________________

Details:

At present, TLS priorities are hardcoded to specify a preference list of
protocols only.

Due to this, 128bit ciphersuites are appearing in the ciphersuite list prior
to their 256bit counterparts and hence, will always be used in preference. 

I suggest either allowing the priority string to be user configurable, or
hardcoding the priority to include SECURE256 as well as the protocol, so that
the available cipersuite list is sorted from strongest to weakest (ie, 256bit
ciphersuites are listed before the 128bit variants).

For example,

gnutls-cli connecting to an ssl ircd without --priority SECURE256 shows :

|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_PSK_SHA_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_PSK_SHA_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_PSK_SHA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_PSK_SHA_ARCFOUR_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_RSA_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_DSS_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_DSS_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<3>| HSK[0x801236000]: Keeping ciphersuite: PSK_SHA_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: PSK_SHA_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: PSK_SHA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: PSK_SHA_ARCFOUR_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_3DES_EDE_CBC_SHA1
[SNIP]
- Version: TLS1.1
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed


Connecting to the same ircd with --priority SECURE256 shows:

|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_PSK_SHA_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_PSK_SHA_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_PSK_SHA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: DHE_PSK_SHA_ARCFOUR_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_RSA_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_DSS_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_DSS_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<3>| HSK[0x801236000]: Keeping ciphersuite: PSK_SHA_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: PSK_SHA_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: PSK_SHA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x801236000]: Keeping ciphersuite: PSK_SHA_ARCFOUR_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_AES_256_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_AES_128_CBC_SHA1
|<3>| HSK[0x801236000]: Removing ciphersuite: SRP_SHA_3DES_EDE_CBC_SHA1
[SNIP]
- Version: TLS1.1
- Key Exchange: DHE-RSA
- Cipher: AES-256-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed





    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/task/?10106>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/

[Prev in Thread]

Current Thread

[Next in Thread]

[Weechat-dev] [task #10106] Allow configurable TLS priorities or hardcode the use of SECURE256 priority, bazerka <=

Prev by Date: [Weechat-dev] [bug #28658] CTCP ACTION does not work in DCC chat
Next by Date: [Weechat-dev] [patch #7069] Missing includes in cmake/FindIconv.cmake
Previous by thread: [Weechat-dev] [bug #28658] CTCP ACTION does not work in DCC chat
Next by thread: [Weechat-dev] [patch #7069] Missing includes in cmake/FindIconv.cmake
Index(es):
- Date
- Thread