Tue Jan 14 05:22:13 EST 2014

#15862: Disable Export ciphers and DES in SSL
 Reporter:  fedor.brunner  |      Owner:  EionRobb
     Type:  defect         |     Status:  new
Milestone:                 |  Component:  unclassified
  Version:  2.10.7         |   Keywords:
 Please disable Export ciphers and DES for SSL connections in Pidgin. These
 ciphers are so weak they can be decrypted using a small computer cluster
 with moderate resources, so they offer no protection.

 I have tested SSL ciphers configured in Pidgin 2.10.7 using OpenSSL

 The current configuration is {{{DHE-RSA-AES256-SHA:DHE-DSS-

 You can list the properties of these ciphers using openssl ciphers

 $ openssl ciphers -v 'DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA
 DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
 DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
 AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
 DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
 DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
 RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
 RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
 AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
 EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
 EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
 DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
 EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
 EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
 DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
 EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5
 EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5

 Disable the DES with 56 bit keys: EDH-RSA-DES-CBC-SHA, EDH-DSS-DES-CBC-
 Disable the Export ciphers with 40 bit keys: EXP-RC4-MD5, EXP-RC2-CBC-MD5

 See the longer analysis here:


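As an added illustration of the check the ticket performs by hand (this is example code written for this page, not part of the ticket or of Pidgin), the script below parses the `openssl ciphers -v` output quoted above, flags the export (40-bit, RSA-512 key exchange) and single-DES (56-bit) suites the reporter asks to drop, and emits the remaining list as an explicit OpenSSL cipher string in the original order. It generalizes slightly beyond the ticket by also treating any symmetric key shorter than 128 bits as weak, which catches the same five suites here; the sample input is the ticket's own table, embedded as a constructed string so the script runs offline, and the `MIN_KEY_BITS` threshold is an assumption chosen for the example.

```python
import re
from typing import Dict, List

# Constructed sample: the `openssl ciphers -v` table quoted in the ticket.
SAMPLE = """\
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5
"""

# One `openssl ciphers -v` row: name, protocol, then Kx=/Au=/Enc=/Mac= fields.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

# Assumed threshold for the generalized check: anything below 128-bit
# symmetric keys is treated as weak (covers DES(56), RC4(40), RC2(40)).
MIN_KEY_BITS = 128


def parse_ciphers(text: str) -> List[Dict[str, str]]:
    """Turn `openssl ciphers -v` output into a list of field dicts."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def key_bits(enc: str) -> int:
    """Extract the key length from an Enc= field such as 'AES(256)'."""
    m = re.search(r"\((\d+)\)", enc)
    return int(m.group(1)) if m else 0


def weakness_reasons(c: Dict[str, str]) -> List[str]:
    """Return why a suite is weak per the ticket's criteria (empty if fine)."""
    reasons = []
    # Export suites: EXP- prefix and/or an RSA(512) ephemeral export key exchange.
    if c["name"].startswith("EXP-") or "(512)" in c["kx"]:
        reasons.append("export-grade suite")
    # Single DES (Enc=DES(56)); 3DES reports as '3DES(168)' and is not matched.
    if c["enc"].startswith("DES("):
        reasons.append("single DES (56-bit key)")
    bits = key_bits(c["enc"])
    if bits and bits < MIN_KEY_BITS:
        reasons.append(f"{bits}-bit symmetric key below {MIN_KEY_BITS}")
    return reasons


def audit(text: str) -> Dict[str, object]:
    """Classify every suite and build the hardened explicit cipher string."""
    weak: Dict[str, List[str]] = {}
    keep: List[str] = []
    for c in parse_ciphers(text):
        reasons = weakness_reasons(c)
        if reasons:
            weak[c["name"]] = reasons
        else:
            keep.append(c["name"])
    # Explicit list (not keyword exclusions) so the result is unambiguous
    # regardless of how a given OpenSSL build expands alias keywords.
    return {"weak": weak, "hardened": ":".join(keep)}


if __name__ == "__main__":
    result = audit(SAMPLE)
    for name, why in result["weak"].items():
        print(f"DROP {name}: {'; '.join(why)}")
    print("hardened cipher string:", result["hardened"])
```

To check a live build instead of the embedded table, pipe the output of `openssl ciphers -v '<your cipher string>'` into `audit()`; the explicit string it returns can be pasted back into the client configuration and re-verified with the same `openssl ciphers -v` command.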