[Pidgin] #15862: Disable Export ciphers and DES in SSL

Pidgin trac at pidgin.im
Tue Jan 14 05:22:13 EST 2014 

#15862: Disable Export ciphers and DES in SSL
---------------------------+--------------------------
 Reporter:  fedor.brunner  |      Owner:  EionRobb
     Type:  defect         |     Status:  new
Milestone:                 |  Component:  unclassified
  Version:  2.10.7         |   Keywords:
---------------------------+--------------------------
 Please disable Export ciphers and DES for SSL connections in Pidgin. These
 ciphers are so weak they can be decrypted using a small computer cluster
 with moderate resources, so they offer no protection.

 I have tested SSL ciphers configured in Pidgin 2.10.7 using OpenSSL
 s_server.

 The current configuration is {{{DHE-RSA-AES256-SHA:DHE-DSS-
 AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-
 AES128-SHA:RC4-SHA:RC4-MD5:AES128-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-
 CBC3-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA
 :EXP-RC4-MD5:EXP-RC2-CBC-MD5}}}

 You can list the properties of these ciphers using openssl ciphers

 {{{
 $ openssl ciphers -v 'DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA
 :DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:RC4-SHA:RC4-MD5:AES128-SHA:EDH-RSA-
 DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:EDH-
 DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5'
 DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
 DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
 AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
 DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
 DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
 RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
 RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
 AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
 EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
 EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
 DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
 EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
 EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
 DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
 EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5
 export
 EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5
 export
 }}}

 Disable the DES with 56 bit keys: EDH-RSA-DES-CBC-SHA, EDH-DSS-DES-CBC-
 SHA, DES-CBC-SHA
 Disable the Export ciphers with 40 bit keys: EXP-RC4-MD5, EXP-RC2-CBC-MD5

 See the longer analysis here:
 https://blog.thijsalkema.de/blog/2013/09/02/the-state-of-tls-on-xmpp-3/

-- 
Ticket URL: <https://developer.pidgin.im/ticket/15862>
Pidgin <https://pidgin.im>
Pidgin

More information about the Tracker mailing list