From owner-freebsd-questions@FreeBSD.ORG Fri Mar 6 23:58:16 2015 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id EA6451FC for ; Fri, 6 Mar 2015 23:58:16 +0000 (UTC) Received: from zoom.lafn.org (zoom.lafn.org [108.92.93.123]) by mx1.freebsd.org (Postfix) with ESMTP id C14898CA for ; Fri, 6 Mar 2015 23:58:16 +0000 (UTC) Received: from [10.0.1.2] (static-71-177-216-148.lsanca.fios.verizon.net [71.177.216.148]) (authenticated bits=0) by zoom.lafn.org (8.14.7/8.14.7) with ESMTP id t26Nw9mU080049 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 6 Mar 2015 15:58:10 -0800 (PST) (envelope-from bc979@lafn.org) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\)) Subject: Re: OpenSSL Ciphers From: Doug Hardie In-Reply-To: <5347DC2D-AD6C-41A1-AEC7-A81C51F691B3@lafn.org> Date: Fri, 6 Mar 2015 15:58:10 -0800 Content-Transfer-Encoding: quoted-printable Message-Id: References: <5347DC2D-AD6C-41A1-AEC7-A81C51F691B3@lafn.org> To: "freebsd-questions@freebsd.org Questions" X-Mailer: Apple Mail (2.2070.6) X-Virus-Scanned: clamav-milter 0.98 at zoom.lafn.org X-Virus-Status: Clean X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Mar 2015 23:58:17 -0000 > On 3 March 2015, at 23:21, Doug Hardie wrote: >=20 > The default list of ciphers is quite extensive and includes some that = are apparently causing some potential security issues. I have a number = of applications that use OpenSSL and many don=E2=80=99t have the code to = restrict the list. Fixing all that would take quite a bit of work. = However, looking into /usr/include/openssl/ssl.h I find a definition for = the SSL_DEFAULT_CIPHER_LIST. The comments indicate that that list is = the one used when the application doesn=E2=80=99t specify anything. I = changed its definition to: >=20 > #define SSL_DEFAULT_CIPHER_LIST = "TLSv1+HIGH:!SSLv2:RC4+MEDIUM:!aNULL:!eNULL:!3DES:@STRENGTH: >=20 > However, s_connect will still create a connection with the export = ciphers. I tried adding !EXPORT to that list and it had no effect. Is = the definition actually used by openssl or is it just there for = documentation? Not hearing anything on this, I suspect it=E2=80=99s not very well = understood. I have started updating the various servers/clients that = use SSL/TLS. The one that has me completely stumped is sendmail. There = is a web page which provides instructions = "http://novosial.org/sendmail/cipherlist/index.html=E2=80=9D. However, = when I follow them, I can still establish a connection and deliver mail = using the export ciphers. =20 Has anyone successfully restricted the sendmail ciphers?=