From owner-freebsd-questions@FreeBSD.ORG  Sat Mar  7 00:28:24 2015
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 537B3A6A
 for <freebsd-questions@freebsd.org>; Sat,  7 Mar 2015 00:28:24 +0000 (UTC)
Received: from mail-in4.apple.com (mail-out4.apple.com [17.151.62.26])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 26799BEF
 for <freebsd-questions@freebsd.org>; Sat,  7 Mar 2015 00:28:23 +0000 (UTC)
Received: from relay5.apple.com (relay5.apple.com [17.128.113.88])
 by mail-in4.apple.com (Apple Secure Mail Relay) with SMTP id
 41.5A.12706.7264AF45; Fri,  6 Mar 2015 16:28:23 -0800 (PST)
X-AuditID: 11973e12-f79d66d0000031a2-33-54fa46276d20
Received: from [17.149.231.242] (Unknown_Domain [17.149.231.242])
 (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by relay5.apple.com (Apple SCV relay) with SMTP id 55.B5.16346.9264AF45;
 Fri,  6 Mar 2015 16:28:25 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
Subject: Re: OpenSSL Ciphers
From: Charles Swiger <cswiger@mac.com>
In-Reply-To: <B8A83AF6-B354-46E7-A736-64959C53CD66@lafn.org>
Date: Fri, 6 Mar 2015 16:28:22 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <DC459F71-D819-4BB9-AC1A-4E1D5EB6D4E8@mac.com>
References: <5347DC2D-AD6C-41A1-AEC7-A81C51F691B3@lafn.org>
 <B8A83AF6-B354-46E7-A736-64959C53CD66@lafn.org>
To: Doug Hardie <bc979@lafn.org>
X-Mailer: Apple Mail (2.2070.6)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrHLMWRmVeSWpSXmKPExsUi2FAYoavu9ivEYOcidou3P56wWbz8uonF
 gcljxqf5LB4tV2eyBjBFcdmkpOZklqUW6dslcGX8mHGBteC3RMXupibGBsaTwl2MnBwSAiYS
 1xc9Y4OwxSQu3FsPZHNxCAnsZZSYcKaTFaZoX/dcqMR0Jomt13+DJZgF1CX+zLvEDGLzChhI
 zD31hQnEFhaQkfj6+hVQAwcHm4CaxISJPCBhTgEbiaPbr4G1sgioSEzfPYEZYoyuRNONt4wQ
 trbEsoWvoUZaSbw4cgzMFhLIljh3ayGYLSKgIHFr8wZGkPESAvISPZvSQU6TEPjIKrF17g/m
 CYxCs5BcNwvJdbOQrFjAyLyKUSg3MTNHNzPPRC+xoCAnVS85P3cTIyiAp9sJ7WA8tcrqEKMA
 B6MSD2+H1M8QIdbEsuLK3EOM0hwsSuK8ti+AQgLpiSWp2ampBalF8UWlOanFhxiZODilGhjn
 zzNVne94cevNNdWPaw3eWHqkhyS/LpbO58rQPVj8oT/1p/icqLr5J0LDXkmXTi6b4Fe0rXn1
 x2nveD7sj7yhVlN6iX+GtPnNrTO3bkrb5e289aVhl4u2l4/ZoYiatCtZ92uXB30vnMGxOORC
 yhT/mk8VnRNLjZvWLhHo3q1e/S65pM8gq1CJpTgj0VCLuag4EQCgl2jjQQIAAA==
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrILMWRmVeSWpSXmKPExsUiOPX5J11Nt18hBrP3a1i8/fGEzeLl100s
 DkweMz7NZ/FouTqTNYApissmJTUnsyy1SN8ugSvjx4wLrAW/JSp2NzUxNjCeFO5i5OSQEDCR
 2Nc9lw3CFpO4cG89kM3FISQwnUli6/XfrCAJZgF1iT/zLjGD2LwCBhJzT31hArGFBWQkvr5+
 BdTAwcEmoCYxYSIPSJhTwEbi6PZrYK0sAioS03dPYIYYoyvRdOMtI4StLbFs4WuokVYSL44c
 A7OFBLIlzt1aCGaLCChI3Nq8gRFkvISAvETPpvQJjPyzkBw0C8lBs5BMXcDIvIpRoCg1J7HS
 VC+xoCAnVS85P3cTIyjgGgojdjD+X2Z1iFGAg1GJh9dA4meIEGtiWXFl7iFGCQ5mJRHeqcq/
 QoR4UxIrq1KL8uOLSnNSiw8xSnOwKInzbrv4I0RIID2xJDU7NbUgtQgmy8TBKdXAGFwSvyP+
 1P9urgU/M/6ujm8QVPbx7njbcOLJstrwiCV+15I9vV7yr70/hfvXOm8lt0ye68rXfK8u2d1+
 Rc3z+OP17659O3Ofo3a9j+W1xY/ucb/K3ZI2uXv937/GjCsuxfJqebs51dzz75PmVzvou07/
 eHq9U+CRB31rpLPVnwZs7pAOXSzUp8RSnJFoqMVcVJwIAF93Tm40AgAA
Cc: FreeBSD - <freebsd-questions@freebsd.org>
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Mar 2015 00:28:24 -0000

Hi--

> On Mar 6, 2015, at 3:58 PM, Doug Hardie <bc979@lafn.org> wrote:
>> On 3 March 2015, at 23:21, Doug Hardie <bc979@lafn.org> wrote:
>> The default list of ciphers is quite extensive and includes some that =
are apparently causing some potential security issues.  I have a number =
of applications that use OpenSSL and many don=E2=80=99t have the code to =
restrict the list.  Fixing all that would take quite a bit of work.  =
However, looking into /usr/include/openssl/ssl.h I find a definition for =
the SSL_DEFAULT_CIPHER_LIST.  The comments indicate that that list is =
the one used when the application doesn=E2=80=99t specify anything.  I =
changed its definition to:
>>=20
>> #define SSL_DEFAULT_CIPHER_LIST =
"TLSv1+HIGH:!SSLv2:RC4+MEDIUM:!aNULL:!eNULL:!3DES:@STRENGTH:
>>=20
>> However, s_connect will still create a connection with the export =
ciphers.  I tried adding !EXPORT to that list and it had no effect.  Is =
the definition actually used by openssl or is it just there for =
documentation?
>=20
> Not hearing anything on this, I suspect it=E2=80=99s not very well =
understood.  I have started updating the various servers/clients that =
use SSL/TLS.  The one that has me completely stumped is sendmail.  There =
is a web page which provides instructions =
"http://novosial.org/sendmail/cipherlist/index.html=E2=80=9D.  However, =
when I follow them, I can still establish a connection and deliver mail =
using the export ciphers. =20
>=20
> Has anyone successfully restricted the sendmail ciphers?

You can see which ciphers openssl will support via a statement like:

% openssl ciphers -v =
'TLSv1+HIGH:RC4+MEDIUM:!aNULL:!eNULL:!3DES:@STRENGTH:!EXPORT'
DHE-RSA-AES256-SHA      SSLv3 Kx=3DDH       Au=3DRSA  Enc=3DAES(256)  =
Mac=3DSHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=3DDH       Au=3DDSS  Enc=3DAES(256)  =
Mac=3DSHA1
AES256-SHA              SSLv3 Kx=3DRSA      Au=3DRSA  Enc=3DAES(256)  =
Mac=3DSHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=3DDH       Au=3DRSA  Enc=3DAES(128)  =
Mac=3DSHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=3DDH       Au=3DDSS  Enc=3DAES(128)  =
Mac=3DSHA1
AES128-SHA              SSLv3 Kx=3DRSA      Au=3DRSA  Enc=3DAES(128)  =
Mac=3DSHA1
RC4-SHA                 SSLv3 Kx=3DRSA      Au=3DRSA  Enc=3DRC4(128)  =
Mac=3DSHA1
RC4-MD5                 SSLv3 Kx=3DRSA      Au=3DRSA  Enc=3DRC4(128)  =
Mac=3DMD5=20
RC4-MD5                 SSLv2 Kx=3DRSA      Au=3DRSA  Enc=3DRC4(128)  =
Mac=3DMD5=20

...and you can experiment with TLS negotiation results via something =
like:

% openssl s_client -cipher 'AES256-SHA:AES128-SHA' -connect =
www.google.com:443
[ ... ]
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: [ ... ]

Sendmail normally performs crypto via STARTTLS negotiation rather than =
via SMTPS; there's a CipherList option which can be defined via =
sendmail.mc / sendmail.cf.  You might need to recompile sendmail with =
-D_FFR_TLS_1, which I think that novosial page mentions.

Regards,
--=20
-Chuck