Nmap Development mailing list archives

Re: Discussion of Ncat's SSL security choices


From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 6 Jan 2015 22:50:59 -0600

On Tue, Jan 6, 2015 at 10:15 PM, David Fifield <david () bamsoftware com>
wrote:


I'm surprised at those _anon_ ciphers in there. But I guess they come
out of our cipher specification:
        openssl ciphers 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'
includes AECDH-AES256-SHA, AECDH-AES128-SHA, AECDH-RC4-SHA, and
AECDH-DES-CBC3-SHA. I guess !ADH excludes anonymous Diffie–Hellman, but
not anonymous EC Diffie–Hellman.


I think it would be safe (and wise) to switch that first ALL to either
DEFAULT or ALL:!aNULL:!eNULL (which is what my ciphers(1SSL) manpage says
DEFAULT is equivalent to anyway). After all, ciphersuite selection is the
one thing we actually allow users to override (since r33862).

Dan
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
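An added check, not code from the thread or from Ncat itself, that asks whatever OpenSSL the local Python links which suites each spec enables and which of those are unauthenticated (NULL auth, i.e. the ADH-*/AECDH-* anonymous suites the thread is about). Which anonymous suites survive Ncat's spec depends on the OpenSSL build, but the proposed `ALL:!aNULL:!eNULL` should admit none on any build.

```python
import ssl

# The cipher spec quoted in the thread (Ncat's at the time) and the
# replacement Dan proposes.
NCAT_SPEC = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'
PROPOSED_SPEC = 'ALL:!aNULL:!eNULL'


def enabled_suites(spec):
    """Suites the linked OpenSSL enables for `spec`, as (name, auth)
    pairs in priority order. Uses only the stdlib ssl module, so the
    answer reflects this interpreter's OpenSSL build, not a fixed list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)            # raises ssl.SSLError if nothing matches
    return [(c['name'], c.get('auth')) for c in ctx.get_ciphers()]


def anonymous_suites(spec):
    """Names of suites admitted by `spec` in which the server proves
    nothing about its identity: NULL authentication, which OpenSSL
    reports as 'auth-null' and names with an ADH-/AECDH- prefix."""
    return [name for name, auth in enabled_suites(spec)
            if auth == 'auth-null' or name.startswith(('ADH-', 'AECDH-'))]


def report(spec):
    """Human-readable summary of what `spec` lets through."""
    anon = anonymous_suites(spec)
    lines = ['%s -> %d suites, %d anonymous' % (spec, len(enabled_suites(spec)), len(anon))]
    lines.extend('  anonymous: ' + n for n in anon)
    return '\n'.join(lines)


if __name__ == '__main__':
    print(ssl.OPENSSL_VERSION)
    print(report(NCAT_SPEC))
    print(report(PROPOSED_SPEC))
```

Anything listed under "anonymous" for the first spec is a suite `!ADH` failed to exclude; on a build that still ships them these are exactly the AECDH-* names from the quoted message.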