oss-sec mailing list archives
Re: CVE Request?: konqueror - https uses all ciphers, even weak ones
From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Tue, 04 Mar 2014 13:00:17 +0000
On 03/04/2014 12:28 PM, John Haxby wrote:

> openssl s_client doesn't report problems, but I wouldn't expect it to.

it should; its peers do:

  gnutls-cli demo.cmrg.net

fails safely closed with:

  GnuTLS error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).

and (from libnss3-tools):

  tstclnt -h demo.cmrg.net

fails safely closed with:

  tstclnt: read from socket failed: SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY: SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.

> wget just downloads index.html without any issue.

i also consider this a flaw in wget. i suspect you've got wget compiled against openssl, because for me (debian testing), wget fails safely closed with:

  GnuTLS: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
  Unable to establish SSL connection.

while curl (built against OpenSSL) accepts the insecure connection and proceeds (even leaking cookie information across the weak connection if i ask it to send cookies).

fwiw, i reported this problem on the openssl-dev mailing list back in november, following private discussion with openssl upstream:

  http://marc.info/?l=openssl-dev&m=138386738312983&w=2

Regards,

--dkg
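The "fails safely closed" behaviour described above comes down to one check in the client: after receiving the DHE ServerKeyExchange, look at the length of dh_p and abort the handshake if it is too short. The following is an added example (not code from the thread, and not the implementation in GnuTLS, NSS, OpenSSL, wget or curl) that parses the ServerDHParams structure from RFC 5246 section 7.4.3 and applies such a minimum. The two sample messages are constructed in the block itself with padded integers that are not real safe primes; the 1024-bit minimum is this example's own policy, not any library's default, and the function and class names are the example's own.

```python
"""Fail closed on a short Diffie-Hellman prime in a TLS 1.2 DHE ServerKeyExchange.

Added example, not code from the oss-sec thread or from GnuTLS/NSS/OpenSSL.
ServerDHParams (RFC 5246 section 7.4.3) is three length-prefixed opaque fields:
  opaque dh_p<1..2^16-1>; opaque dh_g<1..2^16-1>; opaque dh_Ys<1..2^16-1>;
followed (for signed DHE ciphersuites) by the signature over the params.
"""
import struct

# Policy chosen for this example (assumption), not a library default.
DEFAULT_MIN_PRIME_BITS = 1024


class WeakDHPrime(Exception):
    """Raised when the server's dh_p is shorter than the configured minimum."""


def _read_opaque16(buf, off):
    """Read one 'opaque <1..2^16-1>' field: 2-byte big-endian length, then bytes."""
    if off + 2 > len(buf):
        raise ValueError("truncated length prefix at offset %d" % off)
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("empty or truncated field body at offset %d" % off)
    return buf[off:off + n], off + n


def parse_server_dh_params(body):
    """Parse ServerDHParams from the start of a ServerKeyExchange body.

    Returns (p, g, Ys, rest) with p, g, Ys as ints and rest as the trailing
    bytes (the signature, which this example does not verify).
    """
    p_bytes, off = _read_opaque16(body, 0)
    g_bytes, off = _read_opaque16(body, off)
    ys_bytes, off = _read_opaque16(body, off)
    return (int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big"),
            int.from_bytes(ys_bytes, "big"), body[off:])


def check_dhe_server_key_exchange(body, min_prime_bits=DEFAULT_MIN_PRIME_BITS):
    """Fail closed on a short prime. Returns the prime's bit length on success.

    bit_length() is what matters: a 64-byte field whose top bit is clear is
    not a 512-bit prime, so the check is on the integer, not the field length.
    """
    p, g, ys, _signature = parse_server_dh_params(body)
    bits = p.bit_length()
    if bits < min_prime_bits:
        raise WeakDHPrime("server sent a %d-bit DH prime; minimum is %d"
                          % (bits, min_prime_bits))
    # Basic sanity on the other parameters: g and Ys must lie in [2, p-2].
    if not 1 < g < p - 1 or not 1 < ys < p - 1:
        raise ValueError("DH generator or server public value out of range")
    return bits


def verdict(body, min_prime_bits=DEFAULT_MIN_PRIME_BITS):
    """One-line summary of what a fail-closed client would do with this message."""
    try:
        bits = check_dhe_server_key_exchange(body, min_prime_bits)
    except WeakDHPrime as e:
        return "rejected: %s" % e
    except ValueError as e:
        return "rejected (malformed): %s" % e
    return "accepted: %d-bit DH prime" % bits


def build_server_dh_params(p, g, ys, signature=b""):
    """Encode ServerDHParams; a constructed-test helper that mirrors the parser."""
    out = b""
    for v in (p, g, ys):
        vb = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(vb)) + vb
    return out + signature


# Constructed samples: odd integers with the top bit set, NOT real safe primes.
WEAK_512 = build_server_dh_params(
    p=(1 << 511) | 0x12345 | 1, g=2, ys=(1 << 400) + 3, signature=b"\x00" * 8)
STRONG_2048 = build_server_dh_params(
    p=(1 << 2047) | 0xABCD | 1, g=2, ys=(1 << 1000) + 7, signature=b"\x00" * 8)

if __name__ == "__main__":
    print("512-bit group :", verdict(WEAK_512))
    print("2048-bit group:", verdict(STRONG_2048))
```

The minimum is a parameter on purpose: a client that wants the permissive behaviour described for OpenSSL-linked curl can pass a low value, but the default should refuse, and the refusal must happen before any application data (cookies included) is sent over the connection.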