Re: default cipher suites in curl

[Marcus Meissner <meissner () suse de>]

On Mon, Jul 07, 2014 at 12:46:42PM +1000, Michael Samuel wrote:
> Hi,
>
> On 2 July 2014 01:44, Marcus Meissner <meissner () suse de> wrote:
> > Clients using the library could however set ciphers via
> > an option, but as it would work without, they might not have.
>
> This will only happen when the server either doesn't support stronger
> ciphers or when the server requests it's cipher order be honoured and
> chooses export ciphers first.   An attacker can't trigger this with SSLv3
> or TLS.

I was more thinking of a man in the middle attack during the connection
setup.

> > Should it get a CVE?
>
> If a weak cipher was negotiated, it's because the server preferred this and
> the client didn't care.  There's no trust boundary crossed.

" ... and the client did not care" is I think the point here.

curl in that form would accept all weak ciphers.

> An argument could be made that the clients would rather not establish a
> connection at all than negotiate a weak cipher.  Not sure if that counts for
> CVE or just hardening?

Thats my question here :)

> Either way, this is a workaround for an OpenSSL bug.

Ciao, Marcus