Bug 1019972
Summary: | socat: needs to specify OpenSSL cipher suites | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Florian Weimer <fweimer> |
Component: | socat | Assignee: | Paul Wouters <pwouters> |
Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 7.0 | CC: | gerhard |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-09-24 08:35:47 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1019961 |
Description
Florian Weimer
2013-10-16 17:27:37 UTC
To my best knowledge the peers agree on one of the most secure ciphers they share. On the other hand, socat OPENSSL provides the 'cipher' option that allows to set a list of allowed ciphers. Please explain what you want to gain or which scenario you are concerned about! (In reply to Gerhard from comment #2) > To my best knowledge the peers agree on one of the most secure ciphers they > share. On the other hand, socat OPENSSL provides the 'cipher' option that > allows to set a list of allowed ciphers. > > Please explain what you want to gain or which scenario you are concerned > about! There is increased risk of downgrade attacks if both ends support weak cipher suites. I think a default of "HIGH:-NULL:-PSK:-aNULL" would make sense for the cipher suite selector. If users need RC4, they'd have to enable it explicitly (which increasingly makes sense). With Socat 1.7.3.0 "HIGH:-NULL:-PSK:-aNULL" is the default cipherlist. OpenSSL defaults in Red Hat Enterprise Linux 7 were changed in OpenSSL, so this is no longer an issue. |