Bug 1156422

Summary: curl does not allow explicit control of DHE ciphers
Product: Red Hat Enterprise Linux 6 Reporter: Martin Poole <mpoole>
Component: curlAssignee: Kamil Dudka <kdudka>
Status: CLOSED ERRATA QA Contact: Stefan Kremen <skremen>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.6CC: kdudka, ovasik, qe-baseos-security
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: curl-7.19.7-43.el6 Doc Type: Enhancement
Doc Text:
With the updated packages, it is possible to explicitly enable/disable new AES (Advanced Encryption Standard) cipher-suites to be used for TLS.
 Story Points: ---
Clone Of: 1156410 Environment:
Last Closed: 2015-07-22 05:44:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1066065    
Bug Blocks:    
Attachments:
Description Flags
Patch to add missing cipher names. kdudka: review-

Description Martin Poole 2014-10-24 12:32:51 UTC 
Created attachment 950380 [details]
Patch to add missing cipher names.

+++ This bug was initially created as a clone of Bug #1156410 +++

Description of problem:

curl has a list of ciphers that are not enabled by default that it adds to the library default selection in the absence of any explicit ciphers.

  /* following ciphers are new in NSS 3.4 and not enabled by default, therefore
     they are enabled explicitly */
  static const int enable_ciphers_by_default[] = {
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_256_CBC_SHA,
    SSL_NULL_WITH_NULL_NULL
  };

Unfortunately these ciphers are not made available in the list of choosable ciphers and so cannot be explicitly selected for use.


Version-Release number of selected component (if applicable):

curl-7.19.7
Comment 2 Kamil Dudka 2014-10-24 12:49:00 UTC 
Comment on attachment 950380 [details]
Patch to add missing cipher names.

Thanks for the patch.  However, we need to use the upstream solution in order to stay compatible with newer releases:

https://github.com/bagder/curl/compare/4c599b9d2d...67061e3f4e
Comment 10 errata-xmlrpc 2015-07-22 05:44:03 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1254.html