Bug 1019972 - socat: needs to specify OpenSSL cipher suites
socat: needs to specify OpenSSL cipher suites
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: socat (Show other bugs)
7.0
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Paul Wouters
BaseOS QE Security Team
:
Depends On:
Blocks: 1019961
  Show dependency treegraph
 
Reported: 2013-10-16 13:27 EDT by Florian Weimer
Modified: 2015-09-24 04:35 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-09-24 04:35:47 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Florian Weimer 2013-10-16 13:27:37 EDT
socat currently does not seem to set the cipher suites, so it ends up using insecure ciphers such as 40 bit RC4.  Not sure if the full elaborate cipher suite setting logic of <http://docs.fedoraproject.org/en-US/Fedora_Security_Team//html/Defensive_Coding/sect-Defensive_Coding-TLS-Client.html#ex-Defensive_Coding-TLS-Client-OpenSSL-CTX> is needed.  Hard-coding "HIGH:RC4-SHA:RC4-MD5:-PSK:-ADH:-AECDH" is probably okay if we're prepared to patch socat if we need to retire RC4 support.
Comment 2 Gerhard 2014-04-03 04:29:54 EDT
To my best knowledge the peers agree on one of the most secure ciphers they share. On the other hand, socat OPENSSL provides the 'cipher' option that allows to set a list of allowed ciphers.

Please explain what you want to gain or which scenario you are concerned about!
Comment 3 Florian Weimer 2014-04-07 03:41:54 EDT
(In reply to Gerhard from comment #2)
> To my best knowledge the peers agree on one of the most secure ciphers they
> share. On the other hand, socat OPENSSL provides the 'cipher' option that
> allows to set a list of allowed ciphers.
> 
> Please explain what you want to gain or which scenario you are concerned
> about!

There is increased risk of downgrade attacks if both ends support weak cipher suites.

I think a default of "HIGH:-NULL:-PSK:-aNULL" would make sense for the cipher suite selector.  If users need RC4, they'd have to enable it explicitly (which increasingly makes sense).
Comment 5 Gerhard 2015-01-24 15:37:13 EST
With Socat 1.7.3.0 "HIGH:-NULL:-PSK:-aNULL" is the default cipherlist.
Comment 7 Florian Weimer 2015-09-24 04:35:47 EDT
OpenSSL defaults in Red Hat Enterprise Linux 7 were changed in OpenSSL, so this is no longer an issue.

Note You need to log in before you can comment on or make changes to this bug.