Description of problem:
When creating an SSL context using one of SSLv23_*method(), openssl also permits weak ciphers (LOW and EXP groups). These ciphers have been obsolete for a really long time and they should not be used unless explicitly enabled.

Version-Release number of selected component (if applicable):
openssl-1.0.1e-15.el6.x86_64

How reproducible:
always

Steps to Reproduce:
server:
1. set up an openssl-based server with no cipher/tls version preference
2. connect to the server with "openssl s_client <...> -cipher 'LOW:EXP'" (or testing tools from gnutls or nss set to just weak ciphers)
client:
1. run "openssl s_server ... -cipher 'EXP:LOW'"
2. connect to the server with an unsuspecting openssl-based client that uses just SSL_CTX_new(SSLv23_method())

Actual results:
connection is established in both cases

Expected results:
connection should fail unless the weak cipher suites are explicitly enabled

Additional info:
I'm sorry but this is a kind of thing we cannot do in a released version of RHEL. We could still do this in RHEL-7, but even there it needs serious reasoning.
*** This bug has been marked as a duplicate of bug 1057520 ***
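An application-side check for the behaviour reported above, as an added example that is not part of the bug report or of OpenSSL: it uses Python's `ssl` module (which wraps OpenSSL) instead of the C API, sets an explicit cipher string that removes the LOW and EXP groups, and audits the resulting list. The names `HARDENED`, `MIN_BITS`, `weak_suites` and `hardened_context`, the 112-bit threshold and the sample cipher list are assumptions made for illustration.

```python
import ssl

# Keep the library defaults but explicitly drop the groups named in the report
# (LOW, EXP) as well as unauthenticated and unencrypted suites.
HARDENED = "DEFAULT:!LOW:!EXP:!aNULL:!eNULL"
MIN_BITS = 112  # assumption: anything below this is treated as weak


def weak_suites(ciphers, min_bits=MIN_BITS):
    """Return names of export-grade suites or suites below min_bits.

    `ciphers` is a list of dicts shaped like SSLContext.get_ciphers() output.
    """
    weak = []
    for c in ciphers:
        name = c["name"]
        if name.startswith("EXP-") or c.get("strength_bits", 0) < min_bits:
            weak.append(name)
    return weak


def hardened_context():
    """Client context whose cipher list is set explicitly, not left at default."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(HARDENED)
    return ctx


# Constructed sample imitating a default list that still contains LOW/EXP
# suites, as the report describes; it was not captured from a real system.
SAMPLE_OLD_DEFAULT = [
    {"name": "AES256-SHA", "strength_bits": 256},
    {"name": "DES-CBC-SHA", "strength_bits": 56},      # LOW group
    {"name": "EXP-RC4-MD5", "strength_bits": 40},      # EXP group
    {"name": "EXP-DES-CBC-SHA", "strength_bits": 40},  # EXP group
]

if __name__ == "__main__":
    print("weak in sample:", weak_suites(SAMPLE_OLD_DEFAULT))
    print("weak after hardening:", weak_suites(hardened_context().get_ciphers()))
```

Running the same audit on a context created without `set_ciphers()` shows what the linked OpenSSL build enables by default.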