Bug 1156422 – curl does not allow explicit control of DHE ciphers

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1156422 - curl does not allow explicit control of DHE ciphers

Summary:	curl does not allow explicit control of DHE ciphers

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	curl (Show other bugs)
Sub Component:
Version:	6.6
Hardware:	Unspecified Unspecified

Priority	unspecified Severity high
Target Milestone:	rc
Target Release:	---
Assigned To:	Kamil Dudka
QA Contact:	Stefan Kremen
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:	1066065
Blocks:
	Show dependency tree / graph

Reported:	2014-10-24 08:32 EDT by Martin Poole
Modified:	2015-07-22 01:44 EDT (History)
CC List:	3 users (show)

See Also:
Fixed In Version:	curl-7.19.7-43.el6
Doc Type:	Enhancement
Doc Text:	With the updated packages, it is possible to explicitly enable/disable new AES (Advanced Encryption Standard) cipher-suites to be used for TLS.
Story Points:	---
Clone Of:	1156410
Environment:
Last Closed:	2015-07-22 01:44:03 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Patch to add missing cipher names. (804 bytes, patch) 2014-10-24 08:32 EDT, Martin Poole	kdudka: review-	Details \| Diff
Show Obsolete (1) Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:1254	normal	SHIPPED_LIVE	Moderate: curl security, bug fix, and enhancement update	2015-07-20 13:50:03 EDT

Groups: None (edit)

Description Martin Poole 2014-10-24 08:32:51 EDT

Created attachment 950380 [details]
Patch to add missing cipher names.

+++ This bug was initially created as a clone of Bug #1156410 +++

Description of problem:

curl has a list of ciphers that are not enabled by default that it adds to the library default selection in the absence of any explicit ciphers.

  /* following ciphers are new in NSS 3.4 and not enabled by default, therefore
     they are enabled explicitly */
  static const int enable_ciphers_by_default[] = {
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_256_CBC_SHA,
    SSL_NULL_WITH_NULL_NULL
  };

Unfortunately these ciphers are not made available in the list of choosable ciphers and so cannot be explicitly selected for use.


Version-Release number of selected component (if applicable):

curl-7.19.7

Comment 2 Kamil Dudka 2014-10-24 08:49:00 EDT

Comment on attachment 950380 [details]
Patch to add missing cipher names.

Thanks for the patch.  However, we need to use the upstream solution in order to stay compatible with newer releases:

https://github.com/bagder/curl/compare/4c599b9d2d...67061e3f4e

Comment 10 errata-xmlrpc 2015-07-22 01:44:03 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1254.html

Note You need to log in before you can comment on or make changes to this bug.