Bug 1156422 - curl does not allow explicit control of DHE ciphers
Summary: curl does not allow explicit control of DHE ciphers
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: curl
Version: 6.6
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
: ---
Assignee: Kamil Dudka
QA Contact: Stefan Kremen
URL:
Whiteboard:
Depends On: 1066065
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-10-24 12:32 UTC by Martin Poole
Modified: 2019-07-11 08:17 UTC (History)
3 users (show)

Fixed In Version: curl-7.19.7-43.el6
Doc Type: Enhancement
Doc Text:
With the updated packages, it is possible to explicitly enable/disable new AES (Advanced Encryption Standard) cipher-suites to be used for TLS.
Clone Of: 1156410
Environment:
Last Closed: 2015-07-22 05:44:03 UTC
Target Upstream Version:


Attachments (Terms of Use)
Patch to add missing cipher names. (804 bytes, patch)
2014-10-24 12:32 UTC, Martin Poole
kdudka: review-
Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1254 normal SHIPPED_LIVE Moderate: curl security, bug fix, and enhancement update 2015-07-20 17:50:03 UTC

Description Martin Poole 2014-10-24 12:32:51 UTC
Created attachment 950380 [details]
Patch to add missing cipher names.

+++ This bug was initially created as a clone of Bug #1156410 +++

Description of problem:

curl has a list of ciphers that are not enabled by default that it adds to the library default selection in the absence of any explicit ciphers.

  /* following ciphers are new in NSS 3.4 and not enabled by default, therefore
     they are enabled explicitly */
  static const int enable_ciphers_by_default[] = {
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_256_CBC_SHA,
    SSL_NULL_WITH_NULL_NULL
  };

Unfortunately these ciphers are not made available in the list of choosable ciphers and so cannot be explicitly selected for use.


Version-Release number of selected component (if applicable):

curl-7.19.7

Comment 2 Kamil Dudka 2014-10-24 12:49:00 UTC
Comment on attachment 950380 [details]
Patch to add missing cipher names.

Thanks for the patch.  However, we need to use the upstream solution in order to stay compatible with newer releases:

https://github.com/bagder/curl/compare/4c599b9d2d...67061e3f4e

Comment 10 errata-xmlrpc 2015-07-22 05:44:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1254.html


Note You need to log in before you can comment on or make changes to this bug.