[Icecast-dev] fix for unsafe ssl options
Dave Miller
justdave at mozilla.com
Fri Aug 6 16:00:19 PDT 2010
Thomas B. Ruecker wrote on 8/6/10 4:43 PM:
> Hi Niv,
>
> Thanks for your comments. I'm CC'ing the patch author.
>
> On Wed, Aug 04, 2010 at 05:37:44PM +0200, Niv Sardi wrote:
>> Do we really need that many ?
>> http://www.google.com/codesearch/p?hl=en#5KTrgOW2hXs/pub/nslu2/sources/vsftpd-2.0.4.tar.gz%7CXknrlk4c3C4/vsftpd-2.0.4/ssl.c&q=SSL_CTX_set_cipher_list
>>
>> vsftpd seems to only be including "DES-CBC3-SHA"
>> http://www.google.com/codesearch?q=tunable_ssl_ciphers&exact_package=http://ftp.osuosl.org/pub/nslu2/sources/vsftpd-2.0.4.tar.gz&hl=en
>>
>> That apart (and I'm no OpenSSL savvy), the patch looks good.
>
> I have to admit that I haven't even looked at the patch while forwarding the information, but I'm willing to trust justdave here as he most likely looked at what Mozilla products do and why they do it. ;-)
The list of ciphers included is the ones it will allow to work, not
necessarily what it'll try to use. The client and the server will
negotiate on which one they want to use. The list I put in as the
default is the one recommended as "best practice" for Apache by a couple
penetration-testing companies we've used. It's a more-restrictive list
than the one you get by default if you don't ask for a specific set, but
it's large enough to allow good compatibility without allowing any
broken or weak codecs. But this is also the reason I made it an
optional config option, so you can override it with a different list if
you want fewer (like only the really high grade encryption), or want
more and don't care about being hacked or whatever. :)
--
Dave Miller http://www.justdave.net/
System Administrator, Mozilla Corporation http://www.mozilla.com/
Project Leader, Bugzilla Bug Tracking System http://www.bugzilla.org/
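As an added example (not code from the Icecast patch or from anyone in this thread), the check a reviewer would want before trusting a cipher-list string: apply it the way SSL_CTX_set_cipher_list() does, list what the context is then allowed to negotiate, and flag anything weak that an override might let back in. It uses Python's ssl module, which wraps that same OpenSSL call; the cipher strings are constructed stand-ins, since the patch's actual default list is not quoted here.

```python
import ssl

# Constructed cipher strings for illustration; the real default in the
# Icecast patch is not quoted in this thread, so these are stand-ins.
RESTRICTIVE = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!SRP"
VSFTPD_STYLE = "DES-CBC3-SHA"  # the single cipher Niv notes vsftpd allows

# Name fragments of cipher families a config override should not reintroduce.
WEAK_MARKERS = ("NULL", "EXP", "RC4", "DES-CBC", "MD5", "ADH", "AECDH")


def allowed_ciphers(cipher_string):
    """Apply cipher_string as SSL_CTX_set_cipher_list() would and return
    what the context may negotiate (name -> strength bits). This is the
    *allowed* set; which one is used is decided with the client.
    Raises ssl.SSLError when the string matches no cipher at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return {c["name"]: c["strength_bits"] for c in ctx.get_ciphers()}


def weak_ciphers(allowed):
    """Names in the allowed set that are under 128 bits of strength or
    belong to a known-broken family, sorted for stable output."""
    return sorted(name for name, bits in allowed.items()
                  if bits < 128 or any(m in name for m in WEAK_MARKERS))


def is_usable(cipher_string):
    """True if the string yields at least one cipher. An override that
    matches nothing would leave the server unable to complete a handshake."""
    try:
        return bool(allowed_ciphers(cipher_string))
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    for label, spec in (("restrictive", RESTRICTIVE), ("vsftpd-style", VSFTPD_STYLE)):
        if not is_usable(spec):
            print(f"{label}: no cipher selectable by this OpenSSL build")
            continue
        allowed = allowed_ciphers(spec)
        print(f"{label}: {len(allowed)} ciphers allowed, weak: {weak_ciphers(allowed)}")
```

Whether DES-CBC3-SHA is selectable at all depends on the OpenSSL build; the restrictive string should always yield a non-empty set with nothing flagged.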