You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by Rainer Jung <ra...@kippdata.de> on 2015/05/23 18:03:21 UTC
Drop support for EXPORT ciphers in tcnative 1.1?
mod_ssl dropped support for EXPORT ciphers in Apache 2.4 some time ago
and will also drop it in Apache 2.2 in the sonn to be released next version.
I applied a similar change to tcnative trunk and would also like to
apply it to 1.1.
Note that "drop support" would mean you can no longer enable export
ciphers. Even if you do they will simply not get advertised to the
client because the code filters them out. This is not just a question of
defaults but whether export ciphers should be available or not.
The change in question is
http://svn.apache.org/r1681147
In the light of the downgrade attacks that were invented I have a
tendency to drop support completely. Other opinions?
Regards,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Drop support for EXPORT ciphers in tcnative 1.1?
Posted by Rainer Jung <ra...@kippdata.de>.
Am 25.05.2015 um 14:05 schrieb Christopher Schultz:
> Rainer,
>
> On 5/24/15 2:12 PM, Rainer Jung wrote:
>> Am 24.05.2015 um 18:33 schrieb Mark Thomas:
>>> On 23 May 2015 17:03:21 BST, Rainer Jung <ra...@kippdata.de> wrote:
>>>> mod_ssl dropped support for EXPORT ciphers in Apache 2.4 some time ago
>>>> and will also drop it in Apache 2.2 in the sonn to be released next
>>>> version.
>>>>
>>>> I applied a similar change to tcnative trunk and would also like to
>>>> apply it to 1.1.
>>>>
>>>> Note that "drop support" would mean you can no longer enable export
>>>> ciphers. Even if you do they will simply not get advertised to the
>>>> client because the code filters them out. This is not just a question
>>>> of
>>>> defaults but whether export ciphers should be available or not.
>>>>
>>>> The change in question is
>>>>
>>>> http://svn.apache.org/r1681147
>>>>
>>>> In the light of the downgrade attacks that were invented I have a
>>>> tendency to drop support completely. Other opinions?
>>>>
>>>> Regards,
>>>>
>>>> Rainer
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>>
>>> +1.
>>>
>>> From a purely personal perspective I suspect this change will cause
>>> me more work when I want to enable export ciphers for testing. I'll cope.
>>>
>>> For end users I can't see any reason to ever enable these so happy
>>> from them to go.
>>
>> Just to be explicit about expectations: the code in mod_ssl takes the
>> configured cipher suite string and then *always* prepends
>> !aNULL:!eNULL:!EXP. So even if you tried to enable via config, it
>> wouldn't work. So if you really wanted to test with export ciphers,
>> you'd need to use a custom patched tcnative. It would be really a no
>> longer support in the extremest sense.
>
> How about:
>
> #ifdef(TCNATIVE_ENABLE_EXPORT_CIPHERS)
> #define PREPEND "!aNULL:!eNULL:"
> #else
> #define PREPEND "!aNULL:!eNULL:!EXP:"
> #end
> char[] ciphers = ...;
>
> char[] effective_ciphers = strcat(PREPEND, ciphers);
>
> ?
I was undecided, whether the configure flag should allow only export or
export plus null, and whether the meaning of the flag has to go into
flag and define name or would be enough in the help message.
I went with "flag reenables export and null" to allow full debug/test
scenarios but with names of flag and define only referring to export (to
keep them shorter), putting the "null" only in the help message for the
flag.
I didn't want to simply name the flag --enable-insecure-ciphers, because
that would indicate, that the projects by default has disabled all
insecure ciphers, which would be hard to do and to keep up to date.
Regards,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Drop support for EXPORT ciphers in tcnative 1.1?
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Rainer,
On 5/24/15 2:12 PM, Rainer Jung wrote:
> Am 24.05.2015 um 18:33 schrieb Mark Thomas:
>> On 23 May 2015 17:03:21 BST, Rainer Jung <ra...@kippdata.de> wrote:
>>> mod_ssl dropped support for EXPORT ciphers in Apache 2.4 some time ago
>>> and will also drop it in Apache 2.2 in the sonn to be released next
>>> version.
>>>
>>> I applied a similar change to tcnative trunk and would also like to
>>> apply it to 1.1.
>>>
>>> Note that "drop support" would mean you can no longer enable export
>>> ciphers. Even if you do they will simply not get advertised to the
>>> client because the code filters them out. This is not just a question
>>> of
>>> defaults but whether export ciphers should be available or not.
>>>
>>> The change in question is
>>>
>>> http://svn.apache.org/r1681147
>>>
>>> In the light of the downgrade attacks that were invented I have a
>>> tendency to drop support completely. Other opinions?
>>>
>>> Regards,
>>>
>>> Rainer
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>
>> +1.
>>
>> From a purely personal perspective I suspect this change will cause
>> me more work when I want to enable export ciphers for testing. I'll cope.
>>
>> For end users I can't see any reason to ever enable these so happy
>> from them to go.
>
> Just to be explicit about expectations: the code in mod_ssl takes the
> configured cipher suite string and then *always* prepends
> !aNULL:!eNULL:!EXP. So even if you tried to enable via config, it
> wouldn't work. So if you really wanted to test with export ciphers,
> you'd need to use a custom patched tcnative. It would be really a no
> longer support in the extremest sense.
How about:
#ifdef(TCNATIVE_ENABLE_EXPORT_CIPHERS)
#define PREPEND "!aNULL:!eNULL:"
#else
#define PREPEND "!aNULL:!eNULL:!EXP:"
#end
char[] ciphers = ...;
char[] effective_ciphers = strcat(PREPEND, ciphers);
?
-chris
Re: Drop support for EXPORT ciphers in tcnative 1.1?
Posted by Rainer Jung <ra...@kippdata.de>.
Am 24.05.2015 um 18:33 schrieb Mark Thomas:
> On 23 May 2015 17:03:21 BST, Rainer Jung <ra...@kippdata.de> wrote:
>> mod_ssl dropped support for EXPORT ciphers in Apache 2.4 some time ago
>> and will also drop it in Apache 2.2 in the sonn to be released next
>> version.
>>
>> I applied a similar change to tcnative trunk and would also like to
>> apply it to 1.1.
>>
>> Note that "drop support" would mean you can no longer enable export
>> ciphers. Even if you do they will simply not get advertised to the
>> client because the code filters them out. This is not just a question
>> of
>> defaults but whether export ciphers should be available or not.
>>
>> The change in question is
>>
>> http://svn.apache.org/r1681147
>>
>> In the light of the downgrade attacks that were invented I have a
>> tendency to drop support completely. Other opinions?
>>
>> Regards,
>>
>> Rainer
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: dev-help@tomcat.apache.org
>
> +1.
>
> From a purely personal perspective I suspect this change will cause me more work when I want to enable export ciphers for testing. I'll cope.
>
> For end users I can't see any reason to ever enable these so happy from them to go.
Just to be explicit about expectations: the code in mod_ssl takes the
configured cipher suite string and then *always* prepends
!aNULL:!eNULL:!EXP. So even if you tried to enable via config, it
wouldn't work. So if you really wanted to test with export ciphers,
you'd need to use a custom patched tcnative. It would be really a no
longer support in the extremest sense.
Regards,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Drop support for EXPORT ciphers in tcnative 1.1?
Posted by Mark Thomas <ma...@apache.org>.
On 23 May 2015 17:03:21 BST, Rainer Jung <ra...@kippdata.de> wrote:
>mod_ssl dropped support for EXPORT ciphers in Apache 2.4 some time ago
>and will also drop it in Apache 2.2 in the sonn to be released next
>version.
>
>I applied a similar change to tcnative trunk and would also like to
>apply it to 1.1.
>
>Note that "drop support" would mean you can no longer enable export
>ciphers. Even if you do they will simply not get advertised to the
>client because the code filters them out. This is not just a question
>of
>defaults but whether export ciphers should be available or not.
>
>The change in question is
>
> http://svn.apache.org/r1681147
>
>In the light of the downgrade attacks that were invented I have a
>tendency to drop support completely. Other opinions?
>
>Regards,
>
>Rainer
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>For additional commands, e-mail: dev-help@tomcat.apache.org
+1.
>From a purely personal perspective I suspect this change will cause me more work when I want to enable export ciphers for testing. I'll cope.
For end users I can't see any reason to ever enable these so happy from them to go.
Mark
Re: Drop support for EXPORT ciphers in tcnative 1.1?
Posted by Mark Thomas <ma...@apache.org>.
On 25/05/2015 13:05, Christopher Schultz wrote:
> Rainer,
>
> On 5/24/15 3:46 PM, Rainer Jung wrote:
>> Am 24.05.2015 um 20:10 schrieb Christopher Schultz:
>>> Rainer,
>>>
>>> On 5/23/15 12:03 PM, Rainer Jung wrote:
>>>> mod_ssl dropped support for EXPORT ciphers in Apache 2.4 some time ago
>>>> and will also drop it in Apache 2.2 in the soon to be released next
>>>> version.
>>>>
>>>> I applied a similar change to tcnative trunk and would also like to
>>>> apply it to 1.1.
>>>
>>> +1
>>>
>>>> Note that "drop support" would mean you can no longer enable export
>>>> ciphers. Even if you do they will simply not get advertised to the
>>>> client because the code filters them out. This is not just a question of
>>>> defaults but whether export ciphers should be available or not.
>>>>
>>>> The change in question is
>>>>
>>>> http://svn.apache.org/r1681147
>>>>
>>>> In the light of the downgrade attacks that were invented I have a
>>>> tendency to drop support completely. Other opinions?
>>>
>>> Hmm. As much as I'd like for EXP ciphers to die forever, I can imagine a
>>> use case where the user really *really* needs to use them. Can we offer
>>> them the ability to re-enable them? It's okay if it requires a re-build
>>> of tcnative to do so.
>>>
>>> Thanks,
>>> -chris
>>
>> Done in r1681523. I added the configure flag
>> --enable-insecure-export-ciphers and ported the feature and flag from
>> trunk to 1.1.
>>
>> If people don't like it I can revert (or rename the switch) but it seems
>> you and Mark are OK with that way.
>
> Perfect! Thanks!
Agreed. +1 from me to. Thanks.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Drop support for EXPORT ciphers in tcnative 1.1?
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Rainer,
On 5/24/15 3:46 PM, Rainer Jung wrote:
> Am 24.05.2015 um 20:10 schrieb Christopher Schultz:
>> Rainer,
>>
>> On 5/23/15 12:03 PM, Rainer Jung wrote:
>>> mod_ssl dropped support for EXPORT ciphers in Apache 2.4 some time ago
>>> and will also drop it in Apache 2.2 in the soon to be released next
>>> version.
>>>
>>> I applied a similar change to tcnative trunk and would also like to
>>> apply it to 1.1.
>>
>> +1
>>
>>> Note that "drop support" would mean you can no longer enable export
>>> ciphers. Even if you do they will simply not get advertised to the
>>> client because the code filters them out. This is not just a question of
>>> defaults but whether export ciphers should be available or not.
>>>
>>> The change in question is
>>>
>>> http://svn.apache.org/r1681147
>>>
>>> In the light of the downgrade attacks that were invented I have a
>>> tendency to drop support completely. Other opinions?
>>
>> Hmm. As much as I'd like for EXP ciphers to die forever, I can imagine a
>> use case where the user really *really* needs to use them. Can we offer
>> them the ability to re-enable them? It's okay if it requires a re-build
>> of tcnative to do so.
>>
>> Thanks,
>> -chris
>
> Done in r1681523. I added the configure flag
> --enable-insecure-export-ciphers and ported the feature and flag from
> trunk to 1.1.
>
> If people don't like it I can revert (or rename the switch) but it seems
> you and Mark are OK with that way.
Perfect! Thanks!
-chris
Re: Drop support for EXPORT ciphers in tcnative 1.1?
Posted by Rainer Jung <ra...@kippdata.de>.
Am 24.05.2015 um 20:10 schrieb Christopher Schultz:
> Rainer,
>
> On 5/23/15 12:03 PM, Rainer Jung wrote:
>> mod_ssl dropped support for EXPORT ciphers in Apache 2.4 some time ago
>> and will also drop it in Apache 2.2 in the soon to be released next
>> version.
>>
>> I applied a similar change to tcnative trunk and would also like to
>> apply it to 1.1.
>
> +1
>
>> Note that "drop support" would mean you can no longer enable export
>> ciphers. Even if you do they will simply not get advertised to the
>> client because the code filters them out. This is not just a question of
>> defaults but whether export ciphers should be available or not.
>>
>> The change in question is
>>
>> http://svn.apache.org/r1681147
>>
>> In the light of the downgrade attacks that were invented I have a
>> tendency to drop support completely. Other opinions?
>
> Hmm. As much as I'd like for EXP ciphers to die forever, I can imagine a
> use case where the user really *really* needs to use them. Can we offer
> them the ability to re-enable them? It's okay if it requires a re-build
> of tcnative to do so.
>
> Thanks,
> -chris
Done in r1681523. I added the configure flag
--enable-insecure-export-ciphers and ported the feature and flag from
trunk to 1.1.
If people don't like it I can revert (or rename the switch) but it seems
you and Mark are OK with that way.
Regards,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Drop support for EXPORT ciphers in tcnative 1.1?
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Rainer,
On 5/23/15 12:03 PM, Rainer Jung wrote:
> mod_ssl dropped support for EXPORT ciphers in Apache 2.4 some time ago
> and will also drop it in Apache 2.2 in the soon to be released next
> version.
>
> I applied a similar change to tcnative trunk and would also like to
> apply it to 1.1.
+1
> Note that "drop support" would mean you can no longer enable export
> ciphers. Even if you do they will simply not get advertised to the
> client because the code filters them out. This is not just a question of
> defaults but whether export ciphers should be available or not.
>
> The change in question is
>
> http://svn.apache.org/r1681147
>
> In the light of the downgrade attacks that were invented I have a
> tendency to drop support completely. Other opinions?
Hmm. As much as I'd like for EXP ciphers to die forever, I can imagine a
use case where the user really *really* needs to use them. Can we offer
them the ability to re-enable them? It's okay if it requires a re-build
of tcnative to do so.
Thanks,
-chris