[Gluster-devel] Logjam

Emmanuel Dreyfus manu at netbsd.org
Tue May 26 23:29:48 UTC 2015


Jeff Darcy <jdarcy at redhat.com> wrote:

> We already exclude CBC, because of the POODLE attack, and that leaves us
> with 32 ciphers.  Excluding DH as well leaves us with only four.
> 
>   AES256-GCM-SHA384
>   AES256-SHA256
>   AES128-GCM-SHA256
>   AES128-SHA256

Why are ECDH ciphers missing? That list has no cipher featuring PFS;
that looks really bad.

My understanding of POODLE is that CBC ciphers are fine, you just need
to reject the SSLv3 protocol.

> This doesn't seem particularly hard, or at least it wouldn't be if we
> didn't have to account for every RHEL version and associated OpenSSL
> version going back ten years.

The function calls I proposed are used in Apache and Sendmail without
any OpenSSL version ifdef.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu at netbsd.org
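
The forward-secrecy question raised in this message can be checked from the OpenSSL suite names alone. The following is an added example, not code from the thread or from GlusterFS; `classify`, `without_forward_secrecy`, `local_report` and the `COMPARISON` names are hypothetical and constructed for illustration.

```python
import ssl

EPHEMERAL = {"ECDHE", "DHE", "EDH", "EECDH"}  # per-session keys: forward secrecy
STATIC_DH = {"ECDH", "DH"}                    # fixed (EC)DH keys: none
BARE = ("AES", "CAMELLIA", "DES", "RC4", "SEED", "ARIA", "IDEA", "NULL")

QUOTED = ["AES256-GCM-SHA384", "AES256-SHA256",          # the list in the mail
          "AES128-GCM-SHA256", "AES128-SHA256"]
COMPARISON = ["ECDHE-RSA-AES256-GCM-SHA384",             # constructed samples
              "DHE-RSA-AES128-SHA", "ECDH-RSA-AES128-SHA"]


def classify(name):
    """Return (key_exchange, mode, forward_secret) for an OpenSSL suite name."""
    if name.startswith("TLS_"):        # TLS 1.3 naming: always (EC)DHE + AEAD
        return ("TLS1.3", "AEAD", True)
    head = name.split("-")[0]
    if head in EPHEMERAL:
        kx, fs = head, True
    elif head in STATIC_DH:
        kx, fs = head, False
    elif head.startswith(BARE):        # no prefix means RSA key transport
        kx, fs = "RSA", False
    else:                              # PSK, SRP, anonymous...: not judged here
        kx, fs = "other", None
    if any(tag in name for tag in ("GCM", "CCM", "CHACHA20")):
        mode = "AEAD"
    elif "RC4" in name:
        mode = "stream"
    elif "NULL" in name:
        mode = "none"
    else:                              # OpenSSL leaves "CBC" out of AES suite names
        mode = "CBC"
    return (kx, mode, fs)


def without_forward_secrecy(names):
    """Suites that are not known to provide forward secrecy."""
    return [n for n in names if classify(n)[2] is not True]


def local_report(cipher_string="HIGH:!aNULL"):
    """Classify what the local OpenSSL build enables for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return {c["name"]: classify(c["name"]) for c in ctx.get_ciphers()}


if __name__ == "__main__":
    for suite in QUOTED + COMPARISON:
        print(suite, classify(suite))
```

`local_report` depends on the installed OpenSSL build, so its output varies between hosts; the classification of the names themselves does not.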