[Gluster-devel] Logjam

Jeff Darcy jdarcy at redhat.com
Wed May 27 02:06:12 UTC 2015


> > We already exclude CBC, because of the POODLE attack, and that leaves us
> > with 32 ciphers.  Excluding DH as well leaves us with only four.
> > 
> >   AES256-GCM-SHA384
> >   AES256-SHA256
> >   AES128-GCM-SHA256
> >   AES128-SHA256
> 
> Why are ECDH ciphers missing? That list has no cipher featuring PFS,
> that looks really bad.

I guess my filter was too restrictive.  If we allow ECDH but not DH or ADH,
we're at 20.  That seems like a small set.

> My understanding of POODLE is that CBC ciphers are fine, you just need
> to reject the SSLv3 protocol.

As I'm sure you know, security often involves multiple layers.  At the
time, the OpenSSL method table we used was still one that would allow
fallback to SSLv3.  We hadn't yet decided to preclude that, but it
didn't seem wise to leave such systems vulnerable to POODLE either.
Since that attack is specifically against CBC modes with SSLv3, the
defaults were changed to exclude those modes.  Now that we don't allow
SSLv3 at all, it would probably be safe to change those defaults.  As
it turns out, that doesn't increase the number of available ciphers at
all.  We're still at 20.

> > This doesn't seem particularly hard, or at least it wouldn't be if we
> > didn't have to account for every RHEL version and associated OpenSSL
> > version going back ten years.
> 
> The function calls I proposed are used in Apache and Sendmail without
> any OpenSSL version ifdef.

That's a nice change from the last couple of times we've tried to change
anything related to OpenSSL.
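The filtering discussed in this thread (drop CBC, drop DH but keep ECDH, and check whether anything with forward secrecy survives) can be reasoned about from OpenSSL's suite names alone. The following is an added example, not Gluster code and not anything posted in the thread: a small classifier over OpenSSL-style names with a constructed sample list. One caveat it encodes: OpenSSL's names never contain the string "CBC", so a name filter on that substring catches nothing. AES256-SHA256, for instance, is TLS_RSA_WITH_AES_256_CBC_SHA256; the parser instead treats a TLS 1.2-style name with no AEAD marker (GCM, CCM, CHACHA20) and no RC4 as a CBC suite. The key-exchange prefixes and the sample suites are assumptions made for the example.

```python
"""Classify OpenSSL cipher-suite names by key exchange and cipher mode.

Added example (not Gluster's code). It parses OpenSSL's naming convention
to answer the questions raised in the thread: which suites are CBC, which
use DH vs ECDH, and whether the surviving set offers forward secrecy.
"""

# OpenSSL puts the key-exchange part first. A name with no prefix
# ("AES256-GCM-SHA384") uses RSA key transport: no forward secrecy.
# Assumed prefix table: (key exchange label, provides forward secrecy).
KX_PREFIXES = {
    "ECDHE-": ("ECDHE", True),   # ephemeral ECDH: forward secrecy
    "AECDH-": ("AECDH", False),  # anonymous ECDH: unauthenticated
    "ECDH-": ("ECDH", False),    # static ECDH: no forward secrecy
    "DHE-": ("DHE", True),       # ephemeral DH: forward secrecy
    "EDH-": ("DHE", True),       # older spelling of DHE
    "ADH-": ("ADH", False),      # anonymous DH: unauthenticated
    "DH-": ("DH", False),        # static DH: no forward secrecy
}

AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")


def classify(name):
    """Return key exchange, forward-secrecy and cipher-mode facts for one suite name."""
    kx, pfs = "RSA", False
    for prefix, (label, fs) in KX_PREFIXES.items():
        if name.startswith(prefix):
            kx, pfs = label, fs
            break
    aead = any(marker in name for marker in AEAD_MARKERS)
    stream = "RC4" in name
    # No AEAD marker and not a stream cipher: a CBC block-cipher suite,
    # even though the literal string "CBC" never appears in OpenSSL names.
    return {
        "name": name,
        "kx": kx,
        "pfs": pfs,
        "anonymous": kx in ("ADH", "AECDH"),
        "aead": aead,
        "cbc": not aead and not stream,
    }


def filter_suites(names, allow_cbc=False, allow_dh=False, allow_ecdh=True, allow_anon=False):
    """Apply the thread's filter rules and return the surviving names in order."""
    kept = []
    for name in names:
        c = classify(name)
        if c["anonymous"] and not allow_anon:
            continue
        if c["kx"] in ("DH", "DHE") and not allow_dh:
            continue
        if c["kx"] in ("ECDH", "ECDHE") and not allow_ecdh:
            continue
        if c["cbc"] and not allow_cbc:
            continue
        kept.append(name)
    return kept


def has_forward_secrecy(names):
    """True if at least one surviving suite uses an ephemeral key exchange."""
    return any(classify(n)["pfs"] for n in names)


# Constructed sample list (not taken from any real OpenSSL build).
SAMPLE = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",      # ECDHE, but CBC mode
    "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-SHA256",        # DHE and CBC mode
    "ADH-AES256-GCM-SHA384",        # anonymous: no authentication
    "AES256-GCM-SHA384",
    "AES256-SHA256",                # RSA key transport, CBC mode
    "AES128-GCM-SHA256",
    "AES128-SHA256",                # RSA key transport, CBC mode
]

if __name__ == "__main__":
    for policy in ({"allow_ecdh": False}, {}, {"allow_dh": True}):
        kept = filter_suites(SAMPLE, **policy)
        print(policy or "default", len(kept), "suites, PFS:", has_forward_secrecy(kept))
        for n in kept:
            print("   ", n)
```

With ECDH excluded the sample collapses to the RSA-only AEAD suites and `has_forward_secrecy` reports False, which is the situation the reply objected to; allowing ECDH brings the ECDHE AEAD suites back, and allowing DH adds the DHE ones on top.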
