[PATCH] Disable Anonymous ECDH ciphersuites by default

António P. P. Almeida appa at perusio.net
Tue Jun 14 16:04:18 MSD 2011


On 14 Jun 2011 09h58 WEST, rob.stradling at comodo.com wrote:




> !ADH to exclude the Anonymous DH ciphersuites.  With OpenSSL-0.x,
> this has the effect of disabling all ciphersuites that offer no
> authentication.  However, OpenSSL-1.x adds support for Anonymous
> ECDH ciphersuites, and these are not disabled by !ADH.
>
> !aNULL is the appropriate cipher string for disabling all anonymous
> ciphersuites.  [1] observes that anonymous ciphersuites 'are
> vulnerable to a "man in the middle'' attack and so their use is
> normally discouraged.'
>
> Trivial patch attached.
>
> Apache httpd just committed a patch for the same issue [2].
>
> [1] http://www.openssl.org/docs/apps/ciphers.html
> [2] https://issues.apache.org/bugzilla/show_bug.cgi?id=51363
>
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
>
> [2 disable_aecdh.patch <text/x-patch; UTF-8 (7bit)>]
> diff -ur nginx-1.0.4/conf/nginx.conf
> nginx-1.0.4-defaultcipher/conf/nginx.conf
> --- nginx-1.0.4/conf/nginx.conf	2009-04-06 14:43:46.000000000 +0100
> +++ nginx-1.0.4-defaultcipher/conf/nginx.conf	2011-06-14 09:36:25.250146709 +0100
> @@ -106,7 +106,7 @@
> #    ssl_session_timeout  5m;
>
> #    ssl_protocols  SSLv2 SSLv3 TLSv1;
> -    #    ssl_ciphers
>      #    ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
> +    #    ssl_ciphers  ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
> #    ssl_prefer_server_ciphers   on;
>
> #    location / {
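Review bot: as quoted here the hunk is malformed: the removed line `-    #    ssl_ciphers` is cut short and its continuation `#    ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;` shows up as an unchanged context line, so the inline text will not apply with `patch` and the attached disable_aecdh.patch (or an unwrapped resend of the `-` line) has to be used instead. On the content, `!aNULL` is the right substitution in the commented example, but the example line still carries `+LOW:+SSLv2:+EXP`, so anyone who uncomments it as-is gets export-grade and SSLv2 suites re-enabled; worth either trimming those from the example or adding a comment that the line is illustrative rather than a recommended setting.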
> diff -ur nginx-1.0.4/src/http/modules/ngx_http_ssl_module.c
> nginx-1.0.4-defaultcipher/src/http/modules/ngx_http_ssl_module.c
> --- nginx-1.0.4/src/http/modules/ngx_http_ssl_module.c	2010-05-14 10:56:37.000000000 +0100
> +++ nginx-1.0.4-defaultcipher/src/http/modules/ngx_http_ssl_module.c	2011-06-14 09:33:42.085994902 +0100
> @@ -13,7 +13,7 @@
> ngx_pool_t *pool, ngx_str_t *s);
>
>
> -#define NGX_DEFAULT_CIPHERS  "HIGH:!ADH:!MD5"
> +#define NGX_DEFAULT_CIPHERS  "HIGH:!aNULL:!MD5"
>
>
> static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
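Review bot: nothing in the patch updates the ngx_http_ssl_module documentation or CHANGES to say that the built-in default (used whenever no `ssl_ciphers` directive is present) is now `HIGH:!aNULL:!MD5`; since this silently changes the suite list for every existing server that relies on the default, the doc update should go in with the `#define` change. No build-time OpenSSL version guard is needed around the define: `!aNULL` is the documented cipher-string keyword for "no authentication" per [1] and is only a string handed to the library, so on OpenSSL 0.x it removes the same ADH suites `!ADH` did, and on 1.x it additionally removes AECDH. Suggest the commit message record which OpenSSL versions the new default was checked against, e.g. by confirming that `openssl ciphers -v 'HIGH:!aNULL:!MD5'` lists no suite with `Au=None`.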


Shouldn't there be some sort of check for the OpenSSH version?

#if OPENSSL_VERSION_NUMBER >= 0x10000000L   /* OpenSSL 1.0.0 or later */

  /* (after 1.x code) */

#else

  /* (before 1.x code) */

#endif

If I understood correctly, this is something that appeared in 1.x, not
existing in 0.9.x.

Is it so?

--- appa
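To make the difference between `!ADH` and `!aNULL` concrete, here is a small model of how an OpenSSL cipher string is evaluated, added as an example for this thread; it is not OpenSSL's, nginx's or either poster's code. The suite table, its attributes and the keyword set are constructed and abbreviated, it goes beyond the two strings in the thread in that it handles the general `:`-separated syntax with `!`, `-` and `+` prefixes and `+`-joined keywords, and `@STRENGTH` and most other real keywords are deliberately unsupported.

```python
"""Toy model of OpenSSL cipher-string evaluation.

Constructed example for the nginx-devel thread; not OpenSSL's code and not a
full keyword table. Enough to show why !ADH misses AECDH suites and !aNULL does not.
"""


def _suite(name, kx, au, enc, mac, strength):
    return {"name": name, "kx": kx, "au": au, "enc": enc, "mac": mac, "strength": strength}


# Constructed, abbreviated suite table in OpenSSL naming. 'au' is the
# authentication method; "None" marks an anonymous (unauthenticated) suite.
SUITES = [
    _suite("ECDHE-RSA-AES256-SHA", "ECDH", "RSA",  "AES256", "SHA1", "HIGH"),
    _suite("DHE-RSA-AES256-SHA",   "DH",   "RSA",  "AES256", "SHA1", "HIGH"),
    _suite("AES256-SHA",           "RSA",  "RSA",  "AES256", "SHA1", "HIGH"),
    _suite("ADH-AES256-SHA",       "DH",   "None", "AES256", "SHA1", "HIGH"),
    _suite("AECDH-AES256-SHA",     "ECDH", "None", "AES256", "SHA1", "HIGH"),
    _suite("AECDH-RC4-SHA",        "ECDH", "None", "RC4",    "SHA1", "MEDIUM"),
    _suite("ADH-DES-CBC3-SHA",     "DH",   "None", "3DES",   "SHA1", "HIGH"),
    _suite("DHE-RSA-AES128-SHA",   "DH",   "RSA",  "AES128", "SHA1", "HIGH"),
    _suite("RC4-MD5",              "RSA",  "RSA",  "RC4",    "MD5",  "MEDIUM"),
    _suite("DES-CBC-SHA",          "RSA",  "RSA",  "DES",    "SHA1", "LOW"),
]

# Keyword predicates (subset). ADH and AECDH each cover one anonymous key
# exchange; aNULL covers every suite with no authentication, whatever the kx.
KEYWORDS = {
    "ALL":    lambda s: True,
    "HIGH":   lambda s: s["strength"] == "HIGH",
    "MEDIUM": lambda s: s["strength"] == "MEDIUM",
    "LOW":    lambda s: s["strength"] == "LOW",
    "ADH":    lambda s: s["kx"] == "DH" and s["au"] == "None",
    "AECDH":  lambda s: s["kx"] == "ECDH" and s["au"] == "None",
    "aNULL":  lambda s: s["au"] == "None",
    "aRSA":   lambda s: s["au"] == "RSA",
    "RSA":    lambda s: s["kx"] == "RSA",
    "RC4":    lambda s: s["enc"] == "RC4",
    "MD5":    lambda s: s["mac"] == "MD5",
}


def _matches(body, suite):
    """A token such as RC4+RSA matches only suites satisfying every '+'-joined keyword."""
    try:
        preds = [KEYWORDS[k] for k in body.split("+")]
    except KeyError as exc:
        raise ValueError("unsupported cipher keyword %r" % exc.args[0]) from None
    return all(p(suite) for p in preds)


def select_ciphers(cipher_string):
    """Return the enabled suite names, in preference order, for a cipher string."""
    active = []     # enabled suites, in order
    killed = set()  # names removed with '!' can never be re-enabled by a later token
    for token in cipher_string.split(":"):
        if not token:
            continue
        op, body = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = [s for s in SUITES if _matches(body, s)]
        if op == "":
            # plain keyword: append matching suites that are not yet enabled or killed
            for s in hits:
                if s["name"] not in killed and s not in active:
                    active.append(s)
        elif op == "-":
            # '-' disables for now; a later keyword may bring the suite back
            active = [s for s in active if s not in hits]
        elif op == "!":
            # '!' disables permanently
            killed.update(s["name"] for s in hits)
            active = [s for s in active if s not in hits]
        else:
            # '+' moves matching enabled suites to the end, keeping their relative order
            active = [s for s in active if s not in hits] + [s for s in active if s in hits]
    return [s["name"] for s in active]


def anonymous_suites(cipher_string):
    """Names of the enabled suites that offer no authentication at all."""
    enabled = set(select_ciphers(cipher_string))
    return [s["name"] for s in SUITES if s["name"] in enabled and s["au"] == "None"]


if __name__ == "__main__":
    for cs in ("HIGH:!ADH:!MD5", "HIGH:!aNULL:!MD5"):
        print("%-18s -> anonymous suites left: %s" % (cs, anonymous_suites(cs) or "none"))
```

Running it shows the old nginx default leaving `AECDH-AES256-SHA` enabled while the patched one leaves no anonymous suite. The `killed` set is also why `!aNULL` rather than `-aNULL` is the right spelling for a hardening rule: a later `ALL` cannot undo a `!` exclusion, but it silently reinstates anything removed with `-`.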


