Removed CBC ciphers to address CVE-2013-0169 (LUCKY13) #1051
Conversation
|
If there is anything I can do in the PR for the failing CircleCI tests test-3.8 and test-3.9, let me know. Update: Force-pushing the PR helped. |
Details: * This change removes the following CBC ciphers from the default set of ciphers in order to address CVE-2013-0169 (LUCKY13): - ECDHE-ECDSA-AES256-SHA384 - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 This is done by listing them in the code, i.e. without any way to configure that by the user. Signed-off-by: Andreas Maier <maiera@de.ibm.com>
andy-maier
force-pushed
the
andy/remove-cbc-ciphers
branch
from
f685b3b
to
a4b1305
Compare
There was a problem hiding this comment.
I don't love this library needing to worry about ciphers and keeping up to date with them. I think I would be ok with providing functionality to allow a user to specify the list of ciphers they want to support, but even that is getting into the territory where they should consider just standing up their own HTTP server instead of the lightweight one we provide.
|
@csmarchbanks I know. I don't like it either, but the big advantage of the provided HTTP server is that it is built-in, simple to use, and it works great, even for our exporters that can have large amounts of metrics. And I think you don't need to worry about checking for such things yourself, as users will bring it up, and may even fix it, like in this PR. |
Details:
This change removes the following CBC ciphers from the default set of ciphers in order to address CVE-2013-0169 (LUCKY13):
This is done by listing them in the code, i.e. without any way to configure that by the user.
The LUCKY13 vulnerability was discovered using the testssl.sh tool. See also drwetter/testssl.sh#2537