Andreas Schulze
2013-Nov-13 21:07 UTC
[nsd-users] weak ciphers enabled to remote-control nsd+unbound
Hello,
nsd and unbound can be controlled using nsd-control and unbound-control.
SSL is used to ensure privacy and authentication. Although those
connections are commonly used at localhost only, they are usable over
public networks by design.
But the server allows weak ciphers. Users have no option to control
these settings.
# sslscan --no-failed localhost:8952
_
___ ___| |___ ___ __ _ _ __
/ __/ __| / __|/ __/ _` | '_ \
\__ \__ \ \__ \ (_| (_| | | | |
|___/___/_|___/\___\__,_|_| |_|
Version 1.8.2
http://www.titania.co.uk
Copyright Ian Ventura-Whiting 2009
Testing SSL server localhost on port 8952
Supported Server Cipher(s):
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 56 bits DES-CBC-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 56 bits DES-CBC-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Prefered Server Cipher(s):
SSLv3 256 bits AES256-SHA
TLSv1 256 bits AES256-SHA
I suggest enhancing the code to use a fixed cipher and protocol by default
and optionally making these settings configurable.
Also DH key exchange would be nice (PFS,
http://de.wikipedia.org/wiki/Perfect_Forward_Secrecy)
Andreas
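
The sslscan result in the message above can be checked mechanically. The following is an added example, not part of the original post and not nsd or unbound code: it parses the "Accepted" lines and lists why each protocol/cipher pair deserves attention. The rule set (128-bit minimum, RC4, MD5, 3DES, missing ephemeral DH) is this example's assumption.

```python
import re

# Accepted-cipher lines copied from the sslscan output in the message above.
SSLSCAN_OUTPUT = """
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 56 bits DES-CBC-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 56 bits DES-CBC-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
"""

ACCEPTED = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")
FS_PREFIXES = ("DHE-", "ECDHE-", "EDH-")  # OpenSSL names of ephemeral-DH suites

# Audit rules are this example's assumptions, not nsd/unbound policy.
# Each predicate receives (protocol, key bits, OpenSSL cipher name).
RULES = [
    ("obsolete protocol", lambda p, b, c: p in ("SSLv2", "SSLv3")),
    ("key shorter than 128 bits", lambda p, b, c: b < 128),
    ("RC4", lambda p, b, c: "RC4" in c),
    ("MD5 MAC", lambda p, b, c: c.endswith("-MD5")),
    ("3DES", lambda p, b, c: "DES-CBC3" in c),
    ("no forward secrecy", lambda p, b, c: not c.startswith(FS_PREFIXES)),
]


def audit(scan_text):
    """Parse sslscan 'Accepted' lines into (proto, cipher, reasons) tuples."""
    rows = []
    for line in scan_text.splitlines():
        m = ACCEPTED.match(line)
        if m:  # banner, headings and blank lines are skipped
            proto, bits, cipher = m.group(1), int(m.group(2)), m.group(3)
            reasons = [name for name, hit in RULES if hit(proto, bits, cipher)]
            rows.append((proto, cipher, reasons))
    return rows


if __name__ == "__main__":
    for proto, cipher, reasons in audit(SSLSCAN_OUTPUT):
        print(f"{proto:6} {cipher:14} {', '.join(reasons)}")
```

Every one of the twelve accepted pairs is reported as lacking forward secrecy, which is the point behind the DH key exchange request.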
Paul Wouters
2013-Nov-13 21:24 UTC
[nsd-users] [Unbound-users] weak ciphers enabled to remote-control nsd+unbound
On Wed, 13 Nov 2013, Andreas Schulze wrote:

> nsd and unbound can be controlled using nsd-control and unbound-control.
> SSL is used to ensure privacy and authentication. Although those connections
> are commonly used at localhost only, they are usable over public networks by
> design.
>
> But the server allows weak ciphers. Users have no option to control these
> settings.

> I suggest enhancing the code to use a fixed cipher and protocol by default
> and optionally making these settings configurable.
>
> Also DH key exchange would be nice (PFS,
> http://de.wikipedia.org/wiki/Perfect_Forward_Secrecy)

Actually, I suggest we adopt the patch that floated around last year to
allow people to use a pipe when running on localhost, which would be much
simpler than the entire TLS overhead.

Keep the TLS for people who wish to remote control their unbound instances,
but I don't think those are many. Whereas everyone with
unbound-control/dnssec-trigger setups now has to go through the
overhead/complexity of TLS.

Paul