Re: SSL: better default ciphersuite

From: Marko Kreen <markokr(at)gmail(dot)com>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: Magnus Hagander <magnus(at)hagander(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Postgres Hackers List <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: SSL: better default ciphersuite
Date: 2014-02-23 21:31:08
Message-ID: 20140223213108.GA26951@gmail.com
Lists: pgsql-hackers

On Sat, Feb 22, 2014 at 08:31:14PM -0500, Peter Eisentraut wrote:
> On 2/2/14, 7:16 AM, Marko Kreen wrote:
> > On Thu, Dec 12, 2013 at 04:32:07PM +0200, Marko Kreen wrote:
> >> Attached patch changes default ciphersuite to HIGH:MEDIUM:+3DES:!aNULL
> >> and also adds documentation about reasoning for it.
> >
> > This is the last pending SSL cleanup related patch:
> >
> > https://commitfest.postgresql.org/action/patch_view?id=1310
> >
> > Peter, you have claimed it as committer, do you see any remaining
> > issues with it?
>
> I'm OK with this change on the principle of clarifying and refining the
> existing default. But after inspecting the expanded cipher list with
> the "openssl cipher" tool, I noticed that the new default re-enabled MD5
> ciphers. Was that intentional?

Yes, kind of. First note that only RC4-MD5 is SSLv3+,
rest are SSLv2-only suites.

There are 2 points relevant about RC4-MD5:

* Main reason MEDIUM was added is to get RC4, for compatibility.

* Although MD5 is broken, TLS protocol uses HMAC-MD5 which is not.
So RC4-MD5 is weak suite not because of MD5 but because of RC4.

My conclusion is it's unnecessary to add '!MD5' to MEDIUM as
that would not actually make things more secure. Instead
'MEDIUM' alone is enough to show that user will not get
state-of-the-art-only suites.

--
marko
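
Added example, not part of the original message or of the PostgreSQL patch: a small audit helper that parses `openssl ciphers -v` output and groups the suites whose MAC is MD5 by protocol version, so the expansion of a cipher string such as the thread's `HIGH:MEDIUM:+3DES:!aNULL` can be checked for the MD5 and RC4 entries discussed above. The function names are hypothetical and the sample lines are constructed in the tool's column format, not captured from a real build.

```python
import shutil
import subprocess

# Constructed sample in the `openssl ciphers -v` column layout:
# name, protocol, Kx=, Au=, Enc=, Mac=.
SAMPLE = """\
AES256-SHA              SSLv3 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH   Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC3-SHA            SSLv3 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=SHA1
RC2-CBC-MD5             SSLv2 Kx=RSA  Au=RSA  Enc=RC2(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC3-MD5            SSLv2 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=MD5
"""

def parse_ciphers(text):
    """Turn `openssl ciphers -v` output into a list of dicts, one per suite."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:          # skip blank or malformed lines
            continue
        suite = {"name": fields[0], "protocol": fields[1]}
        for field in fields[2:]:     # Kx=..., Au=..., Enc=..., Mac=...
            key, sep, value = field.partition("=")
            if sep:
                suite[key] = value
        suites.append(suite)
    return suites

def md5_mac_by_protocol(suites):
    """Map protocol version -> names of suites whose MAC is MD5."""
    found = {}
    for s in suites:
        if s.get("Mac") == "MD5":
            found.setdefault(s["protocol"], []).append(s["name"])
    return found

def rc4_suites(suites):
    """Names of suites that encrypt with RC4, whatever their MAC."""
    return sorted({s["name"] for s in suites if s.get("Enc", "").startswith("RC4")})

if __name__ == "__main__":
    text = SAMPLE
    if shutil.which("openssl"):      # use the local build's real expansion if present
        text = subprocess.run(["openssl", "ciphers", "-v", "HIGH:MEDIUM:+3DES:!aNULL"],
                              capture_output=True, text=True, check=True).stdout
    suites = parse_ciphers(text)
    print("MD5-MAC suites by protocol:", md5_mac_by_protocol(suites))
    print("RC4 suites:", rc4_suites(suites))
```

The result depends on the installed OpenSSL build; builds without SSLv2 or RC4 support will list fewer or none of these suites.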
