[nsd-users] weak ciphers enabled to remote-control nsd+unbound
Andreas Schulze
sca at andreasschulze.de
Wed Nov 13 21:07:41 UTC 2013
Hello,
nsd and unbound can be controlled using nsd-control and unbound-control.
SSL is used to ensure privacy and authentication. Although those connections are
commonly used at localhost only, they are usable over public networks by design.
But the server allows weak ciphers. Users have no option to control these settings.
# sslscan --no-failed localhost:8952
_
___ ___| |___ ___ __ _ _ __
/ __/ __| / __|/ __/ _` | '_ \
\__ \__ \ \__ \ (_| (_| | | | |
|___/___/_|___/\___\__,_|_| |_|
Version 1.8.2
http://www.titania.co.uk
Copyright Ian Ventura-Whiting 2009
Testing SSL server localhost on port 8952
Supported Server Cipher(s):
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 56 bits DES-CBC-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 56 bits DES-CBC-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Prefered Server Cipher(s):
SSLv3 256 bits AES256-SHA
TLSv1 256 bits AES256-SHA
I suggest enhancing the code to use a fixed cipher and protocol by default
and optionally making these settings configurable.
Also DH key exchange would be nice (PFS, http://de.wikipedia.org/wiki/Perfect_Forward_Secrecy)
Andreas
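Added example (not part of the original message, and not code from nsd, unbound or sslscan): a small Python check that reads "Accepted ..." lines in the format of the scan above and reports why each accepted suite would fail a policy. The policy rules and the sample input, including the TLSv1.2 line, are assumptions constructed for illustration.

```python
import re

# Constructed sample in the line format of the scan in the post (not real scan data).
SAMPLE_SCAN = """\
Supported Server Cipher(s):
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 56 bits DES-CBC-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384
Prefered Server Cipher(s):
TLSv1 256 bits AES256-SHA
"""

# Only "Accepted <protocol> <n> bits <cipher>" lines are findings; the
# preferred-cipher section repeats suites and is skipped.
LINE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")


def findings(protocol, bits, cipher):
    """Return the reasons (assumed policy) an accepted suite should be disabled."""
    reasons = []
    if protocol in ("SSLv2", "SSLv3"):
        reasons.append("obsolete protocol")
    if bits < 128:
        reasons.append("key under 128 bits")
    if "RC4" in cipher:
        reasons.append("RC4")
    if "DES" in cipher:  # matches single DES and 3DES (DES-CBC3) names
        reasons.append("DES/3DES")
    if cipher.endswith("MD5"):
        reasons.append("MD5 MAC")
    # OpenSSL names ephemeral-DH suites DHE-/ECDHE- (EDH- in older releases).
    if protocol != "TLSv1.3" and not cipher.startswith(("DHE-", "ECDHE-", "EDH-")):
        reasons.append("no forward secrecy")
    return reasons


def audit(scan_text):
    """Parse scan output and return (protocol, cipher, reasons) per accepted suite."""
    report = []
    for line in scan_text.splitlines():
        m = LINE.match(line)
        if m:
            protocol, bits, cipher = m.group(1), int(m.group(2)), m.group(3)
            report.append((protocol, cipher, findings(protocol, bits, cipher)))
    return report


if __name__ == "__main__":
    for protocol, cipher, reasons in audit(SAMPLE_SCAN):
        print(f"{protocol:8} {cipher:28} {'; '.join(reasons) or 'ok'}")
```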