And here we go again: OpenSSL 0.9.8 users should upgrade to 0.9.8.zb. OpenSSL 1.0.0 users should upgrade to 1.0.0n. OpenSSL 1.0.1 users should upgrade to 1.0.1i. https://www.openssl.org/news/secadv_20140806.txt
New OpenVPN for Windows installers available with updated bundled OpenSSL: http://openvpn.net/index.php/download/community-downloads.html
I'd like to know why Firefox (who claim our security and privacy is a priority, *cough* *cough*) doesn't support the stronger cipher suites that OpenSSL does.
Firefox uses OpenSSL, so surely the same ciphers should be in it? Firefox only supports two of the TLSv1.2 cipher suites. Most of the Firefox cipher suites are SSLv3. The two TLSv1.2 suites Firefox supports are:
    security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256
    security.ssl3.ecdhe_rsa_aes_128_gcm_sha256
The ones missing are all the strongest TLSv1.2 ciphers, at least some of which meet the NSA Suite B cryptography standard.
    openssl ciphers -v
    ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
    ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
    ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
    ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
    DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
    DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
    ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
    ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
    ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
    ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
I'm not an expert but I think that's incorrect. The removal of SSLv3 support was announced in Oct. 2014 for v. 34. I'm not sure, though, if that removal was delayed, as the release notes for v. 39 say: And regarding those security.ssl3... entries in about:config, Daniel Veditz wrote:
Firefox uses NSS, not OpenSSL. The 256-bit AES-GCM ciphers are indeed still missing. Firefox only supports 128-bit AES-GCM with ECDHE_ECDSA and ECDHE_RSA. Chrome (also uses NSS) does support those, but also only 128-bit. They chose not to support plain RSA because it lacks Forward Secrecy and DHE_RSA because a lot of servers are configured with only 1024 bit, though more are switching to 2048 after Logjam. I would encourage people to vote here on adding 256-bit AES-GCM to Firefox. https://bugzilla.mozilla.org/show_bug.cgi?id=975832 https://bugzilla.mozilla.org/show_bug.cgi?id=923089 https://bugzilla.mozilla.org/show_bug.cgi?id=973755 Btw, @summerheat is correct on the SSLv3.
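The following is an added example, not part of any post in this thread: it parses `openssl ciphers -v` lines like the ones quoted above and marks, per suite, the two properties the posts argue about (forward secrecy and AEAD). The function names are hypothetical, and the Kx reading is an assumption based on the OpenSSL output format: `Kx=ECDH` and `Kx=DH` are ephemeral exchanges, `Kx=ECDH/RSA` style values are static, and `Kx=RSA` is plain RSA key transport.

```python
import re

# Four lines copied from the `openssl ciphers -v` output quoted in the thread,
# plus one plain-RSA line that is NOT from the thread, added for contrast.
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
"""

# name, protocol, then Kx=/Au=/Enc=/Mac= fields; Enc=None has no "(bits)" part.
LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>[^()\s]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
)

# Assumption: only these Kx values are treated as ephemeral. OpenSSL 1.1.1+
# prints Kx=any for TLS 1.3 suites, which always use an ephemeral exchange.
# Anything else (static ECDH, RSA, PSK, export-grade) is reported as no FS.
EPHEMERAL_KX = {"ECDH", "DH", "any"}

def parse(text):
    """Return one dict per recognisable cipher line; other lines are skipped."""
    suites = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        s = m.groupdict()
        s["bits"] = int(s["bits"] or 0)          # 0 for Enc=None (no encryption)
        s["forward_secrecy"] = s["kx"] in EPHEMERAL_KX
        s["aead"] = s["mac"] == "AEAD"           # GCM-style suites report Mac=AEAD
        suites.append(s)
    return suites

def audit(text):
    """Map suite name -> (forward_secrecy, aead, key_bits)."""
    return {s["name"]: (s["forward_secrecy"], s["aead"], s["bits"])
            for s in parse(text)}

if __name__ == "__main__":
    for name, (fs, aead, bits) in audit(SAMPLE).items():
        print(f"{name:32} FS={fs!s:5} AEAD={aead!s:5} bits={bits}")
```

Piping real `openssl ciphers -v` output into `audit()` gives the same table for a local build; suites with an unrecognised Kx value are conservatively reported as lacking forward secrecy.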
Well, there is a distinction to be made between the protocol version and the cipher suites. The cipher suites I marked as TLSv1.2 cipher suites are only compatible with TLSv1.2. TLS is backwards compatible with the SSL cipher suites, so the cipher suites from SSLv3 work with TLS. Although the Firefox devs implemented TLSv1.2 some time ago, they only implemented two of the new TLSv1.2 ciphers; the rest of them are all legacy ciphers from SSLv3, and I do not see any legitimate reason for this. I know the preferences in Firefox are named SSL regardless of the protocol, but the Firefox config naming policy is not what I was referring to.
Yes, I agree with that. Though most of the rest of the ciphers are not from SSLv3, but TLSv1.0 and extensions for TLSv1.0.
Guess people will just have to start using the Qualys SSL Server Test: https://dev.ssllabs.com/ssltest/ whenever they want to perform e-commerce activities with a web site. I am personally just using the tried and true phone connection more and more for my retail activities.
Yeah, that's a great tool. Some results are absolutely horrific in this day and age. I went back to paper for one of my credit cards last year when their support failed to respond to my emails about their using decade-old ciphers and authentication. I've used the card for almost 35 years, so I didn't want to dump 'em altogether. FYI for all: this is a really useful extension for Mozilla browsers. https://github.com/sibiantony/ssleuth