Maintained by: NLnet Labs

[Unbound-users] weak ciphers enabled to remote-control nsd+unbound

Andreas Schulze
Wed Nov 13 22:07:41 CET 2013


Hello,

nsd and unbound can be controlled using nsd-control and unbound-control.
SSL is used to ensure privacy and authentication. Although those
connections are commonly used at localhost only, they are usable over
public networks by design.

But the server allows weak ciphers. Users have no option to control
these settings.

# sslscan --no-failed localhost:8952
                    _
            ___ ___| |___  ___ __ _ _ __
           / __/ __| / __|/ __/ _` | '_ \
           \__ \__ \ \__ \ (_| (_| | | | |
           |___/___/_|___/\___\__,_|_| |_|

                   Version 1.8.2
              http://www.titania.co.uk
         Copyright Ian Ventura-Whiting 2009

Testing SSL server localhost on port 8952

   Supported Server Cipher(s):
     Accepted  SSLv3  256 bits  AES256-SHA
     Accepted  SSLv3  128 bits  AES128-SHA
     Accepted  SSLv3  168 bits  DES-CBC3-SHA
     Accepted  SSLv3  56 bits   DES-CBC-SHA
     Accepted  SSLv3  128 bits  RC4-SHA
     Accepted  SSLv3  128 bits  RC4-MD5
     Accepted  TLSv1  256 bits  AES256-SHA
     Accepted  TLSv1  128 bits  AES128-SHA
     Accepted  TLSv1  168 bits  DES-CBC3-SHA
     Accepted  TLSv1  56 bits   DES-CBC-SHA
     Accepted  TLSv1  128 bits  RC4-SHA
     Accepted  TLSv1  128 bits  RC4-MD5

   Prefered Server Cipher(s):
     SSLv3  256 bits  AES256-SHA
     TLSv1  256 bits  AES256-SHA

I suggest enhancing the code to use a fixed cipher and protocol by default
and optionally making these settings configurable.

Also DH key exchange would be nice (PFS,
http://de.wikipedia.org/wiki/Perfect_Forward_Secrecy)

Andreas
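
The following is an added example, not part of the original post and not NLnet Labs code: a small audit script that parses the "Accepted" lines of the sslscan output quoted above and reports why each suite is weak. The classification rules (SSLv* as legacy, keys under 128 bits, RC4, MD5, 3DES, no DHE/ECDHE prefix) are this example's own policy and assume pre-TLS 1.3 OpenSSL cipher names.

```python
import re

# Constructed sample: the "Accepted" lines copied from the sslscan run in the post.
SAMPLE = """\
     Accepted  SSLv3  256 bits  AES256-SHA
     Accepted  SSLv3  128 bits  AES128-SHA
     Accepted  SSLv3  168 bits  DES-CBC3-SHA
     Accepted  SSLv3  56 bits   DES-CBC-SHA
     Accepted  SSLv3  128 bits  RC4-SHA
     Accepted  SSLv3  128 bits  RC4-MD5
     Accepted  TLSv1  256 bits  AES256-SHA
     Accepted  TLSv1  128 bits  AES128-SHA
     Accepted  TLSv1  168 bits  DES-CBC3-SHA
     Accepted  TLSv1  56 bits   DES-CBC-SHA
     Accepted  TLSv1  128 bits  RC4-SHA
     Accepted  TLSv1  128 bits  RC4-MD5
"""
LINE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+) bits\s+(\S+)\s*$")
NO_PFS = "no forward secrecy"

def findings(proto, bits, cipher):
    """Reasons (example policy, see lead-in) an accepted suite is undesirable."""
    reasons = []
    if proto.startswith("SSLv"):
        reasons.append("legacy protocol " + proto)
    if bits < 128:
        reasons.append("%d-bit key" % bits)
    if "RC4" in cipher:
        reasons.append("RC4")
    if cipher.endswith("-MD5"):
        reasons.append("MD5 MAC")
    if "DES-CBC3" in cipher:
        reasons.append("3DES")
    # OpenSSL names ephemeral-DH suites DHE-/EDH-/ECDHE-; anything else is static.
    if not cipher.startswith(("DHE-", "EDH-", "ECDHE-")):
        reasons.append(NO_PFS)
    return reasons

def audit(text):
    """Parse sslscan text into (protocol, cipher, reasons) tuples."""
    rows = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        proto, bits, cipher = m.group(1), int(m.group(2)), m.group(3)
        rows.append((proto, cipher, findings(proto, bits, cipher)))
    return rows

def summary(rows):
    """Count accepted suites, suites weak beyond missing PFS, and PFS suites."""
    weak = [r for r in rows if any(x != NO_PFS for x in r[2])]
    pfs = [r for r in rows if NO_PFS not in r[2]]
    return {"accepted": len(rows), "weak": len(weak), "forward_secret": len(pfs)}

if __name__ == "__main__":
    for proto, cipher, why in audit(SAMPLE):
        print("%-6s %-14s %s" % (proto, cipher, ", ".join(why)))
    print(summary(audit(SAMPLE)))
```

Re-running the same script on a scan taken after a cipher-list change shows whether the weak and non-forward-secret counts actually dropped.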