curl bundled with mavericks includes support for NULL ciphersuites in ClientHello
| Originator: | koziarski | ||
| Number: | rdar://15785040 | Date Originated: | |
| Status: | Open | Resolved: | |
| Product: | OSX | Product Version: | 10.9 |
| Classification: | Security | Reproducible: | Always |
Summary:
The version of curl, and presumably libcurl, bundled with mavericks includes support for insecure ciphersuites in the ClientHello by default. These ciphersuites provide no confidentiality of the communications used.
Ideally the client will only support ciphersuites which provide confidentiality.
Steps to Reproduce:
1. using howsmyssl.com, get a list of the ciphersuites provided in the ClientHello
> curl https://www.howsmyssl.com/a/check
2. Check the resulting json for given_cipher_suites and insecure_cipher_suites
Expected Results:
insecure_cipher_suites should be empty, and the given_cipher_suites list should only contain ciphersuites that provide confidentiality and integrity protection.
Actual Results:
the cipher suites actually include:
"TLS_PSK_WITH_NULL_SHA384",
"TLS_PSK_WITH_NULL_SHA256",
"TLS_PSK_WITH_NULL_SHA",
"TLS_RSA_WITH_NULL_SHA256"
The NULL ciphersuite shouldn't be included by default.
Version:
OSX 10.9.1
Notes:
Configuration:
appears to occur on all computers I have access to which run mavericks
Attachments:
Comments
Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!