Enhancement #301: Allow cipher spec setting - Bip - DuckCorp Projects

Enhancement #301

Allow cipher spec setting

Added by Christopher Head almost 11 years ago. Updated over 6 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Pierre-Louis Bonicoli

Target version:

0.9.0

Start date:

2012-08-11

Due date:

% Done:

100%

Estimated time:

Patch Available:

Yes

Found in Versions:

Confirmed:

Yes

Branch:

Security:

Yes

Help Needed:

Description

I want to use an RSA certificate because RSA is more widely supported. However, I want to refuse to use straight-RSA key exchange cipherspecs; I want to only ever use RSA+DHE key exchanges because they add perfect forward secrecy. I can't do that because bip doesn't allow me to enter a cipherspec string restricting what types of cipherspecs to use. Basically I want Apache/mod_ssl's <http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite> in bip. This would also allow the administrator to disable other miscellaneous cipherspecs if they prove to be insecure without having to wait for new versions of software to come out.

Associated revisions

Revision 6691f89c (diff)
Added by Pierre-Louis Bonicoli about 7 years ago

Add cipher specifications setting

Allow to configure cipher specifications for the listening bip
connection and for each outgoing IRC connection.

Closes #301

Revision ab8e5eec (diff)
Added by Pierre-Louis Bonicoli over 6 years ago

Add cipher specifications setting

Allow to configure cipher specifications for the listening bip
connection and for each outgoing IRC connection.

Closes #301

History

Updated by Marian S over 8 years ago

I'd like to push this and I'd think this is not an enhancement but a bug.
Even though bip maybe isn't vulnerable to the SSL 3.0 vulnerability exposed today (poodle), something else can come out any day. And, generally, it is a very good idea to be able to blacklist ciphers/protocols that are no longer in use.
Thus I'd say this deserves a high priority and I'd be very happy to see this implemented!