Allow cipher spec setting
I want to use an RSA certificate because RSA is more widely supported. However, I want to refuse to use straight-RSA key exchange cipherspecs; I want to only ever use RSA+DHE key exchanges because they add perfect forward secrecy. I can't do that because bip doesn't allow me to enter a cipherspec string restricting what types of cipherspecs to use. Basically I want Apache/mod_ssl's SSLCipherSuite (<http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite>) in bip. This would also allow the administrator to disable other miscellaneous cipherspecs if they prove to be insecure without having to wait for new versions of software to come out.
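To make the requested setting concrete, here is an added example (not bip's code and not part of this ticket) that writes the policy as an OpenSSL cipher string and checks, through Python's ssl module, which wraps the same cipher-list syntax an OpenSSL-linked program like bip would pass to SSL_CTX_set_cipher_list, that no static-RSA key exchange survives the filter. The policy string and the comparison suite are choices made for this example; it also admits ECDHE next to DHE, since both give forward secrecy with an RSA certificate.

```python
import ssl

# Cipher string for the policy asked for above: an RSA certificate (aRSA)
# with only ephemeral key exchange (DHE, plus ECDHE), and static-RSA key
# exchange (kRSA) explicitly refused. Constructed for this example; drop
# "ECDHE+aRSA:" to match the ticket's DHE-only wording exactly.
PFS_RSA_POLICY = "ECDHE+aRSA:DHE+aRSA:!kRSA:!aNULL:!eNULL:!MD5:!RC4"

# One TLS 1.2 suite that uses static RSA key exchange, for comparison.
STATIC_RSA_SUITE = "AES128-GCM-SHA256"


def select_ciphers(cipher_string):
    """Apply an OpenSSL cipher string to a server context and return the
    suites OpenSSL would offer, as dicts from SSLContext.get_ciphers()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def uses_static_rsa_kx(cipher):
    """True when the suite derives the session key with the certificate's
    RSA key, i.e. no forward secrecy. TLS 1.3 suites report 'kx-any' and
    are always ephemeral, so they pass this check."""
    return (cipher.get("kea") == "kx-rsa"
            or "Kx=RSA" in cipher.get("description", ""))


def has_static_rsa_kx(cipher_string):
    """Does any suite selected by this cipher string lack forward secrecy?"""
    return any(uses_static_rsa_kx(c) for c in select_ciphers(cipher_string))


def policy_is_usable(cipher_string):
    """False when the string leaves no TLS 1.2 suite at all, which OpenSSL
    rejects ("No cipher can be selected") rather than silently accepting."""
    try:
        select_ciphers(cipher_string)
    except ssl.SSLError:
        return False
    return True


if __name__ == "__main__":
    for spec in (PFS_RSA_POLICY, STATIC_RSA_SUITE):
        print(f"{spec}: static RSA key exchange = {has_static_rsa_kx(spec)}")
        for c in select_ciphers(spec):
            print("   ", c["description"])
```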
Updated by Marian S over 9 years ago
I'd like to push this and I'd think this is not an enhancement but a bug.
Even though bip maybe isn't vulnerable to the SSL 3.0 vulnerability exposed today (POODLE), something else can come out any day. And, generally, it is a very good idea to be able to blacklist ciphers/protocols that are no longer in use.
Thus I'd say this deserves a high priority and I'd be very happy to see this implemented!
Updated by Pierre-Louis Bonicoli almost 8 years ago
- Status changed from Resolved to In Progress
- Assignee set to Pierre-Louis Bonicoli
- Target version set to 0.9.0
- % Done changed from 100 to 50
- Patch Available changed from No to Yes
- Confirmed changed from No to Yes
Test in progress: see 6691f89c382fd32d2511166fd95af4f7f964d36a.