[From nobody Thu Jun 25 05:54:45 2020 Received: from sonic301-4.consmr.mail.bf2.yahoo.com ([74.6.129.43]) by bombadil.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat Linux)) id 1fj894-00081W-EI for openwrt-devel@lists.openwrt.org; Fri, 27 Jul 2018 19:11:23 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1532718670; bh=k1I52Bj5Iu4A4L3TSk7c0GdqL699P1ofdIuD7KWWwys=; h=From:To:Cc:Subject:Date:From:Subject; b=gBJVk0OxATSsEfNMA1f63iFVV/DX0K//z/pyvPuSgFgxOCy8Qom1Lz3QFSqspZWZTZkXJtu1A0+/ZC2y46cLkZUaER0NZaOCcMarNGeQcOvs5lrbOQ3nbzkOvmCguADCddOvse5aRQJokOvOC0rh44KTSIVSxCnHPg5qWxGr1Z7TcpD9JiUxyVAlzaXNBSWUOAxjbyx4t6pjYQaXwumi4jG66dNUNEP5a318TzPOiOV4TqV5i/NeYC4QPk0nGSheKJy9yp9R/CgklQW4yc3lNC5vcCumDFWKg+W7SUs5GMRLOImhqJWoKxZJUvjSy36tvphHZo8soCahdHN4Wb32tA== X-YMail-OSG: .ZgCZPcVM1nRFz40_ZkwGLBbUyZIiW7xYRNByvSWSmuYJvayLOmDaHAZxAv9X4Z XYFdfTFasZJJFi89sQojYti4xbM0JK9XNjybOKbPa3iwEAvfVOUCr0Wxd.yPju2uCZnORJdVT.HX waHW1CRe.dXryJ48BlbR30QsNWlW11v.Z6W5GmkkJ0aBL7.CfXADRhWaoZB1tk4UzfyVyqd1OwJv ToWihu1X5a.KRpDMkkF2DVKnAqyZb0MjMCZwf9U_eSVNVGlHPEhWjGTR1IQrgXsSggWJWjuXf0sX cY3W7._czFkSdkSd4rRwhhWp2zBuYlqj.ibKIgHnUavvyUlQGBEpPgp6eLzJDzktamUJA2Gdhqvl XzXqXpGZ76usJlB0SgHkGH4J9aD3txGInUrvJmV98T9tcxyoKYc_V5JL_ELBTxszZk5eEsZubU.z ClGGDLF5SQfTxZPPrVAxb93_k7mISwctAd9412wUI4lrrL.QWfmo8.i61ko3J0XqrF5T6mmXXS57 Y._jKjWiTMbW6zWG_9EuAqg4SowJgmX7nojs02iBSbw5XoaDVJN8bbX5Oe8UBHXwNeLhpwAfxfWl 4eE4fRdXkR_qNLtTNAFW.a2XUWJ1PV4XcEfQlElrJuWHkf0l3AhOcla1j1Benf1DjwqwXubijtSy McC1TBNGciP05lEEkmpoUxmhEFMdx0qdaSWbnHl1TrnzlYqAZzVHEphntuDjVRr19bBOki2UR8Sn 2Io0xOHgSyJKE7agDz1WBR8yWseZTTbQmI6xnUvfaZq4fxBmJdSwIcoWnhAQHqiksQkyS_qRTSwY Q1Qn_QrNpmuAfhZo8Uc7vbx3Z3x.UniXVM7k0_vcU9OHOI.QpjGe0NkcVo_uUTeXTN04N8C2tMH. oPLgaVK4cB9.ez78wGkkkw3YfNMPinNhdl191deVLq8GrPekOv7Ms5Dgtq0b2ajx6HUai4ZApbAg xl1hAUfcB_9KdWH8LTVLkbPjGDUIy4VXvMg-- Received: from sonic.gate.mail.ne1.yahoo.com by sonic301.consmr.mail.bf2.yahoo.com with HTTP; Fri, 27 Jul 2018 19:11:10 +0000 Received: from 18.175.75.177.infopasa.com.br (EHLO gateway.troianet.com.br) ([177.75.175.18]) by smtp423.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 544a94327268fd5815776de5221668b9; Fri, 27 Jul 2018 19:11:07 +0000 (UTC) From: Eneas U de Queiroz <cote2004-github@yahoo.com> To: openwrt-devel@lists.openwrt.org Cc: Eneas U de Queiroz <cote2004-github@yahoo.com> Subject: [PATCH 0/1] ustream-ssl: uniform ciphersuite list Date: Fri, 27 Jul 2018 16:10:19 -0300 Message-Id: <20180727191020.18634-1-cote2004-github@yahoo.com> X-Mailer: git-send-email 2.16.4 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20180727_121122_548408_1C8CC626 X-CRM114-Status: UNSURE ( 2.90 ) X-CRM114-Notice: Please train this message. X-Spam-Score: -0.1 (/) X-Spam-Report: SpamAssassin version 3.4.1 on bombadil.infradead.org summary: Content analysis details: (-0.1 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [74.6.129.43 listed in list.dnswl.org] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (cote2004-github[at]yahoo.com) -0.0 SPF_PASS SPF: sender matches SPF record 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature This patch enhances security in openssl and wolfssl, to match those used in mbedtls, and fixes selection of TLS protocol in wolfssl. WolfSSL was not honoring protocol selection using SSL_CTX_set_options, so TLSv1_2_server_method needs to be used instead. Here's the ciphersuite ordering being used: - key exchange: prefer ECDHE, then DHE(client only), then RSA - prefer AEAD ciphers: chacha20-poly1305, the fastest in software, 256-bits aes128-gcm, 128-bits aes256-gcm, 256-bits - CBC ciphers aes128, aes256, 3DES(client only) This list is already being used with mbedtls (minus chacha cipher that is not available). Note that the wolfssl does not understand some of openssl chiper list directives that were previously used , such as !RC4 to remove RC4 suites, or @STRENGTH, to order them by strength. Eneas U de Queiroz (1): openssl, wolfssl: match mbedTLS ciphersuite list ustream-openssl.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 54 insertions(+), 6 deletions(-) -- 2.16.4 ]