GNOME Bugzilla – Bug 722755
Remove insecure ciphers or give end users ability to disable
Last modified: 2014-05-26 15:33:02 UTC
Visiting https://howsmyssl.com with dwb/libsoup earns a "Bad" rating due to the presence of the insecure cipher suite TLS_DHE_DSS_WITH_RC4_128_SHA. Can this cipher suite please be removed from libsoup, or at the very least give users an easy way to disable it without having to edit source and recompile? Environment: Archlinux x64 | dwb 2013.03.30-2 | libsoup 2.44.2-1
We don't override gnutls's security decisions; they know more about security than we do. If you think that should be removed from the defaults, file a bug with gnutls. In the meantime, you can override the defaults by setting "G_TLS_GNUTLS_PRIORITY=NORMAL:%COMPAT:-ARCFOUR-128" in your environment.
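One way to confirm that the priority string from the comment above really drops RC4 before exporting it as G_TLS_GNUTLS_PRIORITY (an added example, not part of the original thread and not libsoup or GnuTLS code): it filters a `gnutls-cli --list --priority` listing for RC4 suites, which GnuTLS names ARCFOUR. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: does a GnuTLS priority string still enable RC4 (ARCFOUR)?

# Read a `gnutls-cli --list` listing on stdin and print the names of any
# RC4 cipher suites in it. Prints nothing when no RC4 suite is enabled.
rc4_suites() {
    awk '$1 ~ /^TLS_/ && $1 ~ /(ARCFOUR|RC4)/ { print $1 }'
}

# Return 0 if the priority string enables no RC4 suite, 1 if it does,
# 2 if gnutls-cli is missing or rejects the string.
check_priority() {
    prio=$1
    command -v gnutls-cli >/dev/null 2>&1 || {
        echo "gnutls-cli not found" >&2; return 2; }
    listing=$(gnutls-cli --list --priority "$prio" 2>/dev/null) || {
        echo "priority string rejected: $prio" >&2; return 2; }
    found=$(printf '%s\n' "$listing" | rc4_suites)
    if [ -n "$found" ]; then
        printf 'RC4 still enabled by %s:\n%s\n' "$prio" "$found" >&2
        return 1
    fi
    return 0
}

# Constructed sample listing (not captured from a real system), shaped
# like gnutls-cli output: suite name, code point, minimum protocol.
sample_listing() {
    cat <<'EOF'
Cipher suites for NORMAL:%COMPAT
TLS_DHE_RSA_AES_128_CBC_SHA1        0x00, 0x33   SSL3.0
TLS_DHE_DSS_ARCFOUR_128_SHA1        0x00, 0x66   SSL3.0
TLS_RSA_ARCFOUR_128_SHA1            0x00, 0x05   SSL3.0
TLS_RSA_ARCFOUR_128_MD5             0x00, 0x04   SSL3.0
EOF
}

# Stand-alone use: ./check.sh 'NORMAL:%COMPAT:-ARCFOUR-128'
[ "$#" -eq 0 ] || check_priority "$1"
```

Only export the string once the check exits 0; exit status 1 means at least one RC4 suite is still enabled.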
OK, thanks for the quick response and environment setting workaround. I'll open up a ticket with gnutls.
*** Bug 730477 has been marked as a duplicate of this bug. ***
Hi Seth, since this doesn't seem to have been fixed yet, could you post a link to the GnuTLS bug you created? Thanks.
Actually I forgot to file a bug report with GnuTLS so thanks for updating this issue and reminding me to do so. Here's the link: https://savannah.gnu.org/support/index.php?108577
I'm having trouble registering an account on Savannah, or I would respond there, but RC4-128 is not the problem since howsmyssl is fine with both TLS_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_RC4_128_MD5 -- it's only TLS_DHE_DSS_WITH_RC4_128_SHA that they consider problematic.
Turns out this is a bug with howsmyssl.com: https://github.com/jmhodges/howsmyssl/issues/35