cipher specification cleanup
problem
Simmilar to https://python-nbxmpp.gajim.org/ticket/9 the eNULL
settings is not necessary default cipher config.
The 3DES cipher in HIGH cipher list is very old and slow when compared for example with AES. It can be safely removed for XTLS, see discussion here: https://www.mail-archive.com/openssl-users@openssl.org/msg72557.html
analysis
remove eNULL from cipher specification and disable 3DES for XTLS
enhancement recommendation
diff -r 052948aee9c9 src/common/config.py
--- a/src/common/config.py Mon Dec 16 13:20:06 2013 +0100
+++ b/src/common/config.py Wed Dec 18 18:17:19 2013 +0100
@@ -349,7 +349,7 @@
'enable_esessions': [opt_bool, True, _('Enable ESessions encryption for this account.')],
'autonegotiate_esessions': [opt_bool, True, _('Should Gajim automatically start an encrypted session when possible?')],
'connection_types': [ opt_str, 'tls ssl plain', _('Ordered list (space separated) of connection type to try. Can contain tls, ssl or plain')],
- 'cipher_list': [ opt_str, 'HIGH:!aNULL:!eNULL:RC4-SHA', '' ],
+ 'cipher_list': [ opt_str, 'HIGH:!aNULL:RC4-SHA', '' ],
'action_when_plaintext_connection': [ opt_str, 'warn', _('Show a warning dialog before sending password on an plaintext connection. Can be \'warn\', \'connect\', \'disconnect\'') ],
'warn_when_insecure_ssl_connection': [ opt_bool, True, _('Show a warning dialog before using standard SSL library.') ],
'warn_when_insecure_password': [ opt_bool, True, _('Show a warning dialog before sending PLAIN password over a plain connection.') ],
diff -r 052948aee9c9 src/common/jingle_xtls.py
--- a/src/common/jingle_xtls.py Mon Dec 16 13:20:06 2013 +0100
+++ b/src/common/jingle_xtls.py Wed Dec 18 18:17:19 2013 +0100
@@ -101,7 +101,7 @@
ctx = SSL.Context(SSL.SSLv23_METHOD)
flags = (SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3 | SSL.OP_SINGLE_DH_USE)
ctx.set_options(flags)
- ctx.set_cipher_list('HIGH:!aNULL:!eNULL')
+ ctx.set_cipher_list('HIGH:!aNULL:!3DES')
if fingerprint == 'server': # for testing purposes only
ctx.set_verify(SSL.VERIFY_NONE|SSL.VERIFY_FAIL_IF_NO_PEER_CERT,