Friday, February 24, 2017

OpenSSL cipher suite without forward secrecy

Firstly, you should not use this in normal use.

Sometimes, you might need to debug a problem that occurs behind TLS.

Wireshark can decode TLS traffic, given the session keys, or if forward secrecy ciphers was not used, the private key.

In the case of web traffic, SSLKEYLOGFILE can tell NSS, used by some browsers to log the keys. This is a better method than the one described here, but it is not an option if other clients are used, say in the case of SMTP.

An (OpenSSL) ciphersuite setting that excludes ciphers providing forward secrecy, while keeping strong ciphers is:
HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!DHE:!ECDHE:!EDH:!EECDH

This should be avoided in production and should only be used for debugging.

No comments: