[SailfishDevel] Sailfish HTTPS / SSL default cipher list

Kari Pihkala kari.pihkala at gmail.com
Wed Oct 16 16:25:09 UTC 2013


Hi Sailors!

After reading about the weak cipher list used in latest Android devices
[ http://op-co.de/blog/posts/android_ssl_downgrade/ ], I decided to check
how Sailfish looks like.

Fortunately, the native QML apps seem to use strong ciphers as the default
ciphers, at least in the emulator.

However, I can't test Sailfish/Jolla Android emulator, because I don't have
access to it. It would be great if someone who has access to it could
ensure that its cipher list doesn't have weak ciphers as default ciphers.
We don't want pirates to attack our connections :)

Here's my results from Sailfish SDK alpha, Android 2.2 and 4.2.2 emulator.
I run the emulators with simple apps which took https connections and at
the same time I run ssldump to see the cipher list. My ssldump version is
0.9b3 (Ubuntu 12.04) and it can't recognize all ciphers, but the unknown
values can be found at
http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml - I
have expanded some of them to the ssldumps.

> ssldump -i wlan0 -p 80

Sailfish SDK alpha, QML hello world app with this code:
            IconButton {
               icon.source: "https://www.google.com/images/srpr/logo4w.png"
               onClicked: console.log("Google!!!")
            }

        cipher suites
        Unknown value 0xa3 [TLS_DHE_DSS_WITH_AES_256_GCM_SHA384]
        Unknown value 0x9f [TLS_DHE_RSA_WITH_AES_256_GCM_SHA384]
        Unknown value 0x6b [TLS_DHE_RSA_WITH_AES_256_CBC_SHA256]
        Unknown value 0x6a [TLS_DHE_DSS_WITH_AES_256_CBC_SHA256]
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA
        Unknown value 0x88
        Unknown value 0x87
        Unknown value 0x9d
        Unknown value 0x3d
        TLS_RSA_WITH_AES_256_CBC_SHA
        Unknown value 0x84
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        Unknown value 0xa2
        Unknown value 0x9e
        TLS_DHE_DSS_WITH_NULL_SHA
        Unknown value 0x40
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        Unknown value 0x9a
        Unknown value 0x99
        Unknown value 0x45
        Unknown value 0x44
        Unknown value 0x9c
        Unknown value 0x3c
        TLS_RSA_WITH_AES_128_CBC_SHA
        Unknown value 0x96
        Unknown value 0x41
        TLS_RSA_WITH_IDEA_CBC_SHA
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        TLS_DHE_RSA_WITH_DES_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
        TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        Unknown value 0xff

Android 2.2 emulator
        cipher suites
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA
        TLS_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        TLS_DHE_RSA_WITH_DES_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
        TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        Unknown value 0xff

Android 4.2.2 emulator
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5 !!!!BAD!!!
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_AES_256_CBC_SHA
        Unknown value 0xc002
        Unknown value 0xc004
        Unknown value 0xc005
        Unknown value 0xc00c
        Unknown value 0xc00e
        Unknown value 0xc00f
        Unknown value 0xc007
        Unknown value 0xc009
        Unknown value 0xc00a
        Unknown value 0xc011
        Unknown value 0xc013
        Unknown value 0xc014
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        Unknown value 0xc003
        Unknown value 0xc00d
        Unknown value 0xc008
        Unknown value 0xc012
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_DHE_RSA_WITH_DES_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
        Unknown value 0xff

Firefox 21 (just to show how it looks like)
        cipher suites
        Unknown value 0xff [TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
        Unknown value 0xc00a [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA]
        Unknown value 0xc014 [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
        Unknown value 0x88 [TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA]
        Unknown value 0x87 [TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA]
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA
        Unknown value 0xc00f
        Unknown value 0xc005
        Unknown value 0x84
        TLS_RSA_WITH_AES_256_CBC_SHA
        Unknown value 0xc007
        Unknown value 0xc009
        Unknown value 0xc011
        Unknown value 0xc013
        Unknown value 0x45
        Unknown value 0x44
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        Unknown value 0xc00c
        Unknown value 0xc00e
        Unknown value 0xc002
        Unknown value 0xc004
        Unknown value 0x96
        Unknown value 0x41
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_AES_128_CBC_SHA
        Unknown value 0xc008
        Unknown value 0xc012
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        Unknown value 0xc00d
        Unknown value 0xc003
        Unknown value 0xfeff
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.sailfishos.org/pipermail/devel/attachments/20131016/3e525bd7/attachment.html>


More information about the Devel mailing list