-
Notifications
You must be signed in to change notification settings - Fork 7.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
howsmyssl reports Bad due to insecure cipher suites #575
Comments
Would it be as simple as editing |
I feel this should go to espressif/esp-idf instead. |
We have a fix for this coming in IDF (disabling 3DES by default). I've added a link to this issue to the commit so there will be a notification here when it lands in IDF master branch. For the record, the Sweet32 attack which leads to the "Bad" result requires the attacker to capture around 785GB of traffic from a single client session. Which is probably a challenge for most ESP32-based devices! But that's no reason we shouldn't disable it by default (it also saves some code size, which is nice.) |
Since ba929be howsmyssl reports "Probably Okay" which is the highest rating. The latest versions of Firefox and Chrome receive the same rating.
|
* Disables 3DES, Camellia, Blowfish, RC4, RIPEMD160, SSLv3, TLS-PSK modes, DTLS by default * Saves about 40KB from the default TLS client code size * Defaults no longer get "Bad" howsmyssl.com rating (no more vulnerable 3DES) (ping espressif/arduino-esp32#575 ) * Allows up to another 20-30KB code size to be trimmed without security implications if using DER formatted certificates, RSA ciphersuites only, etc. * Can save up to another 8KB by setting the TLS Role to Server or Client only.
Hardware:
Board: Adafruit Huzzah32
Core Installation/update date: 10/Aug/2017
IDE name: Arduino IDE 1.8.2
Flash Frequency: 80Mhz
Upload Speed: 921600
Description:
https://howsmyssl.com reports overall result of Bad due to insecure cipher suites.
Sketch:
Debug Messages:
The text was updated successfully, but these errors were encountered: