[imp] IE5 export cipher broken-ness.

Lord Apollyon implist at paypc.com
Thu Sep 4 13:09:16 PDT 2003


If you're using the Laurie Apache-SSL, shove the following into your
httpsd.conf file (and all SSL virtualhost directives):

SSLRequiredCiphers DH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:\
DES-CBC3-SHA:DES-CBC3-MD5:DHE-DSS-RC4-SHA:\
IDEA-CBC-SHA:RC4-SHA:RC4-MD5:IDEA-CBC-MD5:\
RC2-CBC-MD5:RC4-MD5:RC4-64-MD5:EDH-RSA-DES-CBC-SHA:\
EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:\
EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:\
EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5:\
EXP-RC2-CBC-MD5:EXP-RC4-MD5

This selectively disables the buggy EXP1024 ciphers which cause the
56-bit-only IE5s so much grief.  Some solutions I've seen advocated around
the net involve disabling all of SSLv3!!!  *BAD* *STUPID* *LAZY*  Very bad.

Note the "Required" as opposed to "Require" - very different animal - the
"SSLRequire" directive only does gating AFTER the fact, whereas the
SSLRequired directive actually controls the SSL handshake process.  Mind
your d's and q's.

If you're using mod_ssl, your job is easier, just follow the instructions at
the URL I pasted in my last email.

Include the following:

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

Also, PAY ATTENTION to the warning about SSL session re-use.  You must use
an SSL session cache to address the last of IE5's sneakier little SSL bugs.

One other thing, for reasons unknown to me - IE ships with TLSv1 support
*DISABLED*. Even recent versions.  I've configured my Horde login to display
a little summary of the encryption details used to connect with colour-coded
keysize and everything. (Anything > 128 is green).  I noticed some
interesting things...

IE always uses 128 bit RC4 SSLv3 and MD5 hashing
Mozilla Firebird uses 128 bit RC4 TLSv1 and MD5
Safari under Mac Oh Sucks uses 168 bit 3DES CBC with SHA1

For grins, I turned on TLSv1 with IE, and things worked fine - with just the
minor change of negotiated cipher/etc.

I've yet to see a browser negotiate for IDEA.  RC4 is by far the fastest of
the ciphers of course.  3DES is nasty (about 1/6th the speed of RC4 in 3DES
CBC mode), and for the purposes of comparing keysizes (this is always
dangerous territory), it's equivalent to 112 bits.  (See the established
cryptographic literature for an explanation.)  Busy SSL servers may wish to
take this into account, though the connection initiation operations are
typically the most expensive part.

Using the Intel 7.1 gloriously-optimising compiler on a P4 shows that Pure C
AES-128 implementations approach Blowfish and RC4 performance levels (for
the OpenSSL 0.9.7b library).  It's within 30%, which is respectable given
the other two have ASM core helpers.  The P4 definitely dislikes misaligned
long-word memory fetch/stash operations, though.  Yikes.

=Apollyon=
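
Added illustration (not part of the post above): a small Python model of how OpenSSL evaluates the mod_ssl `SSLCipherSuite` string quoted earlier, and a plain explicit list like the `SSLRequiredCiphers` one. The suite table is constructed and abbreviated with OpenSSL 0.9.7-era names, and its order stands in for OpenSSL's default ordering, so the result shows the operator semantics (why `!EXPORT56` drops the EXP1024 suites while `+EXP` keeps the 40-bit ones as a last resort) rather than reproducing `openssl ciphers -v` output.

```python
# Added example, not from the original post. Constructed, abbreviated suite
# table: attribute tags follow OpenSSL 0.9.7 naming. Real "ALL" also excludes
# eNULL and applies a default strength ordering that this model omits.
SUITES = {
    "DES-CBC3-SHA":        {"3DES", "RSA", "SHA1", "HIGH", "SSLv3"},
    "RC4-SHA":             {"RC4", "RSA", "SHA1", "MEDIUM", "SSLv3"},
    "RC4-MD5":             {"RC4", "RSA", "MD5", "MEDIUM", "SSLv3"},
    "ADH-RC4-MD5":         {"RC4", "ADH", "MD5", "MEDIUM", "SSLv3"},
    "DES-CBC-SHA":         {"DES", "RSA", "SHA1", "LOW", "SSLv3"},
    "EXP1024-RC4-SHA":     {"RC4", "RSA", "SHA1", "EXP", "EXPORT56", "SSLv3"},
    "EXP1024-DES-CBC-SHA": {"DES", "RSA", "SHA1", "EXP", "EXPORT56", "SSLv3"},
    "EXP-RC4-MD5":         {"RC4", "RSA", "MD5", "EXP", "EXPORT40", "SSLv3"},
    "RC4-64-MD5":          {"RC4", "RSA", "MD5", "LOW", "SSLv2"},
}


def evaluate(cipher_string, suites=SUITES):
    """Return the ordered list of suites a cipher string selects.

    Operators as OpenSSL documents them: a bare word adds matching suites not
    yet present; "-" removes them (they may be re-added later); "!" removes
    them permanently; "+" moves already-present matches to the end; "A+B"
    matches only suites carrying every listed attribute. A bare suite name
    (as in an explicit SSLRequiredCiphers list) matches just that suite.
    """
    selected, killed = [], set()
    for token in cipher_string.split(":"):
        op, name = (token[0], token[1:]) if token and token[0] in "!-+" else ("", token)
        if name == "ALL":
            matched = list(suites)
        else:
            wanted = set(name.split("+"))
            matched = [s for s in suites if wanted <= suites[s] or s == name]
        if op == "!":
            killed.update(matched)
            selected = [s for s in selected if s not in matched]
        elif op == "-":
            selected = [s for s in selected if s not in matched]
        elif op == "+":
            moved = [s for s in selected if s in matched]
            selected = [s for s in selected if s not in matched] + moved
        else:
            selected += [s for s in matched if s not in selected and s not in killed]
    return selected


def export56_suites(selected, suites=SUITES):
    """The EXP1024 (EXPORT56) suites still on offer; the post says to drop them."""
    return [s for s in selected if "EXPORT56" in suites[s]]


if __name__ == "__main__":
    print(evaluate("ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"))
    print(export56_suites(evaluate("ALL")))
```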


