
curl-users

Re: How to permanently disable ciphers in curl command line.

From: Spork Schivago <sporkschivago_at_gmail.com>
Date: Sun, 17 Jul 2016 14:06:48 -0400

Thank you.

I was more interested in system wide, not so much user wide. I know
certain ciphers are weak and I was trying to harden my system a bit and I
thought if I could prevent users from using weak ciphers altogether,
that'd be great. Right now, I'm the only user so maybe just disabling it
in my .curlrc file will be enough.

I also noticed packages are old with this VPS. I have the epel repository
and that provides newer software for certain packages and gives me packages
I don't normally have in my repository, like chkrootkit. chkrootkit's
latest version is 0.50 and that was released in 2014 I believe. EPEL
gives me access to version 0.49 so it's still a bit outdated.

I don't know a lot about CentOS but I'm learning. I see the latest
version of curl is 7.49.1. I'm running 7.19.7. I didn't realize the
latest version of curl in the default repositories was so ancient. I'm
tempted to try enabling this city-fan.org repo to pull in much more recent
versions of stuff like OpenSSL, curl, etc. I found a website describing
how to do this:

https://www.digitalocean.com/community/questions/how-to-upgrade-curl-in-centos6

It's a tough decision though. I'm afraid it might break stuff and because
the server has cPanel / WHM, I can't really set up CentOS 6 on a system at
my home and try it there. I pay GoDaddy $10 extra a month for the cPanel
/ WHM stuff. If I were to purchase it myself, I'd have to pay around $200
a year. I don't want to pay that just to set it up on a home system to
see if updating curl / libcurl on CentOS 6 using the city-fan.org repo will
break anything.

In the article, they discuss disabling the repo after installing the newer
version of curl, but I think I'd leave it enabled, so yum can always pull
in the newest versions.

If I knew more about servers and everything, I'd probably just try to get a
static IP address for my home server and run my server from there. I'd
have more access but less bandwidth, because we go through Time Warner for
broadband.

Thanks for the help though guys. I appreciate you taking the time to
answer my questions. I'm sure they're pretty simple questions compared to
what this list normally gets.

On Sun, Jul 17, 2016 at 2:53 AM, Ray Satiro via curl-users <
curl-users_at_cool.haxx.se> wrote:

> On 7/16/2016 6:08 PM, Spork Schivago wrote:
>
>> Is there a way to disable it system wide? For example, is there a config
>> file somewhere that curl reads from or something where I can specifically
>> say --ciphers 'ALL:!SHA!:!MD5:!aNULL' so they're never used by default?
>> Or would I have to download the source file and custom build curl and its
>> library?
>>
>
> Put the cipher list in ~/.curlrc but the format depends which SSL backend
> you are using. For OpenSSL you could use the default cipher selection in
> curl 7.49.1 [1].
>
> cipher = "ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH"
>
> For NSS it's difficult because there's no "ALL". You might be able to do
> something like this:
>
> cipher = "ecdhe_ecdsa_aes_128_gcm_sha_256,ecdhe_rsa_aes_128_gcm_sha_256,dhe_rsa_aes_128_gcm_sha_256,rsa_aes_128_gcm_sha_256,ecdhe_ecdsa_aes_256_sha,ecdhe_rsa_aes_256_sha,dhe_rsa_aes_256_sha,dhe_rsa_aes_256_sha256,dhe_dss_aes_256_sha,rsa_aes_256_sha,aes_256_sha_256,ecdhe_ecdsa_aes_128_sha,ecdhe_rsa_aes_128_sha,dhe_rsa_aes_128_sha,dhe_rsa_aes_128_sha256,dhe_dss_aes_128_sha,rsa_aes_128_sha,aes_128_sha_256,dhe_rsa_3des_sha,dhe_dss_3des_sha,rsa_3des_sha"
>
> But you might not because your curl is so old it may not recognize half
> that (it depends whether the package maintainers are updating the cipher
> list). And if the cipher test result doesn't change or curl returns error
> 56 cipher selection failed then I don't know if it's possible with NSS in
> your version.
>
>
> [1]:
> https://github.com/curl/curl/blob/curl-7_49_1/lib/vtls/openssl.h#L119-L120

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-users
FAQ: https://curl.haxx.se/docs/faq.html
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-07-17
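The point of Ray's reply is that the right `ciphers` value for `~/.curlrc` depends on which TLS backend the curl binary was built against, and that a cipher string should be checked before it is trusted to exclude weak suites. Below is an added example (not code from this thread or from the curl project) that does both: it reads the backend name out of `curl --version` output, expands an OpenSSL-format cipher string through Python's `ssl` module and flags any weak suite that survives, applies a name-based sanity check to an NSS-format comma list, and renders the resulting `curlrc` line. The two `curl --version` samples are constructed for the example; the OpenSSL and NSS cipher strings are the ones Ray posted; the lists of "weak" name markers are this example's own assumptions, and the OpenSSL expansion reflects the OpenSSL linked into the local Python, not the curl on the CentOS 6 VPS.

```python
import re
import ssl

# Ray's suggested cipher strings, quoted from the thread above.
OPENSSL_SPEC = "ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH"
NSS_SPEC = (
    "ecdhe_ecdsa_aes_128_gcm_sha_256,ecdhe_rsa_aes_128_gcm_sha_256,"
    "dhe_rsa_aes_128_gcm_sha_256,rsa_aes_128_gcm_sha_256,"
    "ecdhe_ecdsa_aes_256_sha,ecdhe_rsa_aes_256_sha,dhe_rsa_aes_256_sha,"
    "dhe_rsa_aes_256_sha256,dhe_dss_aes_256_sha,rsa_aes_256_sha,aes_256_sha_256,"
    "ecdhe_ecdsa_aes_128_sha,ecdhe_rsa_aes_128_sha,dhe_rsa_aes_128_sha,"
    "dhe_rsa_aes_128_sha256,dhe_dss_aes_128_sha,rsa_aes_128_sha,aes_128_sha_256,"
    "dhe_rsa_3des_sha,dhe_dss_3des_sha,rsa_3des_sha"
)

# Constructed samples of `curl --version` first lines (not captured from a real host).
CENTOS6_VERSION = ("curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21.0 "
                   "zlib/1.2.3 libidn/1.18 libssh2/1.4.2\nProtocols: http https ...")
UPSTREAM_VERSION = ("curl 7.49.1 (x86_64-pc-linux-gnu) libcurl/7.49.1 OpenSSL/1.0.2h "
                    "zlib/1.2.8\nProtocols: http https ...")

# Backends that curl prints as NAME/version on the first line of `curl --version`.
BACKEND_RE = re.compile(r"\b(OpenSSL|LibreSSL|BoringSSL|NSS|GnuTLS|wolfSSL|mbedTLS)/")

# Assumed markers of suites that should never survive a hardened list.
WEAK_OPENSSL_MARKERS = ("RC4", "MD5", "NULL", "EXP-", "DES-CBC-SHA", "ADH-", "AECDH-")
WEAK_NSS_MARKERS = ("rc4", "md5", "null", "export", "rc2", "_des_")  # "_des_" != "_3des_"
NSS_NAME_RE = re.compile(r"^[a-z0-9_]+$")


def detect_backend(version_output):
    """Return the TLS backend named on the first line of `curl --version`, or 'unknown'."""
    first_line = version_output.splitlines()[0] if version_output else ""
    match = BACKEND_RE.search(first_line)
    return match.group(1) if match else "unknown"


def expand_openssl_spec(spec):
    """Expand an OpenSSL cipher string into the suite names the local OpenSSL enables.

    Raises ssl.SSLError when the string selects nothing, which is the same
    failure curl reports as a cipher selection error.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]


def weak_openssl_ciphers(spec):
    """Suite names in the expanded OpenSSL spec that match a weak marker."""
    return [n for n in expand_openssl_spec(spec)
            if any(marker in n for marker in WEAK_OPENSSL_MARKERS)]


def weak_nss_ciphers(spec):
    """Names in an NSS-format comma list that match a weak marker.

    NSS cannot be expanded offline like OpenSSL, so this only checks syntax
    and name substrings; whether each name exists depends on the curl build.
    """
    names = [n.strip() for n in spec.split(",") if n.strip()]
    bad = [n for n in names if not NSS_NAME_RE.match(n)]
    if bad:
        raise ValueError("not NSS-style cipher names: %s" % ", ".join(bad))
    return [n for n in names if any(marker in n for marker in WEAK_NSS_MARKERS)]


def curlrc_line(backend, spec=None):
    """Render the `ciphers` entry for ~/.curlrc for the detected backend."""
    if spec is None:
        if backend in ("OpenSSL", "LibreSSL", "BoringSSL"):
            spec = OPENSSL_SPEC
        elif backend == "NSS":
            spec = NSS_SPEC
        else:
            raise ValueError("no cipher list known for backend %r" % backend)
    return 'ciphers = "%s"' % spec


if __name__ == "__main__":
    for sample in (CENTOS6_VERSION, UPSTREAM_VERSION):
        backend = detect_backend(sample)
        print("backend:", backend)
        if backend == "NSS":
            print("  weak NSS names:", weak_nss_ciphers(NSS_SPEC))
        else:
            print("  suites enabled:", len(expand_openssl_spec(OPENSSL_SPEC)))
            print("  weak survivors:", weak_openssl_ciphers(OPENSSL_SPEC))
        print("  " + curlrc_line(backend))
```

Run it with a real `curl --version` piped in (for example `detect_backend(subprocess.check_output(["curl", "--version"], text=True))`) to see which branch applies on the VPS; on a CentOS 6 host it will pick the NSS list. Note that a `ciphers` line in `~/.curlrc` only affects the curl command-line tool run by that user, not other programs linked against libcurl, which is why system-wide enforcement needs the library's defaults or the backend's own policy rather than a per-user config file.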