Bug #76929 for IO-Socket-SSL: strengthening server SSL

Tue May 01 18:51:55 2012 d.thomas [...] its.uq.edu.au - Ticket created

Subject:

strengthening server SSL

I recently made use of the SSL Pulse tool to report on some of our https servers. Most of these are apache but I did test Mojolicious which is a perl event-based server making use of IO::Socket::SSL. Before I mention the specific items reported, would it make sense for the IO::Socket::SSL docs to include a section mentioning configuration items that could improve security ? Perhaps one section for client and another for server. It's the latter I'm most interested in. Then again maybe there's some debate about the significance of what they choose to report. Rather than change current defaults or have other authors setting up options, maybe you could add something like: use_more_secure_server_defaults That's if you were happy accepting that responsibility. One advantage of providing such functionality could be if the best options needed to be based on the openssl version/capabilities. So on RHEL5 with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008. perl 5.14.2, IO::Socket::SSL 1.62, Net::SSLeay 1.47, Mojolicious 2.8.5 https://www.ssllabs.com/ssltest/analyze.html?d=mojo-ssl-test.its.uq.edu.au TLS 1.2 No TLS 1.1 No SSL 2.0 INSECURE SSL_RC4_128_EXPORT40_WITH_MD5 (0x20080) WEAK SSL_RC2_128_CBC_EXPORT40_WITH_MD5 (0x40080) WEAK SSL_DES_64_CBC_WITH_MD5 (0x60040) WEAK TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK Session resumption No (IDs assigned but not accepted) BEAST attack Vulnerable INSECURE (more info) Secure Renegotiation Supported, with client-initiated renegotiation enabled DoS DANGER (more info) The first 2 slightly reduce the rating but are not considered significant because a lot of deployed software doesn't support versions of TLS past 1.0 The WEAK ciphers were removed by adding this to mojolicious SSL_cipher_list => 'ALL:!LOW:!EXP:!ADH', taken from IO::Socket::SSL docs However attempts to remove SSLv2 by trying things like this in the options mojolicious uses SSL_version => 'SSLv3', SSL_version => 'TLSv1', SSL_version => 'SSLv3 TLSv1', SSL_version => '!SSLv2,SSLv3,TLSv1', # based on OpenSSL docs didn't work. In fact the first 2 resulted in the mojolicious server not responding to https. That could be a problem with that software, but is there some way to be as flexible with SSL_version as openssl itself is, as is the case with SSL_cipher_list ? If that was the case you could use something like SSL_version => '-ALL -SSLv2 +SSLv3 +TLSv1' However I think Session resumption BEAST attack Secure Renegotiation need low-level access and I'm not sure Net::SSLeay provides all of these, e.g. BEAST mitigation requires the server to use it's cipher order rather than what client offers.

Wed May 02 19:45:34 2012 d.thomas [...] its.uq.edu.au - Correspondence added

From:

d.thomas [...] its.uq.edu.au

Show quoted text

> However I think > Session resumption

just to show my ignorance, on apache this becomes enabled by SSLSessionCache shm:/var/tmp/ssl_gcache_data(512000) which allows the processes to share SSL session info. So this is really something in the application rather than SSL

Mon May 07 05:45:22 2012 Steffen_Ullrich [...] genua.de - Correspondence added

Show quoted text

> However attempts to remove SSLv2 by trying things like this > in the options mojolicious uses > SSL_version => 'SSLv3', > SSL_version => 'TLSv1', > SSL_version => 'SSLv3 TLSv1', > SSL_version => '!SSLv2,SSLv3,TLSv1', # based on OpenSSL docs > didn't work. In fact the first 2 resulted in the mojolicious > server not responding to https. That could be a problem with > that software, but is there some way to be as flexible with > SSL_version as openssl itself is, as is the case with > SSL_cipher_list ? > If that was the case you could use something like > SSL_version => '-ALL -SSLv2 +SSLv3 +TLSv1'

they key is to use SSL_cipher_list. I made the default for 1.67 now to ALL:!LOW which gives me a good picture with SSL pulse. Show quoted text

> BEAST attack

I've added a new configuration key SSL_honor_cipher_order which can be used to mitigate BEAST attack. Example is in the documentation. Show quoted text

> Session resumption > Secure Renegotiation

I will look into these later

Mon May 07 05:45:23 2012 The RT System itself - Status changed from 'new' to 'open'

Mon May 07 07:31:10 2012 paul [...] city-fan.org - Correspondence added

From:

paul [...] city-fan.org

On Mon May 07 05:45:22 2012, SULLR wrote: Show quoted text

>

> > However attempts to remove SSLv2 by trying things like this > > in the options mojolicious uses > > SSL_version => 'SSLv3', > > SSL_version => 'TLSv1', > > SSL_version => 'SSLv3 TLSv1', > > SSL_version => '!SSLv2,SSLv3,TLSv1', # based on OpenSSL docs > > didn't work. In fact the first 2 resulted in the mojolicious > > server not responding to https. That could be a problem with > > that software, but is there some way to be as flexible with > > SSL_version as openssl itself is, as is the case with > > SSL_cipher_list ? > > If that was the case you could use something like > > SSL_version => '-ALL -SSLv2 +SSLv3 +TLSv1'

> > they key is to use SSL_cipher_list. > I made the default for 1.67 now to ALL:!LOW which gives me a good > picture with SSL pulse.

The changes in 1.67 appear to have broken t/dhe.t and t/npn.t with openssl 1.0.1 (attached build log is with 1.0.1b).

Subject:

build.log

Message body is not shown because it is too large.

Mon May 07 09:03:37 2012 Steffen_Ullrich [...] genua.de - Correspondence added

Show quoted text

> > The changes in 1.67 appear to have broken t/dhe.t and t/npn.t with > openssl 1.0.1 (attached build log is with 1.0.1b).

Thanks for reporting. After disabling SSLv2 in default cipher list also it seems to work again.

Mon May 07 14:54:19 2012 paul [...] city-fan.org - Correspondence added

From:

paul [...] city-fan.org

On Mon May 07 09:03:37 2012, SULLR wrote: Show quoted text

> > The changes in 1.67 appear to have broken t/dhe.t and t/npn.t with > > openssl 1.0.1 (attached build log is with 1.0.1b).

> > Thanks for reporting. > After disabling SSLv2 in default cipher list also it seems to work again.

t/dhe.t still not working but restoring the fix from RT#75165 (attached) fixes it for me.

Subject:

IO-Socket-SSL-1.68-dhe.patch

--- t/dhe.t +++ t/dhe.t @@ -32,6 +32,11 @@ SSL_cert_file => "certs/server-rsa384-dh.pem", SSL_key_file => "certs/server-rsa384-dh.pem", SSL_dh_file => "certs/server-rsa384-dh.pem", + # openssl 1.0.1(beta2) complains about the rsa key too small, unless + # we explicitly set version to tlsv1 or sslv3 + # unfortunatly the workaround fails for older openssl versions :( + (Net::SSLeay::OPENSSL_VERSION_NUMBER() >= 0x10001000) + ? ( SSL_version => 'tlsv1' ):() ) || do { notok($!); exit

Mon May 07 15:11:28 2012 Steffen_Ullrich [...] genua.de - Correspondence added

Subject:	Re: [rt.cpan.org #76929] strengthening server SSL
Date:	Mon, 7 May 2012 21:11:12 +0200
To:	"paul [...] city-fan.org via RT" <bug-IO-Socket-SSL [...] rt.cpan.org>
From:	Steffen Ullrich <Steffen_Ullrich [...] genua.de>

Show quoted text

> > Thanks for reporting. > > After disabling SSLv2 in default cipher list also it seems to work again.

> > t/dhe.t still not working but restoring the fix from RT#75165 (attached) > fixes it for me.

strange. But this fix seems to make problems for others, so I was happy to get rid of it. It looks like that it depends somehow on the openssl built options. I did a built on linux with default settings and it works for me (openssl 1.01 release), what are your settings? Regards, Steffen

Mon May 07 15:43:50 2012 paul [...] city-fan.org - Correspondence added

From:

paul [...] city-fan.org

On Mon May 07 15:11:28 2012, SULLR wrote: Show quoted text

> > > Thanks for reporting. > > > After disabling SSLv2 in default cipher list also it seems to work

> again.

> > > > t/dhe.t still not working but restoring the fix from RT#75165

> (attached)

> > fixes it for me.

> > strange. > But this fix seems to make problems for others, so I was happy to get > rid of it. > It looks like that it depends somehow on the openssl built options. > I did a built on linux with default settings and it works for me > (openssl 1.01 release), what are your settings?

It's the Fedora Rawhide build, whcih is quite heavily patched: http://pkgs.fedoraproject.org/gitweb/?p=openssl.git;a=tree (the build process is contained in the openssl.spec file). Here's the ciphers list: $ openssl ciphers DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-DES-CBC3-MD5:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-IDEA-CBC-MD5:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:KRB5-DES-CBC-SHA:KRB5-DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-KRB5-RC4-MD5

Mon May 07 17:28:10 2012 d.thomas [...] its.uq.edu.au - Correspondence added

Subject:	Re: [rt.cpan.org #76929] strengthening server SSL
Date:	Mon, 7 May 2012 21:27:56 +0000
To:	"<bug-IO-Socket-SSL [...] rt.cpan.org>" <bug-IO-Socket-SSL [...] rt.cpan.org>
From:	Danny Thomas <d.thomas [...] its.uq.edu.au>

have just tried 1.68 On 07/05/2012, at 7:45 PM, Steffen Ullrich via RT wrote: Show quoted text

>> BEAST attack

> > I've added a new configuration key SSL_honor_cipher_order which can be > used to mitigate BEAST attack. Example is in the documentation.

works for me the example for SSL_honor_cipher_order SSL_cipher_list => 'RC4-SHA:ALL:!ADH:!LOW', I think this is OK but it's better to put the negated items first so they can never get used Previously reported that setting SSL_version did not work. It's possible this happened because the cipher list at that time did not include any ciphers the protocol could use. Show quoted text

>v1.68 2012.05.07 >- remove SSLv2 from default cipher list

Currently not setting SSL_version still seems to have SSLv2 enabled as reported by SSL Pulse SSL 2.0 Yes N (*) N next to protocol version means the protocol has no cipher suites enabled NB in this case the "N" comes from the list suggested by our local expert explicitly excluding SSLv2 ciphers '!aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:!LOW:RC4-SHA:RC4-MD5:ALL' SSLv2 disappears completely from the report when I use SSL_version => 'SSLv3', but that also means TLSv1.0 not offered which decreases score by 5, see my posting https://community.qualys.com/message/14184 and in any case for now I would like SSLv3 AND TLSv1.0. thanks Danny FYI from the author of Net::SSLeay Show quoted text

>> and Secure Renegotiation with Net::SSLeay, because I have >> another app that uses those features.

> > how do you do that, i.e. disable client-initiated renegotiation

There are a few options that are relevant: SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION

Tue May 08 02:05:51 2012 Steffen_Ullrich [...] genua.de - Correspondence added

Subject:	Re: [rt.cpan.org #76929] strengthening server SSL
Date:	Tue, 8 May 2012 08:05:25 +0200
To:	"d.thomas [...] its.uq.edu.au via RT" <bug-IO-Socket-SSL [...] rt.cpan.org>
From:	Steffen Ullrich <Steffen_Ullrich [...] genua.de>

Show quoted text

> the example for SSL_honor_cipher_order > SSL_cipher_list => 'RC4-SHA:ALL:!ADH:!LOW', > I think this is OK but it's better to put the negated > items first so they can never get used

If I understand http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS right the order does not matter for the "!" modifier. Otherwise things like ALL:!LOW would not work (but they do). Show quoted text

> Previously reported that setting SSL_version did not > work. It's possible this happened because the cipher > list at that time did not include any ciphers the > protocol could use.

SSL_version is not the same as SSL_cipher_list and can not be a combination of multiple versions, so only SSLv3, SSLv2 or TLSv1 can be specified (this is documented this way). All what it does is to create an SSL_context so that it will only speak the specified version and nothing else, see http://www.openssl.org/docs/ssl/SSL_CTX_new.html Show quoted text

> >v1.68 2012.05.07 > >- remove SSLv2 from default cipher list

> Currently not setting SSL_version still seems to > have SSLv2 enabled as reported by SSL Pulse > SSL 2.0 Yes N > (*) N next to protocol version means the protocol has no cipher suites enabled

I don't get this with my tests, I get "SSL 2.0 No", but "SSL 2.0+ upgrade support YES". I don't know why you get something else, maybe it depends on the used openssl version. Show quoted text

> > NB in this case the "N" comes from the list suggested > by our local expert explicitly excluding SSLv2 ciphers > '!aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:!LOW:RC4-SHA:RC4-MD5:ALL' > > > SSLv2 disappears completely from the report when I use > SSL_version => 'SSLv3', > but that also means TLSv1.0 not offered which decreases > score by 5, see my posting > https://community.qualys.com/message/14184 > and in any case for now I would like SSLv3 AND TLSv1.0.

SSLv2 is more than just ciphers. I think it is quite common to be able to speak the SSLv2 base protocol but don't offer SSLv2 ciphers and then upgrade the protocol. This is "SSL 2.0+ upgrade support" and even sslabs.com itself offers it. But yes, SSL isn't easy to understand and the OpenSSL documentation might profite from improvements too :) Regards, Steffen

Tue May 08 03:09:32 2012 d.thomas [...] its.uq.edu.au - Correspondence added

Subject:	Re: [rt.cpan.org #76929] strengthening server SSL
Date:	Tue, 8 May 2012 07:09:06 +0000
To:	"<bug-IO-Socket-SSL [...] rt.cpan.org>" <bug-IO-Socket-SSL [...] rt.cpan.org>
From:	Danny Thomas <d.thomas [...] its.uq.edu.au>

On 08/05/2012, at 4:05 PM, Steffen Ullrich via RT wrote: Show quoted text

> If I understand http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS > right the order does not matter for the "!" modifier. Otherwise things > like ALL:!LOW would not work (but they do).

I thought wrong Show quoted text

> SSL_version is not the same as SSL_cipher_list and can not be > a combination of multiple versions, so only SSLv3, SSLv2 or > TLSv1 can be specified (this is documented this way). > All what it does is to create an SSL_context so that it will only > speak the specified version and nothing else, see > http://www.openssl.org/docs/ssl/SSL_CTX_new.html

I had noticed the regex being used to choose a context so couldn't understand how you'd be able to support multiple protocols. Things make a bit more sense now http://www.openssl.org/docs/ssl/SSL_CTX_new.html ------------------------------------------------ SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void) A TLS/SSL connection established with these methods will understand the SSLv2, SSLv3, and TLSv1 protocol. A client will send out SSLv2 client hello messages and will indicate that it also understands SSLv3 and TLSv1. A server will understand SSLv2, SSLv3, and TLSv1 client hello messages. This is the best choice when compatibility is a concern. The list of protocols available can later be limited using the SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1 options of the SSL_CTX_set_options() or SSL_set_options() functions. Using these options it is possible to choose e.g. SSLv23_server_method() and be able to negotiate with all possible clients, but to only allow newer protocols like SSLv3 or TLSv1. ------------------------------------------------ so I think we want to keep the default SSLv23_method for SSL_version but apply CTX_set_options(SSL_OP_NO_SSLv2) similar to what was just added Net::SSLeay::CTX_set_options($ctx, Net::SSLeay::OP_ALL()); if ( $arg_hash->{SSL_honor_cipher_order} ) { Net::SSLeay::CTX_set_options($ctx, 0x00400000); } but not sure how that would appear in API Show quoted text

>>> v1.68 2012.05.07 >>> - remove SSLv2 from default cipher list

>> Currently not setting SSL_version still seems to >> have SSLv2 enabled as reported by SSL Pulse >> SSL 2.0 Yes N >> (*) N next to protocol version means the protocol has no cipher suites enabled

> > I don't get this with my tests, I get "SSL 2.0 No", but > "SSL 2.0+ upgrade support YES". > I don't know why you get something else, maybe it depends on > the used openssl version.

could be but that's another reason I want to be sure I'm really disabling SSLv2 Show quoted text

> SSLv2 is more than just ciphers. > I think it is quite common to be able to speak the SSLv2 base > protocol but don't offer SSLv2 ciphers and then upgrade the > protocol. This is "SSL 2.0+ upgrade support" and even sslabs.com > itself offers it.

excluding the SSLv2 ciphers when supporting SSLv2 protocol is treated by ssllabs as being safe. I think this is useful when you can't be sure you've disabled the SSLv2 protocol Danny

Tue May 08 04:25:58 2012 Steffen_Ullrich [...] genua.de - Correspondence added

Subject:	Re: [rt.cpan.org #76929] strengthening server SSL
Date:	Tue, 8 May 2012 10:25:31 +0200
To:	"paul [...] city-fan.org via RT" <bug-IO-Socket-SSL [...] rt.cpan.org>
From:	Steffen Ullrich <Steffen_Ullrich [...] genua.de>

Show quoted text

> > > > > > t/dhe.t still not working but restoring the fix from RT#75165

> > (attached)

> > > fixes it for me.

I've reenabled the fix in 1.69. Thanks, Steffen

Tue May 08 05:24:02 2012 Steffen_Ullrich [...] genua.de - Correspondence added

Subject:	Re: [rt.cpan.org #76929] strengthening server SSL
Date:	Tue, 8 May 2012 11:23:41 +0200
To:	"d.thomas [...] its.uq.edu.au via RT" <bug-IO-Socket-SSL [...] rt.cpan.org>
From:	Steffen Ullrich <Steffen_Ullrich [...] genua.de>

Show quoted text

> so I think we want to keep the default SSLv23_method for SSL_version > but apply > CTX_set_options(SSL_OP_NO_SSLv2) > similar to what was just added > Net::SSLeay::CTX_set_options($ctx, Net::SSLeay::OP_ALL()); > if ( $arg_hash->{SSL_honor_cipher_order} ) { > Net::SSLeay::CTX_set_options($ctx, 0x00400000); > } > > but not sure how that would appear in API

with 1.70 you should now be able to set SSL_version to 'SSLv23:!SSLv2' (which is now the default), so that it can talk SSLv2, SSLv3 and TLSv1 during the initial handshake but will not commit to SSLv2, so that the peer needs to speak SSLv3 or TLSv1.

Tue May 08 13:32:58 2012 paul [...] city-fan.org - Correspondence added

From:

paul [...] city-fan.org

On Tue May 08 04:25:58 2012, SULLR wrote: Show quoted text

> > > > > > > > t/dhe.t still not working but restoring the fix from RT#75165

> > > (attached)

> > > > fixes it for me.

> > I've reenabled the fix in 1.69.

Works for me, thanks (1.70 too).

Tue May 08 19:03:44 2012 d.thomas [...] its.uq.edu.au - Correspondence added

CC:	"behroozi [...] www.pls.uni.edu" <behroozi [...] www.pls.uni.edu>
Subject:	Re: [rt.cpan.org #76929] strengthening server SSL
Date:	Tue, 8 May 2012 23:03:28 +0000
To:	"<bug-IO-Socket-SSL [...] rt.cpan.org>" <bug-IO-Socket-SSL [...] rt.cpan.org>
From:	Danny Thomas <d.thomas [...] its.uq.edu.au>

On 08/05/2012, at 7:24 PM, Steffen Ullrich via RT wrote: Show quoted text

> with 1.70 you should now be able to set SSL_version to 'SSLv23:!SSLv2' > (which is now the default), so that it can talk SSLv2, SSLv3 and TLSv1 > during the initial handshake but will not commit to SSLv2, so that the > peer needs to speak SSLv3 or TLSv1.

just tried 1.70 out of box reported SSL v2.0 Yes N BEAST vulnerable adding these to Mojolicious SSL_version => 'SSLv23:!SSLv2', SSL_cipher_list => '!aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:!LOW:RC4-SHA:RC4-MD5:ALL', SSL_honor_cipher_order => 1, only removed BEAST vulnerability (as well as adding 2 extra ciphers) however SSLv2 was disabled by changing Net::SSLeay::CTX_set_options($ctx, Net::SSLeay::OP_ALL() & ! $disable_ver ); to Net::SSLeay::CTX_set_options($ctx, 0x01000000); or Net::SSLeay::CTX_set_options($ctx, $disable_ver ) if $disable_ver; Danny Show quoted text

> I don't know why you get something else, maybe it depends on > the used openssl version.

also some people, probably an increasing number, build openssl without SSLv2 at all. I doubt that's the case on RHEL5 unless RedHat did this in a patch.

Wed May 09 04:42:16 2012 Steffen_Ullrich [...] genua.de - Correspondence added

Subject:	Re: [rt.cpan.org #76929] strengthening server SSL
Date:	Wed, 9 May 2012 10:41:54 +0200
To:	"d.thomas [...] its.uq.edu.au via RT" <bug-IO-Socket-SSL [...] rt.cpan.org>
From:	Steffen Ullrich <Steffen_Ullrich [...] genua.de>

Hi, issue should be fixed with 1.71. I tested it was various OpenSSL versions. Show quoted text

> just tried 1.70 > > out of box reported > SSL v2.0 Yes N > BEAST vulnerable

Wed May 09 17:22:42 2012 d.thomas [...] its.uq.edu.au - Correspondence added

Subject:	Re: [rt.cpan.org #76929] strengthening server SSL
Date:	Wed, 9 May 2012 21:22:21 +0000
To:	"<bug-IO-Socket-SSL [...] rt.cpan.org>" <bug-IO-Socket-SSL [...] rt.cpan.org>
From:	Danny Thomas <d.thomas [...] its.uq.edu.au>

On 09/05/2012, at 6:42 PM, Steffen Ullrich via RT wrote: Show quoted text

> issue should be fixed with 1.71.

unfortunately not let's see exactly what options are set --------------------------------------------------- open my $fh99, ">/tmp/ctx.options" or die "ctx.options $!"; printf $fh99 "after context init: options 0x%08x\n", Net::SSLeay::CTX_get_options($ctx); Net::SSLeay::CTX_set_options($ctx, Net::SSLeay::OP_ALL() | $disable_ver ); printf $fh99 "after disable_ver: options 0x%08x\n", Net::SSLeay::CTX_get_options($ctx); if ( $arg_hash->{SSL_honor_cipher_order} ) { Net::SSLeay::CTX_set_options($ctx, 0x00400000); } printf $fh99 "after (possible) SSL_honor_cipher_order: options 0x%08x\n", Net::SSLeay::CTX_get_options($ctx); close $fh99; straight 1.71, Mojolicious uses its default options --------------------------------------------------- after context init: options 0x00000004 SSL_OP_LEGACY_SERVER_CONNECT after disable_ver: options 0x01000ff7 SSL_OP_ALL - SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG, i.e. SSL_OP_MICROSOFT_SESS_ID_BUG SSL_OP_NETSCAPE_CHALLENGE_BUG SSL_OP_LEGACY_SERVER_CONNECT SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER SSL_OP_MSIE_SSLV2_RSA_PADDING SSL_OP_SSLEAY_080_CLIENT_DH_BUG SSL_OP_TLS_D5_BUG SSL_OP_TLS_BLOCK_PADDING_BUG SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SSLv2 after (possible) SSL_honor_cipher_order: options 0x01000ff7 <no-change> SSL Pulse reports TLS 1.0: Yes (just FYI) SSL 3.0: Yes (just FYI) SSL 2.0: No BEAST attack: Vulnerable The vulnerability happens because there are no RC4 ciphers from use constant DEFAULT_CIPHER_LIST => 'HIGH:!LOW'; at least in RHEL5 openssl. The report lists 3 ciphers all of them CBC which are the ones vulnerable; RC4 must be there & first TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA set SSL_honor_cipher_order in Mojolicious --------------------------------------------------- after context init: options 0x00000004 <as-originally> after disable_ver: options 0x01000ff7 <as-originally> after (possible) SSL_honor_cipher_order: options 0x01400ff7 +SSL_OP_CIPHER_SERVER_PREFERENCE SSL Pulse reports TLS 1.0: Yes (just FYI) SSL 3.0: Yes (just FYI) SSL 2.0: No BEAST attack: Vulnerable set SSL_honor_cipher_order in Mojolicious from https://community.qualys.com/message/12570 DEFAULT_CIPHER_LIST => 'RC4-SHA:HIGH:!ADH'; --------------------------------------------------- after context init: options 0x00000004 <as-originally> after disable_ver: options 0x01000ff7 <as-originally> after (possible) SSL_honor_cipher_order: options 0x01400ff7 +SSL_OP_CIPHER_SERVER_PREFERENCE SSL Pulse reports TLS 1.0: Yes (just FYI) SSL 3.0: Yes (just FYI) SSL 2.0: No BEAST attack: Not vulnerable The report now lists 4 ciphers TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA now disable SSL_honor_cipher_order in Mojolicious from https://community.qualys.com/message/12570 DEFAULT_CIPHER_LIST => 'RC4-SHA:HIGH:!ADH'; --------------------------------------------------- after context init: options 0x00000004 <as-originally> after disable_ver: options 0x01000ff7 <as-originally> after (possible) SSL_honor_cipher_order: options 0x01000ff7 <as-originally> SSL Pulse reports TLS 1.0: Yes (just FYI) SSL 3.0: Yes (just FYI) SSL 2.0: No BEAST attack: Vulnerable The report still lists 4 ciphers, but "server has no preference" TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA just for the fun of it, let's try disabling TLSv1.0 set SSL_honor_cipher_order in Mojolicious DEFAULT_CIPHER_LIST => 'RC4-SHA:HIGH:!ADH'; SSL_version => 'SSLv23:!TLSv1', (set in Mojolicious) --------------------------------------------------- after context init: options 0x00000004 <as-originally> after disable_ver: options 0x04000ff7 SSL_OP_NO_TLSv1 SSL_OP_ALL - SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG after (possible) SSL_honor_cipher_order: options 0x04400ff7 +SSL_OP_CIPHER_SERVER_PREFERENCE SSL Pulse reports TLS 1.0: No SSL 3.0: Yes (just FYI) SSL 2.0: Yes BEAST attack: Vulnerable set SSL_honor_cipher_order in Mojolicious DEFAULT_CIPHER_LIST => 'RC4-SHA:HIGH:!ADH'; replace Net::SSLeay::CTX_set_options($ctx, Net::SSLeay::OP_ALL() | $disable_ver ); by Net::SSLeay::CTX_set_options($ctx, $disable_ver ) if $disable_ver; --------------------------------------------------- after context init: options 0x00000004 <as-originally> after disable_ver: options 0x01000004 SSL_OP_LEGACY_SERVER_CONNECT SSL_OP_NO_SSLv2 after (possible) SSL_honor_cipher_order: options 0x01400004 +SSL_OP_CIPHER_SERVER_PREFERENCE SSL Pulse reports TLS 1.0: Yes (just FYI) SSL 3.0: Yes (just FYI) SSL 2.0: No BEAST attack: Not vulnerable That one-line change removes these options (which don't sound good) SSL_OP_MICROSOFT_SESS_ID_BUG SSL_OP_NETSCAPE_CHALLENGE_BUG SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER SSL_OP_MSIE_SSLV2_RSA_PADDING SSL_OP_SSLEAY_080_CLIENT_DH_BUG SSL_OP_TLS_D5_BUG SSL_OP_TLS_BLOCK_PADDING_BUG SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

Thu May 10 01:39:45 2012 Steffen_Ullrich [...] genua.de - Correspondence added

Subject:	Re: [rt.cpan.org #76929] strengthening server SSL
Date:	Thu, 10 May 2012 07:39:20 +0200
To:	"d.thomas [...] its.uq.edu.au via RT" <bug-IO-Socket-SSL [...] rt.cpan.org>
From:	Steffen Ullrich <Steffen_Ullrich [...] genua.de>

On Wed, May 09, 2012 at 05:22:43PM -0400, "d.thomas@its.uq.edu.au via RT" <bug-IO-Socket-SSL@rt.cpan.org> wrote: Show quoted text

> Queue: IO-Socket-SSL > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=76929 > > > > On 09/05/2012, at 6:42 PM, Steffen Ullrich via RT wrote: >

> > issue should be fixed with 1.71.

> unfortunately not

I ment the issue with not disabling SSLv2, which was fixed: Show quoted text

> after disable_ver: options 0x01000ff7 > ... > SSL_OP_NO_SSLv2

Show quoted text

> set SSL_honor_cipher_order in Mojolicious > DEFAULT_CIPHER_LIST => 'RC4-SHA:HIGH:!ADH'; > replace > Net::SSLeay::CTX_set_options($ctx, Net::SSLeay::OP_ALL() | $disable_ver ); > by > Net::SSLeay::CTX_set_options($ctx, $disable_ver ) if $disable_ver;

The BEAST attack will not be protected against by default (but it is documented in SSL.pm how to protect yourself), and I better still use all the workarounds included in Net::SSLeay::OP_ALL. While it would be nice to throw all the legacy stuff and workarounds over board it would probably break some systems, which is not what I want. I think disabling SSLv2 and weak ciphers is necessary (newer openssl versions have SSLv2 disabled by default), but everything else might have unintended consequences. As for taming the BEAST: not everyone likes RC4 and some might have it disabled. In this case the workaround would just cause connection failures, and other workarounds needs to be used. See http://www.net-security.org/article.php?id=1638. Therefore I don't like the workaround included by default. Regards, Steffen

Thu May 10 14:56:31 2012 paul [...] city-fan.org - Correspondence added

From:

paul [...] city-fan.org

On Tue May 08 13:32:58 2012, paul@city-fan.org wrote: Show quoted text

> On Tue May 08 04:25:58 2012, SULLR wrote:

> > > > > > > > > > t/dhe.t still not working but restoring the fix from RT#75165

> > > > (attached)

> > > > > fixes it for me.

> > > > I've reenabled the fix in 1.69.

> > Works for me, thanks (1.70 too).

t/dhe.t is failing for me with 1.72 on a small range of openssl versions. Symptoms are: t/dhe......................1..3 ok # [server] Server Initialization not ok # [client] connect failed: IO::Socket::INET6 configuration failed error:00000000:lib(0):func(0):reason(0) not ok # [server] accept failed: SSL connect accept failed because of handshake problems error:00000000:lib(0):func(0):reason(0) FAILED tests 2-3 Failed 2/3 tests, 33.33% okay 0.9.7f PASSES 0.9.8a FAILS 0.9.8b FAILS 0.9.8g PASSES Unfortunately I don't have any other versions between 0.9.7f and 0.9.8g to test with. 1.71 passes in all of these environments.

Fri May 11 01:57:11 2012 Steffen_Ullrich [...] genua.de - Correspondence added

Subject:	Re: [rt.cpan.org #76929] strengthening server SSL
Date:	Fri, 11 May 2012 07:56:45 +0200
To:	"paul [...] city-fan.org via RT" <bug-IO-Socket-SSL [...] rt.cpan.org>
From:	Steffen Ullrich <Steffen_Ullrich [...] genua.de>

Show quoted text

> 0.9.8a FAILS > 0.9.8b FAILS

which Net::SSLeay versions did you use in this cases? The latest Net::SSLeay fails some tests if I try to use it with 0.9.8b on x64_86. And 0.9.8k passes for me the tests. Or can you give me access to a system using this old version or link me to an image or OS, which I can run/install in a VM, which uses this version? Regards, Steffen

Fri May 11 06:36:59 2012 paul [...] city-fan.org - Correspondence added

From:

paul [...] city-fan.org

On Fri May 11 01:57:11 2012, SULLR wrote: Show quoted text

> > 0.9.8a FAILS > > 0.9.8b FAILS

> > which Net::SSLeay versions did you use in this cases? > The latest Net::SSLeay fails some tests if I try to use it with 0.9.8b > on x64_86. And 0.9.8k passes for me the tests.

I've been building with 1.48 (latest) on x86_64 but I got the same result with 1.30. I also got the same result building on i386 and when using IO::Socket::INET instead of IO::Socket::INET6. Show quoted text

> Or can you give me access to a system using this old version or link > me to an image or OS, which I can run/install in a VM, which uses this > version?

I do my builds in a chroot'ed build environment. The target OS releases with the problems are Fedora releases 5, 6, 7 and 8. Older and newer releases all work OK. I've also done builds on CentOS 5, which is of a similar age to these builds and uses OpenSSL 0.9.8e and that works OK. If you have IPv6 connectivity I can give you a shell on my build machine and tell you how to run builds. It's possible to poke around the chroot environment and try things for debugging purposes.

Fri Nov 30 02:48:48 2012 Steffen_Ullrich [...] genua.de - Correspondence added

I think the problem should be closed now. There are sane defaults and better documentation

Fri Nov 30 02:48:49 2012 Steffen_Ullrich [...] genua.de - Status changed from 'open' to 'resolved'