
DNS-TLS Vulnerability(s) #1384

Closed
iganeshk opened this issue Jan 30, 2020 · 4 comments
@iganeshk

Issue Details

So I ran the https://github.com/drwetter/testssl.sh tool against the DNS-o-TLS port (853).

  • Version of AdGuard Home server:
    • v0.100.9
  • How did you setup DNS configuration:
    • System (Server)
  • Operating system and version:
    • Debian Buster

Vulnerabilities Information

SWEET32 (CVE-2016-2183, CVE-2016-6329)    VULNERABLE, uses 64 bit block ciphers
LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches

LUCKY13 could be ignored?

Additional Information

Shouldn't be offering:

Triple DES Ciphers / IDEA                     offered
Obsolete: SEED + 128+256 Bit CBC cipher       offered

Possibility to have OCSP Stapling?

OCSP stapling                not offered
@ameshkov
Member

Possibility to have OCSP Stapling?

Yeah, that's possible, but this should be a separate feature request.

@xDazld

xDazld commented Mar 24, 2022

With v0.107.5 installed from Snapcraft, testssl is still throwing the same warning. Can this be double checked?

Output from testssl
Testing protocols via sockets except NPN+ALPN 

SSLv2      not offered (OK)
SSLv3      not offered (OK)
TLS 1      not offered
TLS 1.1    not offered
TLS 1.2    offered (OK)
TLS 1.3    offered (OK): final
NPN/SPDY   not offered
ALPN/HTTP2 not offered

Testing cipher categories 

NULL ciphers (no encryption)                  not offered (OK)
Anonymous NULL Ciphers (no authentication)    not offered (OK)
Export ciphers (w/o ADH+NULL)                 not offered (OK)
LOW: 64 Bit + DES, RC[2,4] (w/o export)       not offered (OK)
Triple DES Ciphers / IDEA                     offered
Obsolete CBC ciphers (AES, ARIA etc.)         offered
Strong encryption (AEAD ciphers)              offered (OK)


Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 

PFS is offered (OK)          TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA
                             ECDHE-RSA-CHACHA20-POLY1305 TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA 
Elliptic curves offered:     prime256v1 secp384r1 secp521r1 X25519 


Testing server preferences 

Has server cipher order?     no (NOT ok)
Negotiated protocol          TLSv1.3
Negotiated cipher            TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) (limited sense as client will pick)
Negotiated cipher per proto  (limited sense as client will pick)
    ECDHE-RSA-AES256-GCM-SHA384:   TLSv1.2
    TLS_AES_256_GCM_SHA384:        TLSv1.3
No further cipher order check has been done as order is determined by the client


Testing server defaults (Server Hello) 

TLS extensions (standard)    "session ticket/#35" "renegotiation info/#65281" "EC point formats/#11" "supported versions/#43" "key share/#51"
Session Ticket RFC 5077 hint 604800 seconds but: PFS requires session ticket keys to be rotated < daily !
SSL Session ID support       yes
Session Resumption           Tickets: yes, ID: yes
TLS clock skew               Random values, no fingerprinting possible 
Signature Algorithm          SHA256 with RSA
Server key size              RSA 4096 bits
Server key usage             Digital Signature, Key Encipherment
Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
Serial                       redacted (OK: length 18)
Fingerprints                 SHA1 redacted
                             SHA256 redacted
Common Name (CN)             redacted 
subjectAltName (SAN)         redacted 
Issuer                       R3 (Let's Encrypt from US)
Trust (hostname)             Ok via SAN (same w/o SNI)
Chain of trust               Ok   
EV cert (experimental)       no 
ETS/"eTLS", visibility info  not present
Certificate Validity (UTC)   redacted
# of certificates provided   2
Certificate Revocation List  --
OCSP URI                     http://r3.o.lencr.org
OCSP stapling                not offered
OCSP must staple extension   --
DNS CAA RR (experimental)    available - please check for match with "Issuer" above: issue=letsencrypt.org
Certificate Transparency     yes (certificate extension)


Testing vulnerabilities 

Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
CCS (CVE-2014-0224)                       not vulnerable (OK)
Ticketbleed (CVE-2016-9244), experiment.  --   (applicable only for HTTPS)
ROBOT                                     not vulnerable (OK)
Secure Renegotiation (RFC 5746)           supported (OK)
Secure Client-Initiated Renegotiation     not vulnerable (OK)
CRIME, TLS (CVE-2012-4929)                not vulnerable (OK) (not using HTTP anyway)
POODLE, SSL (CVE-2014-3566)               not vulnerable (OK), no SSLv3 support
TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible (OK), no protocol below TLS 1.2 offered
SWEET32 (CVE-2016-2183, CVE-2016-6329)    VULNERABLE, uses 64 bit block ciphers
FREAK (CVE-2015-0204)                     not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                          make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                          https://censys.io/ipv4?q=redacted could help you to find out
LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


Testing 370 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength 

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384                             
x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                       
xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 253   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              
xc014   ECDHE-RSA-AES256-SHA              ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 
xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256        
x9d     AES256-GCM-SHA384                 RSA        AESGCM      256      TLS_RSA_WITH_AES_256_GCM_SHA384                    
x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA                       
x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256                             
xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 253   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256              
xc013   ECDHE-RSA-AES128-SHA              ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 
x9c     AES128-GCM-SHA256                 RSA        AESGCM      128      TLS_RSA_WITH_AES_128_GCM_SHA256                    
x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA                       
xc012   ECDHE-RSA-DES-CBC3-SHA            ECDH 253   3DES        168      TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA                
x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA                      

Could not determine the protocol, only simulating generic clients.

Running client simulations via sockets 

Android 4.4.2                TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 521 bit ECDH (P-521)
Android 5.0.0                TLSv1.2 ECDHE-RSA-AES256-SHA, 521 bit ECDH (P-521)
Android 6.0                  TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
Android 7.0 (native)         TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
Android 8.1 (native)         TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 253 bit ECDH (X25519)
Android 9.0 (native)         TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519)
Android 10.0 (native)        TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519)
Chrome 74 (Win 10)           TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519)
Chrome 79 (Win 10)           TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519)
Firefox 66 (Win 8.1/10)      TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519)
Firefox 71 (Win 10)          TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519)
IE 6 XP                      No connection
IE 8 Win 7                   No connection
IE 8 XP                      No connection
IE 11 Win 7                  TLSv1.2 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
IE 11 Win 8.1                TLSv1.2 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
IE 11 Win Phone 8.1          TLSv1.2 AES128-SHA, No FS
IE 11 Win 10                 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Edge 15 Win 10               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
Edge 17 (Win 10)             TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
Opera 66 (Win 10)            TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519)
Safari 9 iOS 9               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Safari 9 OS X 10.11          TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Safari 10 OS X 10.12         TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Safari 12.1 (iOS 12.2)       TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 253 bit ECDH (X25519)
Safari 13.0 (macOS 10.14.6)  TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 253 bit ECDH (X25519)
Apple ATS 9 iOS 9            TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Java 6u45                    No connection
Java 7u25                    No connection
Java 8u161                   TLSv1.2 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Java 11.0.2 (OpenJDK)        TLSv1.3 TLS_AES_128_GCM_SHA256, 256 bit ECDH (P-256)
Java 12.0.1 (OpenJDK)        TLSv1.3 TLS_AES_128_GCM_SHA256, 256 bit ECDH (P-256)
OpenSSL 1.0.2e               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
OpenSSL 1.1.0l (Debian)      TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
OpenSSL 1.1.1d (Debian)      TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
Thunderbird (68.3)           TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519)

@ainar-g
Contributor

ainar-g commented Mar 25, 2022

@xDazld, iirc, both SWEET32 and LUCKY13 have mitigations in Go stdlib. We've completely excluded all CBC ciphers in v0.108 betas, which is a breaking change (and thus will be released in the next “zero-major” version), but it resolves those completely.
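
The change ainar-g describes (dropping every CBC suite, which also takes the 3DES suites behind the SWEET32 finding with it) can be reproduced in Go's standard library, since `crypto/tls` is what a Go DNS-over-TLS listener negotiates with. The program below is an added example, not AdGuard Home's code: it builds a "legacy" cipher-suite list mirroring what testssl saw offered on port 853 in the report above and a hardened list containing only AEAD suites, generates a throwaway self-signed RSA certificate (constructed; the real server uses a Let's Encrypt RSA certificate), and runs in-memory TLS 1.2 handshakes to show a CBC-only client (ECDHE-RSA-AES256-SHA, as in the report) succeeding against the legacy list and being refused by the hardened one, while a stock client still negotiates an AEAD suite. The names `IsAEAD`, `HardenedCipherSuites`, `LegacyCipherSuites`, `Probe`, `CBCOnlyClient`, `DefaultClient` and the host name `dot.example.invalid` are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// IsAEAD reports whether an IANA suite name (as tls.CipherSuiteName returns it) is an
// AEAD suite; every other TLS 1.2 suite Go knows is CBC (LUCKY13 class) or 3DES (SWEET32).
func IsAEAD(name string) bool {
	return strings.Contains(name, "_GCM_") || strings.Contains(name, "CHACHA20_POLY1305")
}

// HardenedCipherSuites is Go's "secure" TLS 1.2 list with every CBC suite removed.
// TLS 1.3 suites are all AEAD and not configurable in Go, so they are skipped here.
func HardenedCipherSuites() []uint16 {
	var ids []uint16
	for _, cs := range tls.CipherSuites() {
		tls13Only := len(cs.SupportedVersions) == 1 && cs.SupportedVersions[0] == tls.VersionTLS13
		if !tls13Only && IsAEAD(cs.Name) {
			ids = append(ids, cs.ID)
		}
	}
	return ids
}

// LegacyCipherSuites mirrors the report above: AEAD suites plus AES-CBC and 3DES.
func LegacyCipherSuites() []uint16 {
	return append(HardenedCipherSuites(),
		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
		tls.TLS_RSA_WITH_AES_256_CBC_SHA, tls.TLS_RSA_WITH_AES_128_CBC_SHA,
		tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA)
}

// Both clients are pinned to TLS 1.2 because Config.CipherSuites only governs TLS 1.2.
// InsecureSkipVerify is only there because the test certificate below is self-signed.
var (
	CBCOnlyClient = &tls.Config{InsecureSkipVerify: true, MaxVersion: tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA}} // ECDHE-RSA-AES256-SHA
	DefaultClient = &tls.Config{InsecureSkipVerify: true, MaxVersion: tls.VersionTLS12}
	demoCert      = mustSelfSignedRSACert() // constructed; not the real server's certificate
)

func mustSelfSignedRSACert() tls.Certificate {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "dot.example.invalid"}, // placeholder name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Probe serves serverSuites over an in-memory pipe, handshakes once with client,
// and returns the negotiated suite or the handshake error.
func Probe(serverSuites []uint16, client *tls.Config) (uint16, error) {
	server := &tls.Config{Certificates: []tls.Certificate{demoCert}, CipherSuites: serverSuites,
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	sRaw, cRaw := net.Pipe()
	defer func() { sRaw.Close(); cRaw.Close() }()
	sRaw.SetDeadline(time.Now().Add(5 * time.Second)) // never hang the caller
	cRaw.SetDeadline(time.Now().Add(5 * time.Second))
	srv, cli := tls.Server(sRaw, server), tls.Client(cRaw, client)
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		cRaw.Close() // unblock the server goroutine if it is still writing its alert
		<-srvErr
		return 0, err
	}
	return cli.ConnectionState().CipherSuite, <-srvErr
}

func main() {
	show := func(label string, suites []uint16, client *tls.Config) {
		if id, err := Probe(suites, client); err != nil {
			fmt.Printf("%s: refused (%v)\n", label, err)
		} else {
			fmt.Printf("%s: %s\n", label, tls.CipherSuiteName(id))
		}
	}
	show("legacy   + CBC-only client", LegacyCipherSuites(), CBCOnlyClient)
	show("hardened + CBC-only client", HardenedCipherSuites(), CBCOnlyClient)
	show("hardened + default client ", HardenedCipherSuites(), DefaultClient)
}
```

The hardened list is derived by filtering `tls.CipherSuites()` by name rather than by copying IDs, so it tracks whatever AEAD suites the Go toolchain ships. Note that this only affects TLS 1.2: the report's TLS 1.3 clients already get `TLS_AES_*_GCM` or `TLS_CHACHA20_POLY1305` suites regardless, which is why the SWEET32 and LUCKY13 lines in testssl refer only to the TLS 1.2 offers.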

@xDazld

xDazld commented Mar 25, 2022

Got it, thanks.
