update infrastructure deployment to solve: Insecure ciphers are accepted by https://leastauthority.com #92

Closed
daira opened this Issue Aug 15, 2013 · 55 comments


@daira
Member
daira commented Aug 15, 2013

The default cipher list allows single-DES.

@daira daira was assigned Aug 15, 2013
@daira
Member
daira commented Aug 15, 2013

I can modify the list (see the https://github.com/LeastAuthority/leastauthority.com/commits/92-improve-cipher-list branch), but I'm still having trouble finding a list that will make the SSLlabs checker (or more importantly, me), happy. Part of the problem is that we're not setting the SSL_OP_CIPHER_SERVER_PREFERENCE flag, so the server is not enforcing that GCM and/or forward-secrecy ciphersuites are used where possible.

GCM is: https://en.wikipedia.org/wiki/Galois/Counter_Mode

@daira
Member
daira commented Aug 15, 2013

BTW, note that the SSLlabs checker gives wrong results if you change the config and re-test the website without clicking "Clear cache".

SSLlabs is: https://www.ssllabs.com/ssltest/analyze.html?d=leastauthority.com

@zookoatleastauthoritycom

I like these results:

https://www.ssllabs.com/ssltest/analyze.html?d=zooko.com

This is from nginx with this config:

ssl_session_cache shared:SSL:100m;
ssl_session_timeout 10000m;

ssl_prefer_server_ciphers on;

add_header Strict-Transport-Security max-age=100000;

server {
server_name zooko.com;

ssl_certificate_key /etc/ssl/private/zooko.com.key;
ssl_protocols TLSv1.1 TLSv1 TLSv1.2;
ssl_certificate /etc/ssl/my-certs/zooko.com.cer;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-ECDSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-ECDSA-AES128-SHA;

listen 443 default ssl;

rewrite ^ https://LeastAuthority.com redirect;
}
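Added example, not code from this thread or from the leastauthority.com deployment: a small model of what `ssl_prefer_server_ciphers on` (SSL_OP_CIPHER_SERVER_PREFERENCE in OpenSSL terms) changes about suite selection, plus a linter for explicit OpenSSL suite names like the ones in the config above. The classifier is a constructed approximation of OpenSSL's naming scheme; it does not understand keyword aliases such as HIGH or !aNULL, and the client lists are made up.

```python
# Constructed model of OpenSSL cipher-suite names as used in this thread,
# e.g. "ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA", "DES-CBC-SHA".
# It is an illustration, not OpenSSL's own parser.

def classify(name):
    """Return (kx, enc, weak) for one OpenSSL-style suite name.

    kx:   'ECDHE' or 'DHE' (ephemeral key exchange, forward secrecy)
          or 'RSA' (static RSA key transport, no forward secrecy)
    enc:  bulk-cipher label such as 'AES128-GCM', 'AES128', '3DES', 'DES', 'RC4'
    weak: True when the suite should never be offered (single DES, RC4,
          NULL encryption, export-grade)
    """
    parts = name.split("-")
    kx = "RSA"
    if parts[0] in ("ECDHE", "DHE", "EDH"):
        kx = "ECDHE" if parts[0] == "ECDHE" else "DHE"
        parts = parts[2:]          # drop key exchange and auth (RSA/ECDSA/DSS)
    if parts[0] == "EXP":
        return kx, "EXPORT", True
    body = "-".join(parts[:-1])    # strip the MAC/PRF suffix (SHA, SHA256, ...)
    if body.startswith("DES-CBC3"):
        enc = "3DES"               # triple DES: 112-bit effective strength
    elif body.startswith("DES-CBC"):
        enc = "DES"                # single DES: 56-bit, the suite this issue is about
    elif body.startswith("RC4"):
        enc = "RC4"
    elif body.startswith("NULL"):
        enc = "NULL"
    else:
        enc = body                 # e.g. AES128-GCM, AES128, AES256
    return kx, enc, enc in ("DES", "RC4", "NULL", "EXPORT")


def expand(cipher_string):
    """Split an ssl_ciphers / set_cipher_list string into an ordered list."""
    return [c for c in cipher_string.split(":") if c]


def lint(cipher_string):
    """Return (weak_suites, non_forward_secret_suites), both in list order."""
    suites = expand(cipher_string)
    weak = [s for s in suites if classify(s)[2]]
    no_fs = [s for s in suites if classify(s)[0] == "RSA"]
    return weak, no_fs


def negotiate(server_string, client_string, server_preference):
    """Return the suite a handshake would settle on, or None if no overlap.

    Without SSL_OP_CIPHER_SERVER_PREFERENCE the server walks the client's
    list in the client's order; with it, the server's own order wins.
    """
    server, client = expand(server_string), expand(client_string)
    preferred, other = (server, client) if server_preference else (client, server)
    for suite in preferred:
        if suite in other:
            return suite
    return None


# The final zooko.com list from this thread, and a constructed client that
# lists 3DES first, to show why server preference matters.
SERVER = "ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA"
CLIENT_3DES_FIRST = "DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:RC4-SHA"
# Constructed stand-in for a default list that still admits single DES.
LEGACY_DEFAULT = "AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA"

if __name__ == "__main__":
    print("weak / no-FS in legacy list:", lint(LEGACY_DEFAULT))
    print("client order wins:", negotiate(SERVER, CLIENT_3DES_FIRST, False))
    print("server order wins:", negotiate(SERVER, CLIENT_3DES_FIRST, True))
```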

@daira
Member
daira commented Aug 15, 2013

For some reason the Twisted server is not offering DHE ciphersuites even though I include them in the list. I'll try adding ECDHE_RSA, but I'm not hopeful that it won't have the same problem. Also IE8 on XP spoils everything by being unmitigated crap :-p

@daira
Member
daira commented Aug 15, 2013

Oh, pyOpenSSL does expose SSL_CTX_set_options, so we should be able to set SSL_OP_CIPHER_SERVER_PREFERENCE.

@zooko
Contributor
zooko commented Aug 15, 2013

I found http://msdn.microsoft.com/en-us/library/windows/desktop/aa380512%28v=vs.85%29.aspx which says that IE 8 on Windows XP could do TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA . I updated zooko.com's nginx config to add EDH-DSS-DES-CBC3-SHA at the end of its list, but ssllabs.com's simulated IE8-WinXP client did not use it. Then I added "DES-CBC3-SHA", and ssllabs.com's simulated IE8-WinXP client went from:

"""
IE 8 / XP No FS * Fail**

  • Browsers that do not support Forward Secrecy are excluded when determining support for it.
    ** Only first connection attempt simulated. Browsers are likely to retry with a lower protocol version or other tweaks.
    """

To:

"""
IE 8 / XP No FS * TLS 1.0 SSL_RSA_WITH_3DES_EDE_CBC_SHA (0xa) No FS 168
"""

Therefore, my new nginx/openssl config is:

ssl_protocols TLSv1.1 TLSv1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-ECDSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-ECDSA-AES128-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA;

@daira
Member
daira commented Aug 16, 2013

No-one uses EDH, those suites can safely be ignored.

@daira
Member
daira commented Aug 16, 2013

I did get SSL_OP_CIPHER_SERVER_PREFERENCE working on phi, but at the point I left off to do my visa preparation, we weren't successfully offering any DHE or ECDHE ciphersuites because (I think) the [EC]DH parameters had not been loaded.

@zookoatleastauthoritycom

Per Daira's comment about EDH, I removed "EDH-DSS-DES-CBC3-SHA", leaving me with:

ssl_protocols TLSv1.1 TLSv1 TLSv1.2;
ssl_certificate /etc/ssl/my-certs/zooko.com.cer;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-ECDSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-ECDSA-AES128-SHA:DES-CBC3-SHA;

ssllabs's test (which they've been updating, so it will give different answers today than it would have given at the beginning of this issue), currently says this about my config (at zooko.com):

Cipher Suites (SSL 3+ suites in server-preferred order, then SSL 2 suites where used)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH 256 bits (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH 256 bits (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits RSA) FS 128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128

Handshake Simulation
Chrome 30 / Win 7 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) FS 128
Firefox 10.0.12 ESR / Win 7 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
Firefox 17.0.7 ESR / Win 7 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
Firefox 21 / Fedora 19 TLS 1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) FS 128
Firefox 24 / Win 7 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
IE 6 / XP No FS * Fail**
IE 7 / Vista TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
IE 8 / XP No FS * TLS 1.0 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) No FS 168
IE 8-10 / Win 7 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
IE 11 / Win 8.1 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) FS 128
Java 6u45 TLS 1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) FS 128
Java 7u25 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
OpenSSL 0.9.8y TLS 1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) FS 128
OpenSSL 1.0.1e TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) FS 128
Opera 12.15 / Win 7 TLS 1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) FS 128
Opera 16 / Win 7 TLS 1.1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
Safari 5.1.9 / OS X 10.6.8 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
Safari 6 / iOS 6.0.1 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) FS 128
Safari 6.0.4 / OS X 10.8.4 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
Safari 7 / OS X 10.9 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) FS 128

  • Browsers that do not support Forward Secrecy are excluded when determining support for it.
    ** Only first connection attempt simulated. Browsers are likely to retry with a lower protocol version or other tweaks.

Protocol Details
Secure Renegotiation Supported
Secure Client-Initiated Renegotiation No
Insecure Client-Initated Renegotiation No
BEAST attack Not mitigated server-side (more info) TLS 1.0: 0xc013
TLS compression No
RC4 No
Forward Secrecy Yes (with most browsers) ROBUST (more info)
Next Protocol Negotiation Yes http/1.1
Session resumption Yes
Session tickets Yes
OCSP stapling No
Strict Transport Security Yes max-age=100000
Long handshake intolerance No
TLS extension intolerance No
TLS version intolerance TLS 2.98
SSL 2 handshake compatibility Yes

@zancas
Contributor
zancas commented Oct 15, 2013

Have you committed this change to a branch? If so which? I've been linking all of my commits to deliverables in my standup log.


@zookoatleastauthoritycom

That's a change to the configuration of the web server running on zooko.com.

@zookoatleastauthoritycom

lvh posted on https://twistedmatrix.com/trac/ticket/6663#comment:31 about ciphers suggested by Mozilla: https://wiki.mozilla.org/Security/Server_Side_TLS

I tried the config they suggested and asked https://www.ssllabs.com/ssltest/analyze.html?d=zooko.com what would be the result with a bunch of simulated clients.

With my config (ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-ECDSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-ECDSA-AES128-SHA:DES-CBC3-SHA), ssllabs said:

Chrome 30 / Win 7 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) FS 128
Firefox 10.0.12 ESR / Win 7 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
Firefox 17.0.7 ESR / Win 7 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
Firefox 21 / Fedora 19 TLS 1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) FS 128
Firefox 24 / Win 7 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
IE 6 / XP No FS * Fail**
IE 7 / Vista TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
IE 8 / XP No FS * TLS 1.0 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) No FS 168
IE 8-10 / Win 7 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
IE 11 / Win 8.1 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) FS 128
Java 6u45 TLS 1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) FS 128
Java 7u25 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
OpenSSL 0.9.8y TLS 1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) FS 128
OpenSSL 1.0.1e TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) FS 128
Opera 12.15 / Win 7 TLS 1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) FS 128
Opera 16 / Win 7 TLS 1.1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
Safari 5.1.9 / OS X 10.6.8 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
Safari 6 / iOS 6.0.1 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) FS 128
Safari 6.0.4 / OS X 10.8.4 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
Safari 7 / OS X 10.9 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) FS 128

With Mozilla's config, ssllabs said the same thing, except with this diff:

-IE 8 / XP No FS * TLS 1.0 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) No FS 168
+IE 8 / XP No FS * TLS 1.0 TLS_RSA_WITH_RC4_128_SHA (0x5) No FS 128

So the only practical difference known to ssllabs's simulator is that with Mozilla's config, IE 8 / XP would choose RC4 instead of 3DES. This seems like a really bad idea to me. As far as I know 3DES is very strong, and is, along with AES, one of the two best-studied ciphers in all of human history. In contrast, RC4 is weak, and recent discoveries have shown it to be even weaker (as it is used in TLS) than earlier believed.

Seems like a pretty bad choice for Mozilla to recommend it over 3DES…

@daira
Member
daira commented Oct 17, 2013

Does IE 8 / XP do client-side mitigation of BEAST?

@daira
Member
daira commented Oct 17, 2013

Does IE 8 / XP do client-side mitigation of BEAST?

No, because 1/n-1 record splitting (https://bugzilla.mozilla.org/show_bug.cgi?id=665814#c59) was only proposed in August 2011. IE8 was released in 2009.

@zooko
Contributor
zooko commented Oct 24, 2013

I posted the following comment to the mozilla bug (https://bugzilla.mozilla.org/show_bug.cgi?id=927045):

For what it is worth, the qualys ssllabs handshake simulator has been upgraded to add Bing, GoogleBot, Yahoo, and a few other things:

https://www.ssllabs.com/ssltest/analyze.html?d=zooko.com

Also, I tweaked my config for zooko.com, leaving the ciphers string intact as I earlier reported ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-ECDSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-ECDSA-AES128-SHA:DES-CBC3-SHA"), but I tweaked my config by adding SSLv3 to the set of supported protocols, which was previously only TLSv1, TLSv1.1, and TLSv1.2. By adding SSLv3 to the set of supported protocols, the only change on the ssllabs handshake simulator was that IE6/XP became able to connect to zooko.com. (Obligatory link to Microsoft's "PLEASE STOP USING IE6" site: http://www.ie6countdown.com/ .)

@zooko
Contributor
zooko commented Oct 24, 2013

For what it is worth, I've been persuaded by Adam Langley and Nick Mathewson that GCM is hard to implement in a timing-leak-safe way, and I've decided that SHA-1 is just as good as SHA-256 when used in HMAC, so I tweaked my config string to this:

ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA:DHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-ECDSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-ECDSA-AES128-GCM-SHA256:DES-CBC3-SHA

@ivanr
ivanr commented Oct 24, 2013

In response to the question about IE8 on Windows XP: On Microsoft platforms, the 1/n-1 split is in Schannel, not in browsers. IIRC, the issue was patched on Windows XP too. It should not matter that IE8 predates BEAST.

@zooko
Contributor
zooko commented Oct 25, 2013

Here is a detailed recipe of someone configuring Twisted web to do better ciphers:

https://github.com/oberstet/scratchbox/blob/master/python/twisted/tips/AAA_TLS.md

@zooko
Contributor
zooko commented Oct 25, 2013

In my latest experiment with cipher selection, I've decided I don't really like or need GCM nor HMAC-SHA256. Also the TLS analyzer seems to be telling me that it doesn't even recognize the ECDSA options: ECDHE-ECDSA-AES128-SHA and DHE-ECDSA-AES128-SHA. Also I've decided that I don't really like ECDSA.

So my config string can be this very simple thing:

ssl_ciphers ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA;

The TLS handshake simulator shows that this works with all the clients it simulates:

https://www.ssllabs.com/ssltest/analyze.html?d=zooko.com

Bing Oct 2013   TLS 1.0     TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   FS    128
Chrome 30 / Win 7   TLS 1.2     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
Firefox 10.0.12 ESR / Win 7     TLS 1.0     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
Firefox 17.0.7 ESR / Win 7  TLS 1.0     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
Firefox 21 / Fedora 19  TLS 1.0     TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   FS    128
Firefox 24 / Win 7  TLS 1.0     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
Googlebot Oct 2013  TLS 1.0     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
IE 6 / XP   No FS *     SSL 3   TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   No FS     168
IE 7 / Vista    TLS 1.0     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
IE 8 / XP   No FS *     TLS 1.0     TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   No FS     168
IE 8-10 / Win 7     TLS 1.0     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
IE 11 / Win 8.1     TLS 1.2     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
Java 6u45   TLS 1.0     TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   FS    128
Java 7u25   TLS 1.0     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
OpenSSL 0.9.8y  TLS 1.0     TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   FS    128
OpenSSL 1.0.1e  TLS 1.2     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
Opera 17 / Win 7    TLS 1.2     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
Safari 5.1.9 / OS X 10.6.8  TLS 1.0     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
Safari 6 / iOS 6.0.1    TLS 1.2     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
Safari 6.0.4 / OS X 10.8.4  TLS 1.0     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
Safari 7 / OS X 10.9    TLS 1.2     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
Tor 17.0.9 / Win 7  TLS 1.0     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
Yahoo Slurp Oct 2013    TLS 1.0     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128

@daira
Member
daira commented Oct 28, 2013

Zooko, why don't you like GCM? GCM is the right way (rather than the hacky and still-could-be-vulnerable-to-the-next-clever-idea way) to fix the CBC issues.

@zookoatleastauthoritycom

GCM is apparently hard to implement in a constant-time design.

Adam Langley: https://www.imperialviolet.org/2013/10/07/chacha20.html

Nick Mathewson: "GCM, which is also hard to do in a side-channel-free way in software" — https://lists.torproject.org/pipermail/tor-talk/2013-September/029937.html

See also Matt Green and Colin Percival on AEAD and side-channel (timing) issues: http://blog.cryptographyengineering.com/2011/12/matt-green-smackdown-watch-are-aead.html

@daira
Member
daira commented Oct 29, 2013

Emilia Käsper, Peter Schwabe
Faster and Timing-Attack Resistant AES-GCM
CHES '09 Proceedings of the 11th International Workshop on Cryptographic Hardware and Embedded Systems
2009
Slides at http://www.chesworkshop.org/ches2009/presentations/01_Session_1/CHES2009_ekasper.pdf

(I agree this doesn't contradict Zooko's and Nick's statements that AES-GCM is hard to implement in constant time, but it is at least possible, and not prohibitively inefficient.)

@daira
Member
daira commented Oct 30, 2013

Also note that Niels Ferguson's main attack doesn't materially affect the use of GCM in TLS (where the nonce is always 96 bits and the tag always 128 bits).

@zooko
Contributor
zooko commented Oct 30, 2013

Also, TLS's CBC+HMAC isn't that perfectly easy to implement in constant time, either! http://blog.cryptographyengineering.com/2013/02/attack-of-week-tls-timing-oracles.html

But, I still think that the current TLS CBC+HMAC implementations are more likely to be better at this than the current GCM implementations. I could be wrong about that — I haven't checked!

@zookoatleastauthoritycom

This has been fixed in Twisted trunk, but not yet in a new Twisted release: https://twistedmatrix.com/trac/ticket/6663

@dreid
dreid commented May 27, 2014

https://tm.tl/6663 was in the Twisted 14.0 release.

@daira
Member
daira commented May 27, 2014

What exactly has been fixed? The only remaining problem on this ticket was getting forward secrecy working; not the general problem of setting the ciphersuite list (which is trivial without any changes to Twisted).

@zancas zancas added this to the ResetTheNetRelease milestone May 30, 2014
@daira daira was unassigned by zancas May 30, 2014
@zookoatleastauthoritycom zookoatleastauthoritycom removed this from the ResetTheNetRelease milestone Jun 4, 2014
@zookoatleastauthoritycom

https://www.ssllabs.com/ssltest/analyze.html?d=leastauthority.com says:

  • This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C. MORE INFO »
  • Certificate uses SHA1. When renewing, ensure you upgrade to SHA256. MORE INFO »
  • The server does not support Forward Secrecy with the reference browsers. MORE INFO »
  • SSL 3 INSECURE Yes
  • TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK 56
  • TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK 56

@david415 david415 self-assigned this Dec 4, 2014
@david415
Member
david415 commented Dec 4, 2014

OK... I figured out how to disable SSL 3... so that mitigates the POODLE attack.
Here on my branch:
https://github.com/david415/leastauthority.com/commits/david-92-improve-cipher-list

in this commit:
david415@7262e99

I have not tested this. I require a test "environment"; fqdn, certificate and server to test this out...
From the Qualys report it looks like there's a few more things to fix.

I feel like my progress would be faster with a test env.
It looks like the next step is to get forward secrecy working... is my understanding correct?

@david415
Member
david415 commented Dec 4, 2014

11:22 < dawuud> looks like according to the twisted docs: """it is necessary to pass an instance of DiffieHellmanParameters to CertificateOptions via the dhParameters option to be able to use them"""
---> https://twistedmatrix.com/documents/current/core/howto/ssl.html#tls-protocol-options

However leastauthority.com/lae_site/main.py uses DefaultOpenSSLContextFactory...
so this might mean that we are supposed to set the factory instance's "options" attribute to the CertificateOptions instance.

see here -->
https://stackoverflow.com/questions/26145252/twisted-python-using-ssl-certificateoptions-when-switching-from-plain-text-to-s

oh hey that idea is probably silly; according to the source code CertificateOptions is in fact a SSL context factory!
https://twistedmatrix.com/trac/browser/tags/releases/twisted-14.0.2/twisted/internet/_sslverify.py#L1177

So all we have to do is stop using DefaultOpenSSLContextFactory and replace its use with a CertificateOptions instance that is set up properly with the DiffieHellmanParameters and such.

Also it's interesting to note that there appears to be an alternate way to select cipher suites:
https://twistedmatrix.com/documents/14.0.2/api/twisted.internet.interfaces.IAcceptableCiphers.html

@daira
Member
daira commented Dec 9, 2014

This is what I did to install Twisted 14.0.2 and pyOpenSSL 0.14:

sudo pip install twisted
# undo apt-get installation of twisted
sudo dpkg -r python-twisted python-twisted-core python-twisted-conch python-twisted-mail \
  python-twisted-lore python-twisted-names python-twisted-news python-twisted-runner \
  python-twisted-web python-twisted-words python-nevow python-foolscap landscape-client landscape-common
sudo sed --in-place=bak 's/[.]use_certificate_file[(]/.use_certificate_chain_file(/g' \
  $(python -c 'import twisted, os; print os.path.dirname(twisted.__file__)')/internet/ssl.py
sudo pip install foolscap
sudo pip install service_identity
sudo dpkg -r python-openssl
sudo apt-get install libffi-dev libssl1.0.0 openssl libssl-dev
sudo pip install pyOpenSSL

@david415
Member
david415 commented Dec 9, 2014

Looking at the source code for DefaultOpenSSLContextFactory we can see that it in fact does not
inherit from OpenSSLCertificateOptions nor does it reference OpenSSLCertificateOptions or CertificateOptions via any other means :

https://twistedmatrix.com/trac/browser/tags/releases/twisted-14.0.2/twisted/internet/ssl.py#L78

I also noticed that the twisted TLS doc no longer mentions DefaultOpenSSLContextFactory:
https://twistedmatrix.com/documents/current/core/howto/ssl.html
However older versions of this document did mention it...

For the time being my conclusion is that DefaultOpenSSLContextFactory is deprecated and should not be used. We should instead do something more like this:
https://twistedmatrix.com/documents/current/core/howto/ssl.html#tls-echo-server

@david415
Member
david415 commented Dec 9, 2014

we see right here that OpenSSLCertificateOptions sets the private key and cert via the raw data instead of with file names:
https://twistedmatrix.com/trac/browser/tags/releases/twisted-14.0.2/twisted/internet/_sslverify.py#L1439

whereas DefaultOpenSSLContextFactory uses the file names:
https://twistedmatrix.com/trac/browser/tags/releases/twisted-14.0.2/twisted/internet/ssl.py#L114

all of the twisted examples use a single pem file for the server key and certificate:
https://twistedmatrix.com/documents/current/core/howto/ssl.html

can we do that too? daira mentioned that we are using a patch to twisted to get it to accept multiple certificates and keys. aha that's what that sed stuff is about in daira's comment ( #92 (comment) )

reviewing that above patch shows a one line patch to DefaultOpenSSLContextFactory...
This approach won't work with OpenSSLCertificateOptions.

After looking at the source code of PrivateCertificate class it seems to support both ASN1 and PEM formatted certificates.

Do you suggest we make a minor code change to Twisted's OpenSSLCertificateOptions and get it to use the pyopenssl options such that it uses a certificate chain?

I presume that this certificate chain is required for your uses of this webserver... because it would of course be way better to not patch twisted... especially if they aren't accepting the patch upstream.

@daira
Member
daira commented Dec 9, 2014

I think it should be possible to do without that patch, and switch to whatever the cool kids are now using to set cert options. We were still using it just because it works and we were applying an OTAAT (change One Thing At A Time) policy to server upgrades. But getting forward secrecy working is sufficient justification to change it.

@david415
Member
david415 commented Dec 9, 2014

OK... I think that the cool kids would do something like this:

https://github.com/david415/leastauthority.com/tree/david-92-improve-cipher-list-1
david415@febe9c5

However I might have to change that a tiny bit to support ASN1 instead of PEM if that's what we are using.

@daira
Member
daira commented Dec 9, 2014

I built OpenSSL 1.0.1j from source (in /home/website/openssl/openssl-1.0.1j) like this:

$ wget https://www.openssl.org/source/openssl-1.0.1j.tar.gz
$ sha1sum openssl-1.0.1j.tar.gz
# cff86857507624f0ad42d922bb6f77c4f1c2b819
$ tar zxf openssl-1.0.1j.tar.gz
$ cd openssl-1.0.1j/
$ ./config no-shared no-idea no-mdc2 no-rc5 zlib enable-tlsext no-ssl2
$ make depend
$ make

Security bugs fixed in 1.0.1j: https://www.openssl.org/news/openssl-1.0.1-notes.html

@daira
Member
daira commented Dec 10, 2014

I got forward secrecy working! (for most clients) I used an ugly hack that sets a private variable of OpenSSLCertificateOptions, though. A better way would be to construct the OpenSSLCertificateOptions object directly via its constructor.

https://github.com/LeastAuthority/leastauthority.com/commits/david-92-improve-cipher-list-1

@david415
Member

wow cool! did the certificate chain work?

It looks like we don't have to set the OP_NO_SSLv3 option anymore since Twisted does it:
https://twistedmatrix.com/trac/browser/tags/releases/twisted-14.0.2/twisted/internet/_sslverify.py#L1347

I'm going to run some experiments and post the results here.

@daira
Member
daira commented Dec 10, 2014

I'm not sure about the cert chain, I didn't have time to check it last night.

@david415
Member

I was able to test lae_site/main.py at this new commit id which removes the hacky ssl context option setting:
david415@2c115bd

Still not vulnerable to the POODLE attack.... but I had to test several times... because it seems that qualys was caching previous results even though I tested with the url with a no cache option.

qualys ssllabs says "Chain Issues Incomplete"

Additionally it's failing these tests:

  • Secure Client-Initiated Renegotiation Supported DoS DANGER
  • Downgrade attack prevention Yes, TLS_FALLBACK_SCSV supported

I suspect we need the certificate chain to be loaded properly for all this to work in production.
Is that the case?

aha! OpenSSLCertificateOptions will call add_extra_chain_cert if we set extraCertChain...
I think we might need to put the extra certs into their own file so we can pass it to extraCertChain
separately from certificate.

https://twistedmatrix.com/trac/browser/tags/releases/twisted-14.0.2/twisted/internet/_sslverify.py#L1441

https://pythonhosted.org/pyOpenSSL/api/ssl.html#OpenSSL.SSL.Context.add_extra_chain_cert

further experiment results forthcoming...

@david415
Member

Oh I see that pyopenssl's add_extra_chain_cert(cert) takes an X.509 cert chain but
use_certificate_chain_file which we previously were using takes a PEM encoded cert chain file... so I'm going to dig deeper to see what can be done.

@david415
Member

I found an excellent code example that demonstrates our use-case of key and cert file where the cert file contains additional certificate chains:
https://pypi.python.org/pypi/pem/0.3.0

I have made these changes in my branch here:
https://github.com/david415/leastauthority.com/tree/david-92-improve-cipher-list-1
in this commit:
david415@992371d

AND I'm fairly confident that it will work... however I have not gotten a chance to test it because the pem python module is not installed... So let's test this soon once we install the pem module!
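Added example, not code from this thread, from the pem module or from the branch linked above: the split that use_certificate_chain_file performs internally, written in plain Python so the leaf certificate and the intermediates come out as separate PEM strings ready for a certificate/extraCertChain style API. The Twisted calls in the trailing comment are the assumed shape of the CertificateOptions API at the time, not code from the page, and the sample bundle bodies are placeholders rather than real key material.

```python
import re

# One PEM block, label captured. Accepts LF or CRLF line endings and, like
# OpenSSL, ignores any free text outside the BEGIN/END markers.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)

_KEY_LABELS = ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY")


def split_pem_bundle(text):
    """Split a combined key+chain PEM file into (key, leaf_cert, chain).

    The first CERTIFICATE block is taken as the server (leaf) certificate,
    which is the rule SSL_CTX_use_certificate_chain_file applies; every later
    CERTIFICATE block is an intermediate and is returned in file order, which
    is the order add_extra_chain_cert expects. Blocks with other labels
    (DH PARAMETERS, X509 CRL, ...) are skipped. Raises ValueError if the
    bundle does not hold exactly one private key and at least one cert.
    """
    keys, certs = [], []
    for match in _PEM_BLOCK.finditer(text):
        label = match.group(1)
        body = match.group(2).replace("\r\n", "\n")
        block = "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)
        if label in _KEY_LABELS:
            keys.append(block)
        elif label == "CERTIFICATE":
            certs.append(block)
    if len(keys) != 1:
        raise ValueError("expected exactly one private key, found %d" % len(keys))
    if not certs:
        raise ValueError("no certificate found in bundle")
    return keys[0], certs[0], certs[1:]


# Constructed sample: placeholder bodies, not real key or certificate data,
# so this runs offline; only the PEM framing is exercised. Note the free-text
# line between blocks and the CRLF endings on the last two certificates.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nKEYDATA\n-----END RSA PRIVATE KEY-----\n"
    "subject=intermediate 1 (informational line, ignored)\n"
    "-----BEGIN CERTIFICATE-----\nINTER1\n-----END CERTIFICATE-----\r\n"
    "-----BEGIN CERTIFICATE-----\r\nINTER2\r\n-----END CERTIFICATE-----\r\n"
)

# Assumed (hypothetical) use with Twisted 14.x, kept as a comment because it
# needs real key material and the twisted/pyOpenSSL packages:
#   key, leaf, chain = split_pem_bundle(open("bundle.pem").read())
#   options = ssl.CertificateOptions(
#       privateKey=ssl.PrivateCertificate.loadPEM(key + leaf).privateKey.original,
#       certificate=ssl.Certificate.loadPEM(leaf).original,
#       extraCertChain=[ssl.Certificate.loadPEM(c).original for c in chain],
#       dhParameters=ssl.DiffieHellmanParameters.fromFile(FilePath("dh.pem")),
#       acceptableCiphers=ssl.AcceptableCiphers.fromOpenSSLCipherString(
#           "ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA"))

if __name__ == "__main__":
    key, leaf, chain = split_pem_bundle(SAMPLE_BUNDLE)
    print("key:", key.splitlines()[0])
    print("leaf:", leaf.splitlines()[1])
    print("chain length:", len(chain))
```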

@glyph
glyph commented Dec 10, 2014

Hi all. I just ran across this ticket and read the last dozen or so comments here.

I'm sorry Twisted's API for this is so bad. My only consolation is that (A) it is getting better (B) it is actually better than most things and (C) it seems like the fact that it got better may have enabled you to at least figure out how to do the right thing in the most recent release, even if it wasn't entirely straightforward. The guiding design principle for far too long was "we're not crypto experts, surely OpenSSL's API is sufficient for this stuff", and obviously it isn't.

Anyway, sorry for the inconvenience, I just wanted to say we are actively aware that this is a problem and have been putting a lot of effort into fixing it.

@david415
Member

howdy Glyph... yes it's definitely getting better I see.

Daira and Nathan: I'm going to test this code I wrote tomorrow or whenever Nathan or Daira fix a test environment for me. Nathan got me set up with a different machine but it's missing flappserver (whatever that is). I guess Daira and I will fix this tomorrow during our scheduled pairing.

@david415
Member

OK so I made another commit...
https://github.com/david415/leastauthority.com/tree/david-92-improve-cipher-list-1
david415@d6d2741

But it doesn't work so I'm going to try and dig deeper tomorrow.
Daira: feel free to solve this problem ;-)

[Failure instance: Traceback: <class 'OpenSSL.crypto.Error'>: []
/usr/local/lib/python2.7/dist-packages/twisted/internet/defer.py:577:_runCallbacks
/home/website/leastauthority.com/lae_util/flapp.py:29:_got_rref
/usr/local/lib/python2.7/dist-packages/twisted/internet/defer.py:382:callback
/usr/local/lib/python2.7/dist-packages/twisted/internet/defer.py:490:_startRunCallbacks
--- ---
/usr/local/lib/python2.7/dist-packages/twisted/internet/defer.py:577:_runCallbacks
/home/website/leastauthority.com/lae_site/main.py:101:
/home/website/leastauthority.com/lae_site/main.py:71:main
/usr/local/lib/python2.7/dist-packages/twisted/internet/_sslverify.py:619:loadPEM
/usr/local/lib/python2.7/dist-packages/twisted/internet/_sslverify.py:725:load
/usr/local/lib/python2.7/dist-packages/OpenSSL/crypto.py:2010:load_privatekey
/usr/local/lib/python2.7/dist-packages/OpenSSL/_util.py:22:exception_from_error_queue

@daira daira added a commit that referenced this issue Dec 11, 2014
@daira daira Update code for loading cert chain to work with Twisted 14.0.2, witho…
…ut needing a patch. refs #92

Signed-off-by: Daira Hopwood <daira@leastauthority.com>
8018237
@daira
Member
daira commented Dec 11, 2014

92-improve-cipher-list-3 now has the updated code, but I'm having trouble logging into ubuntu@leastauthority.com to make the necessary updates to Twisted and pyOpenSSL.

@daira
Member
daira commented Jan 15, 2015

This is what we did to fix the production site:

sudo dpkg -r python-twisted-core python-twisted-conch python-twisted-mail python-twisted-lore python-twisted-names python-twisted-news python-twisted-runner python-twisted-web python-twisted-words python-nevow python-foolscap landscape-client landscape-common
sudo pip install foolscap service_identity 'Twisted==14.0.2' pem
sudo apt-get install libssl-dev build-essential python-dev libffi-dev
sudo dpkg -r python-openssl
sudo pip install 'pyOpenSSL >= 0.14'

and switch to the 92-improve-cipher-list-3 branch.

https://www.ssllabs.com/ssltest/analyze.html?d=leastauthority.com&clearCache=on now gives us an A.

@daira
Member
daira commented Jan 15, 2015

This ticket should not be closed until we've updated the infrastructure deployment to automatically reach the same state we got to above.

@david415 david415 closed this Jan 16, 2015
@david415 david415 reopened this Jan 16, 2015
@david415
Member

oh? yes... I agree. we should update the deployment.

@daira daira changed the title from Insecure ciphers are accepted by https://leastauthority.com to update infrastructure deployment to solve: Insecure ciphers are accepted by https://leastauthority.com Jan 16, 2015
@zookoatleastauthoritycom

Judging from this conversation on twitter (https://twitter.com/mik235/status/556201250513895425), the ideal modern cipher suite spec string is ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA.

@daira
Member
daira commented Jan 18, 2015

The default cipher suite list for Twisted 14.0.2 looks perfectly reasonable to me; I'm loath to override it without good reason.

Picking up on another comment on the Twitter thread: we are secure against POODLE attacks on TLS according to the ssllabs test.

@daira daira removed the priority label Jan 22, 2015
@exarkun
Contributor
exarkun commented Feb 9, 2017

We're using that now. The ssllabs report looks good now. Considering this fixed.

@exarkun exarkun closed this Feb 9, 2017