sslproto module fails to detect clients connecting with export-grade ciphers #42

Closed
grwl opened this Issue · 28 comments

grwl
Owner
grwl commented

To reproduce the problem, check out the fix-sslproto-export-ciphers branch. This branch has sslv2 disabled. Run bin/test-sslcaudit:

# bin/test-sslcaudit
test_curl_rejects_export_ciphers (test.TestSSLProtoModule.TestSSLProtoModule) ... ok
test_opensssl_accepts_all_ciphers (test.TestSSLProtoModule.TestSSLProtoModule) ...
unexpected results
ACCAR(sslproto(sslv3, EXPORT), no shared cipher)
ACCAR(sslproto(tlsv1, EXPORT), no shared cipher)
missing results
ECCAR(sslproto(sslv3, EXPORT), )
ECCAR(sslproto(tlsv1, EXPORT), )
FAIL

It can be shown that openssl itself behaves correctly. Do the following from sslcaudit/ directory, to make sure paths to certs and key are correct.

Running openssl server with export cipher
# openssl s_server -cert test/certs/www.example.com-cert.pem -key test/certs/www.example.com-key.pem -cipher EXPORT

Asking the openssl client to connect to it:
# openssl s_client -connect localhost:4433 -cipher EXPORT
...
Cipher : EXP-EDH-RSA-DES-CBC-SHA
It works as expected: an export-grade cipher is chosen.

Now, replace the server with sslcaudit (run the client the same way, in a loop):
# bin/sslcaudit -m sslproto -l 0.0.0.0:4433
...
127.0.0.1:40880 sslproto(sslv3, HIGH) no shared cipher
127.0.0.1:40881 sslproto(sslv3, MEDIUM) no shared cipher
127.0.0.1:40882 sslproto(sslv3, LOW) no shared cipher
127.0.0.1:40883 sslproto(sslv3, EXPORT) no shared cipher
127.0.0.1:40884 sslproto(tlsv1, HIGH) no shared cipher
127.0.0.1:40885 sslproto(tlsv1, MEDIUM) no shared cipher
127.0.0.1:40886 sslproto(tlsv1, LOW) no shared cipher
127.0.0.1:40887 sslproto(tlsv1, EXPORT) no shared cipher

grwl
Owner
grwl commented

There is a comment on stackoverflow. I think the guy is wrong, there is "ctx.load_cert_chain(certchainfile=CERTFILE, keyfile=KEYFILE)" in the code. Unfortunately it appears I can't comment on stackoverflow anymore, maybe because of the bounty I've started.

Miroslav Stampar
Collaborator

But there is something intriguing in his answer. If you take a look you'll for sure see "no peer certificate available" in OK case. Let's wait and see if anyone writes a better answer (but I'll for sure think about this)

grwl
Owner
grwl commented

The example in your post seems to be broken. If I save the files and execute your s_server then s_client I get this:

abb@e6510:/tmp$ openssl s_client -connect localhost:4433 -cipher EXPORT
CONNECTED(00000003)
depth=0 C = BE, CN = www.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = BE, CN = www.example.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = BE, CN = www.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=BE/CN=www.example.com
   i:/C=BE/CN=test-ca
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=BE/CN=www.example.com
issuer=/C=BE/CN=test-ca
---
No client certificate CA names sent
---
SSL handshake has read 1141 bytes and written 242 bytes
---
New, TLSv1/SSLv3, Cipher is EXP-EDH-RSA-DES-CBC-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : SSLv3
    Cipher    : EXP-EDH-RSA-DES-CBC-SHA
    Session-ID: D780218D042B2352D5EE8C74BC318B2A9303FC1702784C4212D67B5F13904141
    Session-ID-ctx:
    Master-Key: 435B19E68E61C4A7BCAB64DAB4802BEF6816CE3D64561E4D732075D41CE6A4AC662F821A74BF6A2840598B2000B42692
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Compression: 1 (zlib compression)
    Start Time: 1340641927
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

Miroslav Stampar
Collaborator

But I believe that this is really happening from the beginning (original message of this Issue). I've just reused those certificates (I believe that those are self-signed, hence the "verify error:num=27:certificate not trusted") from source.

grwl
Owner
grwl commented

I don't know why you say it was happening from the beginning. I've read the original message, there is nothing about missing certificates. What makes you think so?

Anyway, can you please check and update the post on stackoverflow to reflect real problem we are trying to solve? Or you say the whole issue is a mistake?

Miroslav Stampar
Collaborator

Ok. Sorry. After a second thought this has nothing to do with the certificates. We just want to reproduce what has been done with openssl s_server. Comment is updated at http://stackoverflow.com/questions/11101794/export-ciphers-and-m2crypto-openssl

Miroslav Stampar
Collaborator

p.s. that "symptoms" part is now updated

grwl
Owner
grwl commented

Nice, thanks.

grwl
Owner
grwl commented

I think the problem is not related to m2crypto strictly. PyOpenSSL seems to be affected as well. I've made a twisted-based SSL server (test/ssl-twisted-server.py in fix-sslproto-export-ciphers branch) and it has exactly the same effect.

grwl
Owner
grwl commented

I've looked at the handshake: the server just rejects the connection as soon as it sees the client only supports export-grade ciphers.

I've taken the examples from the openssl library (now under test/ in sslcaudit) and they fail too:

abb@e6510:~/dvp/sslcaudit/test/openssl-examples-20020110$ ./wserver2 -a EXP-RC4-MD5
SSL accept error
140020402464416:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1353:

abb@e6510:~$ date | openssl s_client -connect localhost:4433 -cipher EXP-RC4-MD5
CONNECTED(00000003)
139688996304544:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:724:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 64 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

But if I tell it to use HIGH ciphers, for example, all works as expected. Weird.

And at the same time openssl s_server works fine with these ciphers.

abb@e6510:/tmp$ openssl s_server -cert dummy_cert.pem -key dummy_key.pem -cipher EXP-RC4-MD5
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
Generating temp (512 bit) RSA key...
-----BEGIN SSL SESSION PARAMETERS-----
MFoCAQECAgMCBAIAAwQABDDavgNBa/Lyft5vyNhRMDTXjwseT8WWPuSFHvbj7zSg
YXBm2AcLfFKE2J37bOw9OLShBgIET+lunaIEAgIBLKQGBAQBAAAAqwMEAQE=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:EXP-RC4-MD5
CIPHER is EXP-RC4-MD5
Secure Renegotiation IS supported
Tue Jun 26 10:11:09 CEST 2012
DONE
shutting down SSL
CONNECTION CLOSED
ACCEPT


abb@e6510:~$ date | openssl s_client -connect localhost:4433 -cipher EXP-RC4-MD5
CONNECTED(00000003)
depth=0 C = BE, CN = www.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = BE, CN = www.example.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = BE, CN = www.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=BE/CN=www.example.com
   i:/C=BE/CN=test-ca
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=BE/CN=www.example.com
issuer=/C=BE/CN=test-ca
---
No client certificate CA names sent
---
SSL handshake has read 1185 bytes and written 190 bytes
---
New, TLSv1/SSLv3, Cipher is EXP-RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : EXP-RC4-MD5
    Session-ID: 62A4EC86E2D3CF3519C093E21BDF0F30ACF4E9F015D65F146E205B5EAE4B7E0B
    Session-ID-ctx: 
    Master-Key: DABE03416BF2F27EDE6FC8D8513034D78F0B1E4FC5963EE4851EF6E3EF34A0617066D8070B7C5284D89DFB6CEC3D38B4
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 0e a0 3e 34 a4 d1 9e 15-15 99 fd eb 2c 6c 10 29   ..>4........,l.)
    0010 - e4 5b 3a d7 16 bf 66 fd-11 87 b0 c9 f4 06 6b 39   .[:...f.......k9
    0020 - ff 31 7f 64 23 04 ee 3e-49 3a e3 03 ea 15 28 6b   .1.d#..>I:....(k
    0030 - 01 be dd ff fe 98 6b dd-29 3b cd 9b 32 2c e3 a8   ......k.);..2,..
    0040 - 8d 91 21 68 e6 80 8e d8-2d 63 06 35 8f 93 58 3f   ..!h....-c.5..X?
    0050 - 74 e6 62 39 1a 61 96 de-0a 60 b4 1b 1b 37 0f 35   t.b9.a...`...7.5
    0060 - 46 a1 b5 0b 22 3d 00 ed-df ff 91 6b 6e c3 f7 d9   F..."=.....kn...
    0070 - 96 24 49 ff d8 d5 e8 aa-8f d5 42 ae 4a 3a 4d fa   .$I.......B.J:M.
    0080 - 9a a3 b6 16 7a bc 8b ff-51 cb 0f 10 62 1e ff 51   ....z...Q...b..Q
    0090 - 0e 8e 10 ea 98 f9 2d 69-ef a0 f0 03 5f 80 bb 14   ......-i...._...

    Compression: 1 (zlib compression)
    Start Time: 1340698269
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
DONE
Miroslav Stampar
Collaborator

Might be useful for debugging SSL handshakes: sudo ssldump -a -A -H -i lo (Reference: http://prefetch.net/articles/debuggingssl.html)

Sample output:

New TCP connection #1: localhost(45977) <-> localhost(4433)
1 1 0.0004 (0.0004) C>SV3.1(66) Handshake
ClientHello
Version 3.1
random[32]=
4f e9 74 32 56 c7 a0 8b b4 2f 16 9c b7 69 60 aa
c3 8e 85 d9 a7 79 35 90 f1 67 14 8a 1a 19 40 5d
cipher suites
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_EXPORT_WITH_RC4_40_MD5
Unknown value 0xff
compression methods
unknown value
NULL
1 2 0.0005 (0.0001) S>CV3.0(2) Alert
level fatal
value handshake_failure
1 0.0006 (0.0001) S>C TCP FIN
1 0.0045 (0.0038) C>S TCP FIN

Will compare OK and NOK cases
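The ssldump trace above shows the whole story in two records: a ClientHello that offers only export-grade suites, and a fatal handshake_failure alert back, which is what OpenSSL reports as "no shared cipher". The following is an added example (not code from sslcaudit or from this thread) that parses a raw TLS ClientHello, lists the export-grade suites it offers, and models the server's shared-cipher decision against a configured suite set. The sample record is constructed from the suite list in the ssldump output; the server suite sets (HIGH_ONLY_SERVER, EXPORT_SERVER) are constructed assumptions, and suite ids come from the TLS 1.0 registry (RFC 2246, Appendix A.5).

```python
import struct

# Export-grade cipher suites (RFC 2246, Appendix A.5), keyed by two-byte suite id.
# Names match what ssldump prints.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
# Signalling values are not real ciphers and must never count as "shared".
# ssldump shows this one as "Unknown value 0xff".
SCSV = {0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"}

# Suite list exactly as offered in the ssldump trace above (constructed from it).
SSLDUMP_SUITES = [0x0019, 0x0017, 0x0014, 0x0011, 0x0008, 0x0006, 0x0003, 0x00FF]
# Constructed server configurations: one with only non-export suites
# (AES128-SHA, DES-CBC3-SHA), one with two export suites enabled.
HIGH_ONLY_SERVER = {0x002F, 0x000A}
EXPORT_SERVER = {0x0003, 0x0008}


def build_client_hello(suites, compression=(1, 0), version=(3, 1)):
    """Build a minimal TLS ClientHello record (constructed test input, no extensions)."""
    random = bytes(range(32))  # placeholder bytes, not a real client random
    body = bytes(version) + random + b"\x00"  # client_version, random, empty session id
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs
    body += bytes([len(compression)]) + bytes(compression)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = client_hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, [suite ids], [compression methods]) from a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    pos = 2 + 32                                   # skip the 32-byte random
    sid_len = body[pos]
    pos += 1 + sid_len                             # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    compression = list(body[pos + 1:pos + 1 + comp_len])
    return version, suites, compression


def audit(record, server_suites):
    """Model the server's look at a ClientHello: which export suites were offered,
    whether the client offered nothing else, and whether a shared cipher exists."""
    version, suites, _ = parse_client_hello(record)
    real = [s for s in suites if s not in SCSV]
    exported = [EXPORT_SUITES[s] for s in real if s in EXPORT_SUITES]
    shared = [s for s in real if s in server_suites]   # kept in client preference order
    return {
        "version": version,
        "export_offered": exported,
        "export_only": bool(real) and len(exported) == len(real),
        "shared": shared,
        # Empty intersection is what OpenSSL logs as "no shared cipher" and answers
        # with the fatal handshake_failure alert seen in the ssldump trace.
        "outcome": "ok" if shared else "handshake_failure (no shared cipher)",
    }


SAMPLE_RECORD = build_client_hello(SSLDUMP_SUITES)

if __name__ == "__main__":
    for name, server in (("HIGH-only server", HIGH_ONLY_SERVER), ("export server", EXPORT_SERVER)):
        print(name, audit(SAMPLE_RECORD, server))
```

Running it against HIGH_ONLY_SERVER reproduces the NOK case (all seven offered suites are export-grade, the intersection is empty, outcome is handshake_failure); against EXPORT_SERVER it reports the two suites the server could pick. A detector that only looks at the negotiated cipher misses the first case entirely, since no cipher is ever negotiated; looking at the offered list, as here, is what lets an auditing server flag the client anyway.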

Miroslav Stampar
Collaborator

NOK handshake:
http://pastebin.com/YuC7d8zg

OK handshake:
http://pastebin.com/U6YGQmv9

This is one of those "satanic" problems. You can clearly see that at handshake they have the same fields except random[32] which are supposed to be different :)

Miroslav Stampar
Collaborator

Sent a question to the OpenSSL ML openssl-users (http://www.mail-archive.com/openssl-users@openssl.org/) without subscribing to it, so I hope that it should appear there in a day or two. If it doesn't appear in the archive I'll subscribe and resend it. Will keep you posted.
p.s. I would put you into the CC but I don't know your email address ;)

grwl
Owner
grwl commented

I've tried to trace library calls for both cases.

abb@e6510:~/dvp/sslcaudit/test/openssl-examples-20020110$ ltrace ./wserver2 -a EXPORT
__libc_start_main(0x401a31, 3, 0x7fff389b0248, 0x402080, 0x402110 <unfinished ...>
getopt(3, 0x7fff389b0248, "cCxna:")                                                    = 97
strdup("EXPORT")                                                                       = 0x01460010
getopt(3, 0x7fff389b0248, "cCxna:")                                                    = -1
SSL_library_init(0x402222, 0x402219, 0x7f2269092258, 0, 0)                             = 1
SSL_load_error_strings(0x7f226944aa40, 0x7f22694a6c50, 0, 16, 0)                       = 0
BIO_new_fp(0x7f2269093180, 0, 0x7f22691fb13d, 408, 3)                                  = 0x1479990
signal(13, 0x00401f63)                                                                 = NULL
SSLv23_method(13, 0x7fff389afe58, 0, -1, 0x7fff389b0040)                               = 0x7f22696b4ea0
SSL_CTX_new(0x7f22696b4ea0, 0x7fff389afe58, 0, -1, 0x7fff389b0040)                     = 0x1479b80
SSL_CTX_use_certificate_chain_file(0x1479b80, 0x402222, 0x402222, 0x7f2269092778, 2)   = 1
SSL_CTX_set_default_passwd_cb(0x1479b80, 0x401ec8, 0, 0x7f2269092758, 0x7f22698b7700)  = 0x1479b80
SSL_CTX_use_PrivateKey_file(0x1479b80, 0x402222, 1, 0x402222, 0x7f22698b7700 <unfinished ...>
strcpy(0x7fff389af670, "password")                                                     = 0x7fff389af670
<... SSL_CTX_use_PrivateKey_file resumed> )                                            = 1
SSL_CTX_load_verify_locations(0x1479b80, 0x4022fa, 0, 0x7f2269092758, 0x7f22698b7700)  = 1
BIO_new_file(0x40222d, 0x40227e, 0x147cf30, 0x7f2269092730, 117)                       = 0x147ad30
PEM_read_bio_DHparams(0x147ad30, 0, 0, 0, 0)                                           = 0x147d480
BIO_free(0x147ad30, 1, 0x7f2269092778, 0, 2)                                           = 1
SSL_CTX_ctrl(0x1479b80, 3, 0, 0x147d480, 0x7f22698b7700)                               = 1
SSL_CTX_set_session_id_context(0x1479b80, 0x6031d4, 4, 0x7f2269092740, 0xcac6d624268385b8) = 1
SSL_CTX_set_cipher_list(0x1479b80, 0x1460010, 0x1460010, 0x7f2269092740, 0xcac6d624268385b8) = 1
socket(2, 1, 0)                                                                        = 3
htons(4433, 1, 0, -1, 0x7f22696b7348)                                                  = 20753
setsockopt(3, 1, 2, 0x7fff389b00e8, 4)                                                 = 0
bind(3, 0x7fff389b00f0, 16, 0x7fff389b00f0, 4)                                         = 0
listen(3, 5, 16, -1, 4)                                                                = 0
accept(3, 0, 0, -1, 4^C <unfinished ...>
abb@e6510:~/dvp/sslcaudit/test/openssl-examples-20020110$ ltrace ./wserver2 -a EXPORT
__libc_start_main(0x401a31, 3, 0x7fff389b0248, 0x402080, 0x402110 <unfinished ...>
getopt(3, 0x7fff389b0248, "cCxna:")                                                    = 97
strdup("EXPORT")                                                                       = 0x01460010
getopt(3, 0x7fff389b0248, "cCxna:")                                                    = -1
SSL_library_init(0x402222, 0x402219, 0x7f2269092258, 0, 0)                             = 1
SSL_load_error_strings(0x7f226944aa40, 0x7f22694a6c50, 0, 16, 0)                       = 0
BIO_new_fp(0x7f2269093180, 0, 0x7f22691fb13d, 408, 3)                                  = 0x1479990
signal(13, 0x00401f63)                                                                 = NULL
SSLv23_method(13, 0x7fff389afe58, 0, -1, 0x7fff389b0040)                               = 0x7f22696b4ea0
SSL_CTX_new(0x7f22696b4ea0, 0x7fff389afe58, 0, -1, 0x7fff389b0040)                     = 0x1479b80
SSL_CTX_use_certificate_chain_file(0x1479b80, 0x402222, 0x402222, 0x7f2269092778, 2)   = 1
SSL_CTX_set_default_passwd_cb(0x1479b80, 0x401ec8, 0, 0x7f2269092758, 0x7f22698b7700)  = 0x1479b80
SSL_CTX_use_PrivateKey_file(0x1479b80, 0x402222, 1, 0x402222, 0x7f22698b7700 <unfinished ...>
strcpy(0x7fff389af670, "password")                                                     = 0x7fff389af670
<... SSL_CTX_use_PrivateKey_file resumed> )                                            = 1
SSL_CTX_load_verify_locations(0x1479b80, 0x4022fa, 0, 0x7f2269092758, 0x7f22698b7700)  = 1
BIO_new_file(0x40222d, 0x40227e, 0x147cf30, 0x7f2269092730, 117)                       = 0x147ad30
PEM_read_bio_DHparams(0x147ad30, 0, 0, 0, 0)                                           = 0x147d480
BIO_free(0x147ad30, 1, 0x7f2269092778, 0, 2)                                           = 1
SSL_CTX_ctrl(0x1479b80, 3, 0, 0x147d480, 0x7f22698b7700)                               = 1
SSL_CTX_set_session_id_context(0x1479b80, 0x6031d4, 4, 0x7f2269092740, 0xcac6d624268385b8) = 1
SSL_CTX_set_cipher_list(0x1479b80, 0x1460010, 0x1460010, 0x7f2269092740, 0xcac6d624268385b8) = 1
socket(2, 1, 0)                                                                        = 3
htons(4433, 1, 0, -1, 0x7f22696b7348)                                                  = 20753
setsockopt(3, 1, 2, 0x7fff389b00e8, 4)                                                 = 0
bind(3, 0x7fff389b00f0, 16, 0x7fff389b00f0, 4)                                         = 0
listen(3, 5, 16, -1, 4)                                                                = 0
accept(3, 0, 0, -1, 4^C <unfinished ...>

Both invoke SSL_CTX_set_cipher_list() with proper parameter (I've checked that with gdb, not shown here). There must be some other subtle difference.

grwl
Owner
grwl commented

Looks like we have a good candidate for a proper answer on stackoverflow.

grwl
Owner
grwl commented

The guy who has answered is an author of sslsplit, in some sense a competing tool for sslcaudit.
Before you accept his answer, we need to write enough test scripts. Let's get the most of this bounty :)

stamparm referenced this issue from a commit: Fixing issue #42 (2d5a61e)
Miroslav Stampar
Collaborator

Now test/ssl-server-export.py works for DSA case too (EXP-EDH-DSS-DES-CBC-SHA). Only thing is that now we have to discuss how to deal with the need for both RSA and DSA certificates in production (non-test) mode.

grwl
Owner
grwl commented

closed

grwl closed this