Use updated list of SSL ciphers #67

vbanos · 2018-02-17T18:49:26Z

We use the default list of SSL ciphers of python ssl module when we connect
to remote hosts. That list is probably outdated.
https://github.com/python/cpython/blob/3.6/Lib/ssl.py#L192

We noticed problems when connection to various targets. E.g.

2018-01-31 21:29:23,870 3067 WARNING
MitmProxyHandler(tid=8052,started=2018-01-31T21:29:22.501118,client=127.0.0.1:56340)
warcprox.warcprox.WarcProxyHandler.log_error(mitmproxy.py:447) code 500,
message EOF occurred in violation of protocol (_ssl.c:645)

2018-01-31 21:29:23,987 3067 ERROR
MitmProxyHandler(tid=7327,started=2018-01-31T21:29:22.741262,client=127.0.0.1:56448)
warcprox.warcprox.WarcProxyHandler.do_CONNECT(mitmproxy.py:311) problem
handling 'CONNECT beacon.krxd.net:443 HTTP/1.1': SSLEOFError(8, 'EOF
occurred in violation of protocol (_ssl.c:645)')

2018-01-31 21:29:23,870 3067 ERROR
MitmProxyHandler(tid=8052,started=2018-01-31T21:29:22.501118,client=127.0.0.1:56340)
warcprox.warcprox.WarcProxyH
andler.do_CONNECT(mitmproxy.py:311) problem handling 'CONNECT
px.surveywall-api.survata.com:443 HTTP/1.1': SSLEOFError(8, 'EOF
occurred in violation
 of protocol (_ssl.c:645)')

Research indicated that the cipher selection is not proper.

I use urllib3 cipher selection for better compatibility.

https://github.com/shazow/urllib3/blob/master/urllib3/util/ssl_.py#L71

The urllib3 list is bigger and includes TLS13 which from my experience
is the latest state of the art.

ssl module ciphers:

'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:ECDH+RC4:DH+RC4:RSA+RC4:!aNULL:!eNULL:!MD5'

urllib3 module ciphers:

'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!MD5'

We use the default list of SSL ciphers of python `ssl` module when we connect to remote hosts. That list is probably outdated. https://github.com/python/cpython/blob/3.6/Lib/ssl.py#L192 We noticed problems when connection to various targets. E.g. ``` 2018-01-31 21:29:23,870 3067 WARNING MitmProxyHandler(tid=8052,started=2018-01-31T21:29:22.501118,client=127.0.0.1:56340) warcprox.warcprox.WarcProxyHandler.log_error(mitmproxy.py:447) code 500, message EOF occurred in violation of protocol (_ssl.c:645) 2018-01-31 21:29:23,987 3067 ERROR MitmProxyHandler(tid=7327,started=2018-01-31T21:29:22.741262,client=127.0.0.1:56448) warcprox.warcprox.WarcProxyHandler.do_CONNECT(mitmproxy.py:311) problem handling 'CONNECT beacon.krxd.net:443 HTTP/1.1': SSLEOFError(8, 'EOF occurred in violation of protocol (_ssl.c:645)') 2018-01-31 21:29:23,870 3067 ERROR MitmProxyHandler(tid=8052,started=2018-01-31T21:29:22.501118,client=127.0.0.1:56340) warcprox.warcprox.WarcProxyH andler.do_CONNECT(mitmproxy.py:311) problem handling 'CONNECT px.surveywall-api.survata.com:443 HTTP/1.1': SSLEOFError(8, 'EOF occurred in violation of protocol (_ssl.c:645)') ``` Research indicated that the cipher selection is not proper. I use `urllib3` cipher selection for better compatibility. https://github.com/shazow/urllib3/blob/master/urllib3/util/ssl_.py#L71 The `urllib3` list is bigger and includes TLS13 which from my experience is the latest state of the art. `ssl` module ciphers: ``` 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:ECDH+RC4:DH+RC4:RSA+RC4:!aNULL:!eNULL:!MD5' ``` `urllib3` module ciphers: ``` 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!MD5' ```

vbanos · 2018-02-17T18:54:28Z

I addition, you can use https://badssl.com/ to showcase the suggested case.
If you try to connect to the following hosts with current warcprox, you get SSL errors:

https://dh480.badssl.com/
https://dh512.badssl.com/
https://rc4-md5.badssl.com/

In contrast, they download fine with the updated cipher list.

I used the following httpie cmd for a quick test (just for reference):

http --verify=no --proxy=https:http://localhost:8000 https://dh480.badssl.com/

nlevitt · 2018-02-20T18:01:58Z

Thanks @vbanos!

Tests would be "nice to have". To save some effort maybe ok to use badssl.com. I'll merge in the mean time.

This reverts commit a6fa04b, reversing changes made to 6d6f2c9.

* trough-utf8: make sure to send utf-8 to trough bump dev version after revert Revert "Merge pull request #67 from vbanos/update-ssl-ciphers" bump dev version number after PR merge Generate wildcard certs to reduce the number of certs generated

Fixed typo

7d76059

nlevitt merged commit a6fa04b into internetarchive:master Feb 20, 2018

nlevitt added a commit that referenced this pull request Feb 28, 2018

Revert "Merge pull request #67 from vbanos/update-ssl-ciphers"

b3070fa

This reverts commit a6fa04b, reversing changes made to 6d6f2c9.

vbanos deleted the update-ssl-ciphers branch April 15, 2019 19:16

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use updated list of SSL ciphers #67

Use updated list of SSL ciphers #67

vbanos commented Feb 17, 2018

vbanos commented Feb 17, 2018

nlevitt commented Feb 20, 2018

Use updated list of SSL ciphers #67

Use updated list of SSL ciphers #67

Conversation

vbanos commented Feb 17, 2018

vbanos commented Feb 17, 2018

nlevitt commented Feb 20, 2018