Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

How to increase the priority of some cipher for TLSv1.3? #7562

Closed
yuri-zubov opened this issue Nov 4, 2018 · 22 comments

Comments

@yuri-zubov
Copy link

commented Nov 4, 2018

I try to change the priority of cipher:

openssl ciphers -s -v TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+CHACHA20:EECDH+AESGCM | column -t

but I always receive

TLS_AES_256_GCM_SHA384         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(256)             Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256   TLSv1.3  Kx=any   Au=any    Enc=CHACHA20/POLY1305(256)  Mac=AEAD
TLS_AES_128_GCM_SHA256         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(128)             Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=CHACHA20/POLY1305(256)  Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)             Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)             Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)             Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)             Mac=AEAD

How I can set TLS_CHACHA20_POLY1305_SHA256 on the first position?
Thank you in advance

@mattcaswell

This comment has been minimized.

Copy link
Member

commented Nov 5, 2018

The first thing to understand is that TLSv1.3 ciphersuite configuration is different to configuring ciphersuites for TLSv1.2 and below. See the "-ciphersuites" option on this man page:

https://www.openssl.org/docs/man1.1.1/man1/ciphers.html

The two lists of ciphersuites (TLSv1.3 ciphersuites and TLSv1.2 and below ciphersuites) are joined together internally by OpenSSL. The TLSv1.3 ciphersuites always go first. In practice this makes no difference at all because the two lists of ciphersuites are mutually exclusive. If TLSv1.3 gets negotiated a TLSv1.3 ciphersuite will always be selected. If TLSv1.2 or below get negotiated then a TLSv1.2 or below ciphersuite will always be selected.

@mattcaswell mattcaswell closed this Nov 5, 2018

@biergaizi

This comment has been minimized.

Copy link

commented Nov 26, 2018

To everyone who is reading this issue: OpenSSL 1.1 uses an independent, new interface to set ciphersuits for TLSv1.3, the old ciphersuits interface is only effective up to TLSv1.2, so changing it has no effect for TLSv1.3. And as currently almost no application has adopted the new interface, there is no way to change ciphersuits for TLSv1.3.

But there is a workaround: you can change the global openssl.cnf to modify the default TLSv1.3 ciphersuits for OpenSSL itself, so every program in the system will use the ciphersuits you specified.

For example, appending these lines...

openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256

After changing it, you'll see the new global default,

$ openssl ciphers -v ''
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD

The path to global openssl.cnf is usually OPENSSLDIR, which can be obtained by...

$ openssl version -a | grep OPENSSLDIR
OPENSSLDIR: "/etc/ssl"
@bdjeung

This comment has been minimized.

Copy link

commented Dec 18, 2018

Hi! I'm using Fedora 29 (comes with OpenSSL 1.1.1), and I just modified /usr/share/crypto-policies/DEFAULT/opensslcnf.txt, it works perfectly for me now.

@biergaizi

This comment has been minimized.

Copy link

commented Dec 19, 2018

I'm glad I was able to help 😃

@stesoell

This comment has been minimized.

Copy link

commented Feb 8, 2019

Hey, I'am using OpenSSL 1.1.1a (20 NOV 18). I modified /etc/ssl/openssl.cnf (Arch Linux), but nothing happened ...

Is it furthermore possible to change the priority or has it been disabled?

Thank you.

@mattcaswell

This comment has been minimized.

Copy link
Member

commented Feb 8, 2019

It is still possible to do this. What does openssl version -a | grep OPENSSLDIR report?

@mkirisame

This comment has been minimized.

Copy link

commented Feb 8, 2019

It is still possible to do this. What does openssl version -a | grep OPENSSLDIR report?

openssl: relocation error: openssl: symbol IDEA_options version OPENSSL_1_1_0 not defined in file libcrypto.so.1.1 with link time reference

Edit:
whilst OpenSSL> version OpenSSL 1.1.1a 20 Nov 2018

@mattcaswell

This comment has been minimized.

Copy link
Member

commented Feb 8, 2019

That error seems to indicate that the version of the OpenSSL command line app you are using is linked against a different version of libcrypto than the one that it is finding at run time. Do you have two versions of OpenSSL installed? Perhaps a system provided one, and one you have compiled yourself?

@mkirisame

This comment has been minimized.

Copy link

commented Feb 8, 2019

Happened after a dist-upgrade from Debian stretch to buster. However my server seems to still work with both TLS1.3 and 1.2, the reason why and how I found this thread was that I wanted to disable a particular AES128 cipher, as I only want the stronger AES256 versions to be used. My intentions are to achieve this via openssl.cnf however there are 3-4 files named like this on my system:

$ locate openssl.cnf
/etc/ssl/openssl.cnf
/usr/lib/ssl/openssl.cnf
/usr/local/ssl/openssl.cnf
/usr/local/ssl/openssl.cnf.dist

Edit 2:
The problem is explained here as the current implementation for set_ciphers() is not allowing it
https://docs.python.org/3.8/library/ssl.html#tls-1-3

@mattcaswell

This comment has been minimized.

Copy link
Member

commented Feb 8, 2019

It should still be possible to configure the ciphersuites in the OpenSSL config file even if python does't support it (in theory), since the OpenSSL config file bypasses python altogether. You would need to figure out which config file is being used by your server though.

@stesoell

This comment has been minimized.

Copy link

commented Feb 8, 2019

It is still possible to do this. What does openssl version -a | grep OPENSSLDIR report?

Got it.

openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
........

must be at the beginning of openssl.cnf not at the end .... omg ;-)

@mkirisame

This comment has been minimized.

Copy link

commented Feb 8, 2019

Sorry but all the lines except Ciphersuites = ... were existing already, adding the latter did not have the desired effect though. I still am forced to use AES128:

1111
2222

I edited /etc/ssl/openssl.cnf and the changes did propagate however to other conf files, so my system loaded the file. Why is OPENSSL_1_1_1a ignoring my settings? In the manpages I also cannot find the Ciphersuites line being mentioned at all in the [system_default_sect] options.

@mattcaswell

This comment has been minimized.

Copy link
Member

commented Feb 8, 2019

Your ciphersuites string is invalid. Drop the ":!AES128" text from the end. That isn't valid syntax for this setting.

@mkirisame

This comment has been minimized.

Copy link

commented Feb 8, 2019

Hello Matt, thanks for your help. I tried both with and without and the outcome is always that SSL Labs detects AES128 still being on. I have not found a single way since weeks to prevent that single AES128 cipher being auto-included when using TLS1.3
It is my only beef with 1.1.1a that keeps me from rolling out on more devices. Right now only with TLS1.2 I can run a pure AES256 and Chacha20 environment.
Please any ideas? I will test :(

Edit: Even rebooted the entire Debian box each time to make sure the conf is loaded, no change.
Edit 2: Putting the entire settings at beginning or end of conf file has no effect either. I doubt the setting exists, it is not documented for [system_default_sect]

@mattcaswell

This comment has been minimized.

Copy link
Member

commented Feb 8, 2019

Ah. I just noticed that you have other invalid ciphersuites in that setting. The Ciphersuites setting only accepts TLSv1.3 ciphersuites separated by ":". The two "ECDHE-ECDSA-*" ones are TLSv1.2 ciphersuites and should be removed. i.e. the whole thing should be:

openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=2
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

Edit: Added your original CipherString setting to the above config file as well.

@mkirisame

This comment has been minimized.

Copy link

commented Feb 8, 2019

Thank you so much Matt! All I can say now is: "Brain 'splode."
To sum up why this was really confusing:

  1. /etc/ssl/openssl.cnf only allows me control over TLS1.3 ciphers
  2. my python3.7 TLS socket server only gives me control over TLS1.2
  3. had to fine-tune each cipher sets in different locations/methods for desired effect
  4. cannot define everything in a single file/conf without error

I love the OpenSSL team and your software, but this was a wild goose chase without your help!

Success:
3333

@mattcaswell

This comment has been minimized.

Copy link
Member

commented Feb 8, 2019

/etc/ssl/openssl.cnf only allows me control over TLS1.3 ciphers
my python3.7 TLS socket server only gives me control over TLS1.2

You can set TLSv1.2 ciphersuites in the OpenSSL config file, but I guess python might overwrite that with its own config settings. I suppose your python doesn't know about TLSv1.3 yet leading to this problem!

Anyway glad you got it sorted!

@mattcaswell

This comment has been minimized.

Copy link
Member

commented Feb 8, 2019

Note: TLSv1.2 ciphersuites are configured in the "CipherString" setting, TLSv1.3 ciphersuites in the "Ciphersuites" setting. Don't mix and match between the two!!

@mattcaswell

This comment has been minimized.

Copy link
Member

commented Feb 8, 2019

Yes this is valid. The thing is TLSv1.3 ciphersuites and TLSv1.2 ciphersuites are mutually exclusive. We did consider having them all configured as part of the "CipherString" setting anyway - but this actually causes other problems. Most importantly many existing CipherString values that would work perfectly well in OpenSSL 1.1.0 and before would inadvertently disable all TLSv1.3 ciphersuites in OpenSSL 1.1.1.

@mattcaswell

This comment has been minimized.

Copy link
Member

commented Feb 8, 2019

I just read the "Interview with an Ex-Microsoftie" thing. Funny! Nothing like our names of course.... ;-)

@mkirisame

This comment has been minimized.

Copy link

commented Feb 8, 2019

Pardon, I think one of my messages got dropped during a stealth edit of mine :)

I slowly begin to understand these config quirks and respect the teams choice of this approach. I guess this was the best possible way to break the least.

Anyway thanks again Matt! I see myself out, hope people didn't mind me flooding their inboxes with notifications of this issue being updated. Ciao ;)

@richsalz

This comment has been minimized.

Copy link
Contributor

commented Feb 8, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
7 participants
You can’t perform that action at this time.