[OS X] SSL Handshake with secured TLSv1.2 only servers with restricted ciphers #2315

Closed
childnode opened this issue Oct 15, 2014 · 26 comments

@childnode

After securing my server instance (yes, I did it the non-user-friendly way: whoever doesn't have a new browser or OS is locked out)

before:
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:!MEDIUM:!ADH:!MD5

after:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

Apache 2.2.22
all fine, for everyone: https://www.ssllabs.com/ssltest/analyze.html?d=owncloud.childno.de
but not for owncloud 1.6.3

so, can you PLEASE update the SSL library or whatever caused this ... thx, this is really upsetting that this "keep your data safe service" doesn't support newest / en vogue encryption!

@danimo
Contributor

danimo commented Oct 15, 2014

In short: Not right away. We could ship our private OpenSSL, but the Qt framework is currently making this difficult. Qt version 5.4, scheduled for next month, will provide a remedy, and as it becomes available, we will tackle this (and other related) issues.

@childnode
Author

It seems the Android client also has problems with it (on an Android 4.3). That's reasonable as long as Android's internal SSL doesn't seem to support newer TLS versions (from ssllabs), but there too:
can't you update / use a separate, non-outdated SSL lib build, this will increase security particularly for older devices?!

@LukasReschke
Member

> can't you update / use a separate, non-outdated SSL lib build, this will increase security particularly for older devices!!

No. The potential security gain would be marginal - if any - and the risk of breaking things too big. - Though, please file Android bugs at owncloud/android.

@TheFiZi

TheFiZi commented Oct 18, 2014

Same issue here with Mac OS 10.9.5

This works:

SSLEngine on
SSLHonorCipherOrder on
SSLProtocol all -SSLv2
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!EXPORT56:!ADH

This fails:

SSLEngine on
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!EXPORT56:!ADH

The Windows and iOS clients didn't have any problems with the more restrictive configuration. Just Mac OS.

@danimo
Contributor

danimo commented Oct 19, 2014

Yes, known issue. The package on Mac OS ships with a Qt version which cannot easily be linked against another OpenSSL than the system one, which is still at 0.9.8. Qt 5.4 will fix that, but is still a month away. We are working with the Qt team to ensure that using a later OpenSSL will be possible.

@childnode
Author

Has anybody tested Yosemite? Which SSL version is shipped with 10.10? Does this "fix" it?

@danimo
Contributor

danimo commented Oct 19, 2014

@childnode: Nope, OpenSSL is deprecated on OS X. We need to ship our own.

@onnozweers
Contributor

I think this is a very serious issue. Clients need to be built with the latest OpenSSL available. I'm afraid that if you don't provide your own OpenSSL but instead rely on Qt's outdated OpenSSL, there will come a day when you have a major security incident.

@ghost

ghost commented Oct 24, 2014

@onnozweers

> The package on Mac OS ships with a Qt version which cannot easily be linked against another OpenSSL than the system one, which is still at 0.9.8. Qt 5.4 will fix that, but is still a month away.

@LukasReschke
Member

We're actively monitoring the most important security mailing lists and also perform pro-active security checks of our software. Security is one of our most important requirements.

While "0.9.8" might seem outdated, it absolutely is not. The version is still supported by the OpenSSL project and used by a lot of software. - Also some security bugs such as Heartbleed did not even affect that branch, effectively the users were even more protected than if we did use a newer version.

To sum up:

  1. 0.9.8 is not unsupported
  2. We're actively monitoring the potential security threats
  3. We will move to a newer version as soon as it is sensible (i.e. Qt 5.4)

@onnozweers
Contributor

Does OpenSSL 0.9.8 support TLS v1.2 and TLS v1.1? Browsing through the release notes at https://www.openssl.org/news/openssl-notes.html I get the impression you need OpenSSL 1.0.1 to have TLS v1.1 or 1.2 support. Please correct me if I'm wrong. To me, that alone is enough justification to start using 1.0.1. Then I'm not even talking of new features like TLS_FALLBACK_SCSV.

IMHO, the fact that 0.9.8 did not suffer from Heartbleed was pure coincidence and should not be used as an argument to stick to older software for security.
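
Added example (not part of the original thread or the ownCloud code base): a simplified Python model of how mod_ssl evaluates an `SSLProtocol` line left to right, intersected with the protocol versions a client's TLS library can speak. The meaning of `all` and the two capability sets are assumptions stated in the code; it compares protocol versions only, not cipher suites.

```python
# Added example: simplified model of Apache mod_ssl's SSLProtocol evaluation.
# Assumption: "all" covers these five versions (server built against OpenSSL 1.0.1).
ALL = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

# Protocol versions each client library branch can speak.
# TLSv1.1 and TLSv1.2 arrived with the OpenSSL 1.0.1 branch.
CLIENT_LIBS = {
    "OpenSSL 0.9.8": {"SSLv2", "SSLv3", "TLSv1"},
    "OpenSSL 1.0.1": set(ALL),
}


def enabled_protocols(directive):
    """Return the set of protocols an SSLProtocol line leaves enabled."""
    tokens = directive.split()
    if tokens and tokens[0].lower() == "sslprotocol":
        tokens = tokens[1:]
    enabled = set()
    for tok in tokens:
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok[len(sign):].lower()
        if name == "all":
            group = set(ALL)
        else:
            group = {p for p in ALL if p.lower() == name}
            if not group:
                raise ValueError("unknown protocol token: %r" % tok)
        if sign == "-":
            enabled -= group      # "-proto" removes
        elif sign == "+":
            enabled |= group      # "+proto" adds
        else:
            enabled = group       # a bare token replaces what came before
    return enabled


def negotiable(directive, client_lib):
    """Protocol versions both the server config and the client library allow."""
    common = enabled_protocols(directive) & CLIENT_LIBS[client_lib]
    return sorted(common, key=ALL.index)


if __name__ == "__main__":
    before = "SSLProtocol all -SSLv2"
    after = "SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
    for lib in CLIENT_LIBS:
        print(lib, "| before:", negotiable(before, lib),
              "| after:", negotiable(after, lib))
```

An empty result means the handshake cannot complete whatever cipher suites are configured, which is the situation the issue opener's "after" line creates for a client linked against 0.9.8.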

@LukasReschke
Member

> Does OpenSSL 0.9.8 support TLS v1.2 and TLS v1.1

How would that in any way make your system more secure? - There are no practical attacks and things such as TLS_FALLBACK_SCSV are not even standardised in any way.

You are all here overestimating what a new OpenSSL version would offer you for advantages. Actually, the impact is very very very very low.

As I said: We will update soon, but we won't do it before Qt 5.4 is out and there is no way to change that.

@onnozweers
Contributor

> How would that in any way make your system more secure?

OpenSSL 1.0.1c+ supports Forward Secrecy, for example.

@LukasReschke
Member

> Forward Secrecy, for example.

Sure, but overall this has a low impact when considering other possible attack vectors. I recommend taking a look at https://www.cs.auckland.ac.nz/~pgut001/pubs/crypto_wont_help.pdf

Anyways, this will be fixed in the future.

@cdamken
Contributor

cdamken commented Oct 27, 2014

@LukasReschke

> Anyways, this will be fixed in the future.

When will that be?

@LukasReschke
Member

As it has already been mentioned three times within this issue:

> Yes, known issue. The package on Mac OS ships with a Qt version which cannot easily be linked against another OpenSSL than the system one, which is still at 0.9.8. Qt 5.4 will fix that, but is still a month away. We are working with the Qt team to ensure that using a later OpenSSL will be possible.

@LukasReschke
Member

Aka "as soon as we switch to Qt 5.4" which is "as soon as it is released plus the time needed for the change"

@richmoore

@onnozweers forward secrecy is supported by 0.9.8 too; it just requires more CPU-intensive ciphers than the elliptic curve ciphers supported by 1.0.0.

@childnode
Author

@onnozweers and @richmoore that's why I fell into this trap and started the discussion: old OpenSSL implementations only support TLS 1.0, and I intended to shut down any "old" protocol.

And yes, thanks to this discussion I got more information and need to read more details about this topic.

to sum up: ForwardSecrecy (FS) is supported, even "Perfect FS" (PFS) is not a matter, because you would only need the ECDHE and DHE ciphers to be supported "exclusively"?! (you might refer to Wikipedia http://q.childno.de/smsyw).
TLS 1.1 seems not to be really insecure at this point (referring to e.g. http://security.stackexchange.com/questions/57878) while I (personally) and I'm not sure if TLS 1.0 is good to be shut down, because there are exploits like BEAST (http://security.stackexchange.com/questions/18505) while I don't understand if this

=> secure ciphers equals (mostly) secure TLS, never mind TLS 1, 1.1, 1.2.

Nevertheless I'm wondering why a 10-year-old "security protocol" that has two descendants is still the most widely used one?!
but BTT:
Sorry, it seems I overestimate these "security issues" TLS >= 1.0 < 1.2 and you might call me paranoid, but still I think any security software (and ownCloud is some sort of data security and privacy for me) should support the latest, best available effort in encryption while it should prevent users from using, or urgently warn users about using, old, "insecure modes"; the system administrator is responsible for setting the best mode for his clients. If he is paranoid (like me ;) ), he should be able to shut down old protocols.

We really must stop complaining about "we can't use XY" because "YZ" depends on ... that's why security is still so crappy and unhandy these days and the protection level is raised very slowly, because there is no "political pressure"... And that's why I can't follow any arguments like TLS_FALLBACK_SCSV is not officially standardized, while the most modern and well used browsers support it?!

@ALL further commenters: We really don't need any more flame war on "hey guys, hurry up", and "yes do this". The arguments are clear why it hasn't been done yet.
If you are complaining about this, take a seat, take a coffee and fix it yourself?! I'm unfortunately not familiar with Qt like you ;/ gn8

@onnozweers
Contributor

Which version of OpenSSL will be used with Qt 5.4?

@richmoore

@childnode "TLS_FALLBACK_SCSV is not officially standardized, while the most modern and well used browsers supports it?!"

Actually they don't support it yet. And the only reason it exists and is going to be added to them is that they perform fallbacks to the older SSL/TLS versions to work around buggy servers. Qt does not perform these fallbacks, so it is not relevant to us.

@guruz guruz changed the title owncloud on mac doesn't SSL Handshake with secured TLSv1.2 only servers with restricted ciphers [OS X] SSL Handshake with secured TLSv1.2 only servers with restricted ciphers Nov 17, 2014
@butonic
Member

butonic commented Nov 19, 2014

cc @owncloud/support-triagers

@guruz
Contributor

guruz commented Dec 2, 2014

Hey everyone, please have a look at #2510 (comment) and re-test.

@guruz guruz added this to the 1.7.1 milestone Dec 2, 2014
@luciamaestro

@childnode Can you verify if it is working in the latest build http://download.owncloud.com/desktop/daily/ ?

@childnode
Author

@lmaestro yes, I can confirm that it works with ownCloud-1.7.0.1574-nightly20141204.pkg.
Great to hear / see that it's on the road!
Thank you!

@luciamaestro

I checked that it works fine in version 1.7.1 beta1.
