Remove 3DES from cipher list (sweet32 CVE-2016-2183)

[tiran]

BPO	27850
Nosy	@birkenfeld, @vstinner, @larryhastings, @giampaolo, @tiran, @alex, @hynek, @JimJJewett, @zooba, @dstufft, @Lukasa
PRs	[3.4] Issues #27850 and #27766: Remove 3DES from ssl default cipher list an… #224
Files	Remove-3DES-from-and-add-ChaCha20-Poly1305-to-cipher.patch

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2017-03-10.01:00:16.787>
created_at = <Date 2016-08-24.13:43:48.259>
labels = ['type-security', 'expert-SSL', 'library', 'release-blocker']
title = 'Remove 3DES from cipher list (sweet32 CVE-2016-2183)'
updated_at = <Date 2017-03-10.01:00:16.785>
user = 'https://github.com/tiran'

bugs.python.org fields:

activity = <Date 2017-03-10.01:00:16.785>
actor = 'larry'
assignee = 'none'
closed = True
closed_date = <Date 2017-03-10.01:00:16.787>
closer = 'larry'
components = ['Library (Lib)', 'SSL']
creation = <Date 2016-08-24.13:43:48.259>
creator = 'christian.heimes'
dependencies = []
files = ['44233']
hgrepos = []
issue_num = 27850
keywords = ['patch']
message_count = 43.0
messages = ['273559', '273560', '273561', '273562', '273563', '273564', '273567', '273569', '273570', '273571', '273632', '273665', '273666', '273670', '273705', '273728', '274071', '274072', '274073', '274582', '274584', '274587', '274590', '274594', '274595', '274706', '274718', '274721', '274726', '274772', '274892', '274902', '274932', '274934', '274936', '274982', '274988', '275059', '275073', '277235', '288293', '288323', '289330']
nosy_count = 13.0
nosy_names = ['georg.brandl', 'janssen', 'vstinner', 'larry', 'giampaolo.rodola', 'christian.heimes', 'alex', 'python-dev', 'hynek', 'Jim.Jewett', 'steve.dower', 'dstufft', 'Lukasa']
pr_nums = ['224']
priority = 'release blocker'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue27850'
versions = ['Python 3.4']

[tiran]

Another attack with a catchy name and logo. This time 3DES is showing its age. 3DES should be removed from the list of server ciphers in ssl._RESTRICTED_SERVER_CIPHERS. For client ciphers we can leave it in for now. An attack requires dynamic code execution of code from a malicious 3rd party and several hundred GB of traffic. It's relevant for browsers with JS but not for majority of Python applications. OpenSSL 1.1.0 will remove 3DES support by default anyway.

https://www.openssl.org/blog/blog/2016/08/24/sweet32/
https://sweet32.info/

As seen previously, the full attack should require 236.6 blocks (785 GB) to recover a two-block cookie, which should take 38 hours in our setting. Experimentally, we have recovered a two-block cookie from an HTTPS trace of only 610 GB, captured in 30.5 hours.

[hynek]

JFTR the main compatibility impact on the browser side is the loss of IE8 on WinXP whose last stable release is qua Wikipedia from “February 22, 2011; 5 years ago”.

[alex]

+! from me, removing 3DES is a totally sane default, people who need IE8+XP compat can change the default.

[dstufft]

+1 from me, as another data point, the PSF infrastructure (which serves things like hg.python.org that aren't behind Fastly) has had 3DES disabled since 2014 without any complaints that I've seen.

[Lukasa]

+1 from me, Requests, urllib3, and Twisted are all removing 3DES cipher suites from our default list.

[tiran]

I'm +1 for removal from server-side suite and +0.5 for removal from client-side suite.

Unless somebody makes a compelling reason for keeping 3DES at all, let's get rid of it for good. Users are free to override the settings. It might make sense to include ChaCha20 at the same time so we don't have to touch the same lines twice.

[dstufft]

Should we also remove HIGH from the cipher list? If I recall, at the time we added it under the assumption that we might get new, better ciphers automatically but 3DES is considered "HIGH", so we'll get it pulled in via that on older OpenSSLs.

[Lukasa]

As another data point, I just pushed a PR to remove HIGH from urllib3/requests for exactly this reason, and Twisted already doesn't use it.

[tiran]

Donald: 3DES will be removed from HIGH with the next release:

https://www.openssl.org/blog/blog/2016/08/24/sweet32/

For 1.0.2 and 1.0.1, we removed the triple-DES ciphers from the “HIGH” keyword and put them into “MEDIUM.” Note that we did not remove them from the “DEFAULT” keyword.

[dstufft]

Christian: But that doesn't help all of the existing releases of OpenSSL.

[tiran]

Donald, !3DES de-selects all 3DES block ciphers suites.

[jimjjewett]

What does overriding to put it back require?

Does it require a re-compile, or can it be done via a config file?

Taking it out of the default set sounds reasonable, but requiring a recompile for people who want to retain backwards compatibility strikes me as too much, particularly for a maintenance release.

[dstufft]

It's not a recompile but it's not a configuration file either, it's a Python level API you can call when you're creating a connection to specify what ciphers you want to allow for that connection.