4.11.3.rc1 Broke HTTPS ciphers allowed #1149
Comments
Yes, I had requested this - basically limit the cipher list to things considered secure. I think @ffurano did it with this PR: https://github.com/xrootd/xrootd/pull/1137/files
I have not had the time to test this.
Server needs to include a call to `SSL_CTX_set_ecdh_auto()` ?
Thanks for testing this (where did you get test_ciphers?). First, the undocumented directive to set the cipher list is:

I don't see anything in the code that would not set the cipher list via SSL_CTX_set_cipher_list() so it's not apparent what is wrong here. However, the previous version specified

The same as for xroots protocol. Now, I do know that TLS 1.3 is no longer backward compatible with previous versions of TLS should you specify certain ciphers. Not that we are using TLS 1.3 but may be, see

The other issue is if you are using OpenSSL 1.1.1 and give it an unsupported cipher it does absolutely nothing and appears to drop all ciphers with no error indication. The developers claim this is the best compromise they could reach to support TLS 1.3, see issue

It would appear that until all of this gets straightened out, specifying explicit ciphers is not recommended. Anyway, use the cipherfilter directive to specify the old string and see what happens. You may even want to check which of those ciphers in the new string is causing the problem. In any case, OpenSSL strikes again!
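The comment above suggests checking which entry of a new cipher string is the one the local OpenSSL cannot use. As an added example (not code from the xrootd project or from this thread), the Python check below runs each token of a cipher string through the local OpenSSL on its own and reports the tokens that select no TLS 1.2-or-lower cipher, whether OpenSSL rejects the token outright or accepts it only because the separately configured TLS 1.3 suites remain. The cipher string it uses is constructed for the demo and is not xrootd's configuration.

```python
import ssl

# Constructed cipher string for this demo (not xrootd's configuration): a few
# well-known TLS 1.2 suites, one deliberately invalid token and two modifiers,
# so the report shows every outcome.
EXAMPLE_CIPHER_STRING = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "NOT-A-REAL-CIPHER:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:@STRENGTH"
)


def tls12_matches(token):
    """TLS <= 1.2 cipher names that one cipher-string token selects in the
    local OpenSSL, or [] if it selects none.

    Two failure modes are handled: builds that reject an unmatched token
    (set_ciphers raises ssl.SSLError) and builds that accept it because the
    TLS 1.3 suites, configured separately, are still enabled; in the second
    case the resulting list contains only TLSv1.3 entries, which are dropped.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(token)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def check_cipher_string(cipher_string):
    """Map each selecting token of an OpenSSL cipher string to the TLS <= 1.2
    ciphers it enables here. Modifier tokens ('!', '-', '+', '@' prefixes)
    never select a cipher by themselves, so they are skipped."""
    report = {}
    for token in cipher_string.split(":"):
        if not token or token[0] in "!-+@":
            continue
        report[token] = tls12_matches(token)
    return report


def unmatched_tokens(cipher_string):
    """Tokens that enable no TLS <= 1.2 cipher on this OpenSSL build."""
    return [t for t, names in check_cipher_string(cipher_string).items() if not names]


if __name__ == "__main__":
    for token, names in check_cipher_string(EXAMPLE_CIPHER_STRING).items():
        print(f"{token:32s} -> {names or 'NO MATCH'}")
    # The whole string still "works": OpenSSL silently ignores the unknown
    # token, which is why checking tokens one at a time is needed.
    print("whole string ->", tls12_matches(EXAMPLE_CIPHER_STRING) or "NO TLS<=1.2 CIPHERS")
```

Running it prints one line per token; only the tokens reported as NO MATCH need a closer look, and checking the whole string at once does not reveal them because OpenSSL ignores unknown names inside an otherwise valid list.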
Check out BB's response to #1149

I think I narrowed it down to a bit of fancy footwork the OpenSSL developers are doing with TLS 1.3.

Andy
…On Thu, 5 Mar 2020, Brian Lin wrote:
@abh3 you mentioned that the change in the cipher list was made as a request by @bbockelm ? Got a link to the GitHub issue/PR?
--
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub:
#1149 (comment)
Perhaps, but if you don't call it, it defaults to something (they don't tell you what). So, it's unlikely.
…On Thu, 5 Mar 2020, jthiltges wrote:
Server needs to include a call to `SSL_CTX_set_ecdh_auto()` ?
@abh3 I linked to the script in the first comment in the issue, but it is also here:
I'm not sure of the source for the cipher list, but it matches the current recommendations from Mozilla: https://ssl-config.mozilla.org/
It looks like 4.11.3.rc1 broke the HTTPS ciphers negotiation. This is what I see in the xrootd logs:
@djw8605 pointed out to me that this might be the culprit commit.
I found this helpful script online to test different ciphers.
This is a test against Xrootd 4.11.2:
And this is against 4.11.3:
Notice that in the latter all the ciphers fail. So I believe there is something wrong with the way the code was written. If I try it manually:
I hope this helps to narrow it down