
Bug#733564: pu: apache2 with ECDHE support



On Mon, Apr 14, 2014 at 09:57:21PM +0200, Stefan Fritsch wrote:
> Am Montag, 14. April 2014, 21:18:46 schrieb Philipp Kern:
> > So I'd say that we should go and add ECDHE support to Apache as
> > suggested and also patch OpenSSL for the OS X bug as the
> > fingerprinting landed upstream and we would merely replicate
> > current upstream behavior.
> 
> OK, sounds good.
> 
> Kurt, if the openssl patch is like [1], it would require that apache2 
> is built against the updated version of openssl, due to the changed 
> value of SSL_OP_ALL. Can you please ping me when you have uploaded the 
> new package? Also, you should probably mention in the changelog that 
> only recompiled applications get to use the workaround.

I've just uploaded it.

Debdiff is attached.


Kurt

diff -Nru openssl-1.0.1e/debian/changelog openssl-1.0.1e/debian/changelog
--- openssl-1.0.1e/debian/changelog	2014-04-17 22:11:48.000000000 +0200
+++ openssl-1.0.1e/debian/changelog	2014-05-01 15:31:35.000000000 +0200
@@ -1,3 +1,12 @@
+openssl (1.0.1e-2+deb7u8) wheezy; urgency=medium
+
+  * Don't prefer ECDHE_ECDSA with some Safari versions
+    This also adds the SSL_OP_SAFARI_ECDHE_ECDSA_BUG option.
+  * Actually restart the services when restart-without-asking is set.
+    (Closes: #745801)
+
+ -- Kurt Roeckx <kurt@roeckx.be>  Thu, 01 May 2014 15:06:05 +0200
+
 openssl (1.0.1e-2+deb7u7) wheezy-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru openssl-1.0.1e/debian/libssl1.0.0.postinst openssl-1.0.1e/debian/libssl1.0.0.postinst
--- openssl-1.0.1e/debian/libssl1.0.0.postinst	2014-04-16 22:59:01.000000000 +0200
+++ openssl-1.0.1e/debian/libssl1.0.0.postinst	2014-05-01 15:30:16.000000000 +0200
@@ -171,6 +171,8 @@
 		    else
 			answer=no
 		    fi
+                else
+			answer=yes
 		fi
 		echo
 		if [ "$answer" = yes ] && [ "$services" != "" ]; then
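Review bot: The added `else` line is indented with spaces while the `answer=yes` line under it and the surrounding `fi`/`else` lines use tabs, so the new branch does not visually line up with the `fi` that closes it; indent both new lines with tabs to match the file. The `if` this `else` belongs to, and the shell function around it, start above the hunk, so I am assuming from the changelog entry that this is the restart-without-asking test. Because this branch now restarts services with no prompt, a one-line comment above `answer=yes` such as `# restart-without-asking is set: restart unprompted` would make the intent visible at the point of the change.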
diff -Nru openssl-1.0.1e/debian/patches/ECDHE-ECDSA_Safari.patch openssl-1.0.1e/debian/patches/ECDHE-ECDSA_Safari.patch
--- openssl-1.0.1e/debian/patches/ECDHE-ECDSA_Safari.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssl-1.0.1e/debian/patches/ECDHE-ECDSA_Safari.patch	2014-05-01 15:52:28.000000000 +0200
@@ -0,0 +1,194 @@
+From: Rob Stradling <rob@comodo.com>
+Date: Thu, 5 Sep 2013 13:09:03 +0100
+Subject: [PATCH] Don't prefer ECDHE-ECDSA ciphers when the client appears to
+ be Safari on OS X. OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA
+ ciphers.
+Origin: upstream, commit:4b61f6d2a675fdb57dc93991e7b332a745b44d1f, commit:937f125efc80d7a4e80a5a02ec0eae02ea0b55ac, commit:f4a51970d245a61e991a0c2e196853e81a1a6c53
+
+
+diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod
+index cc588f3..fded060 100644
+--- a/doc/ssl/SSL_CTX_set_options.pod
++++ b/doc/ssl/SSL_CTX_set_options.pod
+@@ -88,9 +88,10 @@ As of OpenSSL 0.9.8q and 1.0.0c, this option has no effect.
+ 
+ ...
+ 
+-=item SSL_OP_MSIE_SSLV2_RSA_PADDING
++=item SSL_OP_SAFARI_ECDHE_ECDSA_BUG
+ 
+-As of OpenSSL 0.9.7h and 0.9.8a, this option has no effect.
++Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
++OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
+ 
+ =item SSL_OP_SSLEAY_080_CLIENT_DH_BUG
+ 
+diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
+index e7c5dcb..c2428f4 100644
+--- a/ssl/s3_lib.c
++++ b/ssl/s3_lib.c
+@@ -3037,6 +3037,11 @@ void ssl3_clear(SSL *s)
+ 		s->s3->tmp.ecdh = NULL;
+ 		}
+ #endif
++#ifndef OPENSSL_NO_TLSEXT
++#ifndef OPENSSL_NO_EC
++	s->s3->is_probably_safari = 0;
++#endif /* OPENSSL_NO_EC */
++#endif /* OPENSSL_NO_TLSEXT */
+ 
+ 	rp = s->s3->rbuf.buf;
+ 	wp = s->s3->wbuf.buf;
+@@ -4016,6 +4021,13 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
+ 		ii=sk_SSL_CIPHER_find(allow,c);
+ 		if (ii >= 0)
+ 			{
++#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_TLSEXT)
++			if ((alg_k & SSL_kEECDH) && (alg_a & SSL_aECDSA) && s->s3->is_probably_safari)
++				{
++				if (!ret) ret=sk_SSL_CIPHER_value(allow,ii);
++				continue;
++				}
++#endif
+ 			ret=sk_SSL_CIPHER_value(allow,ii);
+ 			break;
+ 			}
+diff --git a/ssl/ssl.h b/ssl/ssl.h
+index 593579e..c48990e 100644
+--- a/ssl/ssl.h
++++ b/ssl/ssl.h
+@@ -555,7 +555,7 @@ struct ssl_session_st
+ #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG		0x00000008L
+ #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG		0x00000010L
+ #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER		0x00000020L
+-#define SSL_OP_MSIE_SSLV2_RSA_PADDING			0x00000040L /* no effect since 0.9.7h and 0.9.8b */
++#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG			0x00000040L
+ #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG			0x00000080L
+ #define SSL_OP_TLS_D5_BUG				0x00000100L
+ #define SSL_OP_TLS_BLOCK_PADDING_BUG			0x00000200L
+diff --git a/ssl/ssl3.h b/ssl/ssl3.h
+index 247e88c..208b392 100644
+--- a/ssl/ssl3.h
++++ b/ssl/ssl3.h
+@@ -539,6 +539,15 @@ typedef struct ssl3_state_st
+ 	/* Set if we saw the Next Protocol Negotiation extension from our peer. */
+ 	int next_proto_neg_seen;
+ #endif
++
++#ifndef OPENSSL_NO_TLSEXT
++#ifndef OPENSSL_NO_EC
++	/* This is set to true if we believe that this is a version of Safari
++	 * running on OS X 10.6 or newer. We wish to know this because Safari
++	 * on 10.8 .. 10.8.3 has broken ECDHE-ECDSA support. */
++	char is_probably_safari;
++#endif	/* OPENSSL_NO_EC */
++#endif	/* OPENSSL_NO_TLSEXT */
+ 	} SSL3_STATE;
+ 
+ #endif
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index e08088c..f671d1d 100644
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -866,6 +866,89 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
+ 	return ret;
+ 	}
+ 
++#ifndef OPENSSL_NO_EC
++/* ssl_check_for_safari attempts to fingerprint Safari using OS X
++ * SecureTransport using the TLS extension block in |d|, of length |n|.
++ * Safari, since 10.6, sends exactly these extensions, in this order:
++ *   SNI,
++ *   elliptic_curves
++ *   ec_point_formats
++ *
++ * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
++ * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
++ * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
++ * 10.8..10.8.3 (which don't work).
++ */
++static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
++	unsigned short type, size;
++	static const unsigned char kSafariExtensionsBlock[] = {
++		0x00, 0x0a,  /* elliptic_curves extension */
++		0x00, 0x08,  /* 8 bytes */
++		0x00, 0x06,  /* 6 bytes of curve ids */
++		0x00, 0x17,  /* P-256 */
++		0x00, 0x18,  /* P-384 */
++		0x00, 0x19,  /* P-521 */
++
++		0x00, 0x0b,  /* ec_point_formats */
++		0x00, 0x02,  /* 2 bytes */
++		0x01,        /* 1 point format */
++		0x00,        /* uncompressed */
++	};
++
++	/* The following is only present in TLS 1.2 */
++	static const unsigned char kSafariTLS12ExtensionsBlock[] = {
++		0x00, 0x0d,  /* signature_algorithms */
++		0x00, 0x0c,  /* 12 bytes */
++		0x00, 0x0a,  /* 10 bytes */
++		0x05, 0x01,  /* SHA-384/RSA */
++		0x04, 0x01,  /* SHA-256/RSA */
++		0x02, 0x01,  /* SHA-1/RSA */
++		0x04, 0x03,  /* SHA-256/ECDSA */
++		0x02, 0x03,  /* SHA-1/ECDSA */
++	};
++
++	if (data >= (d+n-2))
++		return;
++	data += 2;
++
++	if (data > (d+n-4))
++		return;
++	n2s(data,type);
++	n2s(data,size);
++
++	if (type != TLSEXT_TYPE_server_name)
++		return;
++
++	if (data+size > d+n)
++		return;
++	data += size;
++
++	if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
++		{
++		const size_t len1 = sizeof(kSafariExtensionsBlock);
++		const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
++
++		if (data + len1 + len2 != d+n)
++			return;
++		if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
++			return;
++		if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
++			return;
++		}
++	else
++		{
++		const size_t len = sizeof(kSafariExtensionsBlock);
++
++		if (data + len != d+n)
++			return;
++		if (memcmp(data, kSafariExtensionsBlock, len) != 0)
++			return;
++		}
++
++	s->s3->is_probably_safari = 1;
++}
++#endif	/* OPENSSL_NO_EC */
++
+ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
+ 	{
+ 	unsigned short type;
+@@ -886,6 +969,11 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
+ 	                       SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
+ #endif
+ 
++#ifndef OPENSSL_NO_EC
++	if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
++		ssl_check_for_safari(s, data, d, n);
++#endif	/* OPENSSL_NO_EC */
++
+ 	if (data >= (d+n-2))
+ 		goto ri_check;
+ 	n2s(data,len);
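Review bot: The changelog at the top of this debdiff presents SSL_OP_SAFARI_ECDHE_ECDSA_BUG as a newly added option, but the ssl.h hunk assigns it the existing bit 0x00000040L previously held by SSL_OP_MSIE_SSLV2_RSA_PADDING, and nothing in the patch touches SSL_OP_ALL; if SSL_OP_ALL keeps its stock 1.0.1e value, which appears to cover that bit, then already-built applications passing SSL_OP_ALL (presumably including the apache2 this thread is about) turn the workaround on without a rebuild, contrary to the "only recompiled applications" wording in the mail above. That should be confirmed against the SSL_OP_ALL definition (outside this hunk) and the changelog adjusted either way, e.g. `Note: this bit is covered by SSL_OP_ALL, so callers using SSL_OP_ALL get the workaround without recompiling.` Separately, the ssl3_choose_cipher change skips every ECDHE-ECDSA suite for a fingerprinted client and settles on the next server-preferred suite the client offers, which on a server holding both an ECDSA and an RSA certificate may be a suite without forward secrecy; the SSL_CTX_set_options.pod text should say so, e.g. `The next acceptable suite in server preference order is chosen instead, which may lack forward secrecy.` The fingerprint matches any stack sending exactly these extensions, as the function comment already admits, so the option should stay off unless such clients are actually observed.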
diff -Nru openssl-1.0.1e/debian/patches/series openssl-1.0.1e/debian/patches/series
--- openssl-1.0.1e/debian/patches/series	2014-04-17 22:05:46.000000000 +0200
+++ openssl-1.0.1e/debian/patches/series	2014-05-01 15:02:11.000000000 +0200
@@ -46,3 +46,4 @@
 CVE-2010-5298.patch
 CVE-2014-XXXX-Extension-checking-fixes.patch
 CVE-2014-0076.patch
+ECDHE-ECDSA_Safari.patch
