Re: SSL 3.0 and older ciphers selected in applications

To: Kurt Roeckx <kurt@roeckx.be>
Cc: debian-security@lists.debian.org, 772487@bugs.debian.org
Subject: Re: SSL 3.0 and older ciphers selected in applications
From: Daniel Pocock <daniel@pocock.pro>
Date: Mon, 08 Dec 2014 13:20:39 +0100
Message-id: <[🔎] 54859797.6070304@pocock.pro>
In-reply-to: <[🔎] 20141208113655.GA25596@roeckx.be>
References: <[🔎] 54855E6D.9000308@pocock.pro> <[🔎] 20141208101220.GA13316@roeckx.be> <[🔎] 54858094.6070304@pocock.pro> <[🔎] 20141208113655.GA25596@roeckx.be>

On 08/12/14 12:36, Kurt Roeckx wrote:
> On Mon, Dec 08, 2014 at 11:42:28AM +0100, Daniel Pocock wrote:
>> On 08/12/14 11:12, Kurt Roeckx wrote:
>>> On Mon, Dec 08, 2014 at 09:16:45AM +0100, Daniel Pocock wrote:
>>>> Hi all,
>>>>
>>>> I've made some changes to TLS code in reSIProcate
>>>>
>>>> - setting OpenSSL's SSL_OP_NO_SSLv3 by default when using SSLv23_method()
>>> This has no effect in jessie.  SSLv2 and SSLv3 are disabled if you
>>> use the SSLv23_* methods.  The only way to enable SSLv3 is to use
>>> the SSLv3_* methods.  You should always use the SSLv23 method as
>>> those are the only that support more than 1 protocol version.
>> Can you please clarify that - if somebody explicitly calls
>> SSL_CTX_clear_options with SSL_OP_NO_SSLv3 will they get back support
>> for SSLv3 in SSLv23_method?
> No, the library doesn't support SSLv3 in combination with the
> SSLv23 method.  Setting or clearing SSL_OP_NO_SSLv3 doesn't have
> any effect.
>
Thanks for confirming that.

>>> I would love to see people stopping the SSLv3 methods, and they
>>> have been removed in experimental.  I'm also working on only
>>> having the SSLv23 method available.
>> In VoIP, this is not so trivial.  People have devices like IP phones and
>> ISDN gateways to use on their LAN.  Some of the older ones may not
>> support anything more than SSL v3 very well.
>>
>> If these devices are used on a private VLAN then the risk of using old
>> crypto is not the same as the risk on the public Internet so I prefer to
>> give these people config options to support their hardware but disabled
>> by default.
> So why use SSL at all?
Only for cases where people may already have it configured that way.

It is not an issue for my own personal use cases.

>> Just one other point: if somebody is trying sending the client hello
>> using SSL v2 record layer but indicating support for TLS v1.0, should
>> TLSv1_method or SSLv23_method accept that?
> I would expect that both should support that.

With TLSv1_method and reSIProcate/OpenSSL on wheezy it fails with

    error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

    Error code = 336130315 file=s3_pkt.c line=348


>
>> There is an example of it here:
>> https://issues.asterisk.org/jira/browse/ASTERISK-13845
>>
>> and it looks something like this:
>>
>> Secure Sockets Layer
>>     SSLv2 Record Layer: Client Hello
>>         ...
>>         Version: TLS 1.0 (0x0301)
>>         ...
>>
>> I've noticed that the reSIProcate code using TLSv1_method refuses to
>> accept connections from peers like that.
>>
>> Should SSLv23_method support that even with v2 and v3 disabled?
> Yes it should.
>

Reply to:

Follow-Ups:
- Re: SSL 3.0 and older ciphers selected in applications
  - From: Kurt Roeckx <kurt@roeckx.be>

References:
- SSL 3.0 and older ciphers selected in applications
  - From: Daniel Pocock <daniel@pocock.pro>
- Re: SSL 3.0 and older ciphers selected in applications
  - From: Kurt Roeckx <kurt@roeckx.be>
- Re: SSL 3.0 and older ciphers selected in applications
  - From: Daniel Pocock <daniel@pocock.pro>
- Re: SSL 3.0 and older ciphers selected in applications
  - From: Kurt Roeckx <kurt@roeckx.be>

Prev by Date: Re: SSL 3.0 and older ciphers selected in applications
Next by Date: Re: SSL 3.0 and older ciphers selected in applications
Previous by thread: Re: SSL 3.0 and older ciphers selected in applications
Next by thread: Re: SSL 3.0 and older ciphers selected in applications
Index(es):
- Date
- Thread