Closed Bug 1024430 Opened 10 years ago Closed 10 years ago

Server Side TLS Guide recommendation has unexpected effect with 0.9.8 OpenSSL

Categories

(Developer Documentation Graveyard :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: hkario, Assigned: jvehent)

Details

(Keywords: wsec-crypto)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 (Beta/Release)
Build ID: 20140514130520

Steps to reproduce:

Using the Recommended Ciphersuite with OpenSSL 0.9.8 results in some of the AES ciphers being placed after RC4.


Actual results:

# openssl ciphers -v 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK'
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1


Expected results:

All the AES cipher suites should be placed before RC4, as with OpenSSL 1.0.1 and later.

This is caused by the fact that OpenSSL 0.9.8 doesn't understand the "AES128" or "AES256" cipher groups. The change is a simple addition of "AES" just before "RC4-SHA" to form the following Recommended Ciphersuite:

# openssl ciphers -v 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:AES:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK'
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
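
The ordering check from the report above can be automated. This is an added example, not part of the original bug report or the Server Side TLS guide: it reads `openssl ciphers -v` output and lists every AES suite ranked below the first RC4 suite. The function names are hypothetical; the two embedded listings are the output tails quoted in the report.

```shell
#!/bin/sh
# Added example (not from the bug report): list AES suites that an
# `openssl ciphers -v` listing ranks below the first RC4 suite.

# Reads a listing on stdin, prints one offending suite name per line.
aes_after_rc4() {
    awk '
        {   # the bulk cipher is in the Enc= column, e.g. Enc=AES(128)
            enc = ""
            for (i = 2; i <= NF; i++) if ($i ~ /^Enc=/) enc = $i
        }
        enc ~ /^Enc=RC4/             { seen_rc4 = 1; next }
        seen_rc4 && enc ~ /^Enc=AES/ { print $1 }
    '
}

# Hypothetical wrapper: expand a cipher string with the local openssl build.
check_cipher_string() { openssl ciphers -v "$1" | aes_after_rc4; }

# Tail of the 0.9.8 output for the original string, as quoted in the report.
tail_original() { cat <<'EOF'
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
EOF
}

# Tail of the 0.9.8 output once "AES" is added before "RC4-SHA".
tail_fixed() { cat <<'EOF'
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
EOF
}

echo "original string:"; tail_original | aes_after_rc4
echo "with AES added:";  tail_fixed    | aes_after_rc4
```

Running `check_cipher_string` with the same cipher string on each OpenSSL version a server fleet actually ships catches this kind of version-dependent reordering before the string is deployed.
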
Julien, since you're handling bug 927045, I'm guessing this one is also your territory.
Flags: needinfo?(jvehent)
Ack. I'm off for a few days, but I'll take a look next Monday.
Assignee: eshepherd → jvehent
Great catch! I updated the wiki page: https://wiki.mozilla.org/index.php?title=Security%2FServer_Side_TLS&diff=990146&oldid=983316
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Flags: needinfo?(jvehent)
Resolution: --- → FIXED
A self-proclaimed expert by the name of 'securityguy' here: http://forums.moneysavingexpert.com/showthread.php?t=5156377&page=3 (read on from post 60). This person is suggesting the people working on Mozilla security don't know what they are talking about and all this talk of cipher ordering, being picky and cipher weaknesses is garbage. So basically inferring all your security guidance is unnecessary fearmongering. Would you care to defend yourselves?

It's a UK TV show blog hosted by Martin Lewis.
I'm reading it as "because there are more common and pressing issues, we shouldn't make sure the chosen ciphers and protocols are best available".

Do we really have to say why that's a bad stance on security?
Indeed, and there seem to be coming up to 3000 views in just over a day. It would be a shame for the average Joe to take away the notion that the issues that the OP has raised are non-issues. And all because some bank's security guy happens to be taking his boss's unbridled pragmatism a step too far. I think one of our guys should hop on and lay the smack down, since that site is visited by millions of visitors and features on TV. To be fair, it sounds like this person works for the banks; they might be attempting damage limitation by casting off HTTPS security as overhyped nonsense, thus putting our cause in the shade.
I don't have much more to add than user 6 6 6 already said (or many more sources to add). If somebody doesn't see his arguments as better, why should they take into account the same arguments posted by another Random Guy On The Internet?

Sorry, can't help with it.