Closed
Bug 1024430
Opened 11 years ago
Closed 11 years ago
Server Side TLS Guide recommendation has unexpected effect with 0.9.8 OpenSSL
Categories
(Developer Documentation Graveyard :: General, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: hkario, Assigned: jvehent)
Details
(Keywords: wsec-crypto)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 (Beta/Release)
Build ID: 20140514130520
Steps to reproduce:
Using the Recommended Ciphersuite with OpenSSL 0.9.8 results in some of the AES ciphers being placed after RC4.
Actual results:
# openssl ciphers -v 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK'
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
Expected results:
All the AES cipher suites should be placed before RC4, as with OpenSSL 1.0.1 and later.
This is caused by the fact that OpenSSL 0.9.8 doesn't understand the "AES128" or "AES256" cipher groups. The change is a simple addition of "AES" just before "RC4-SHA" to form the following Recommended Ciphersuite:
# openssl ciphers -v 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:AES:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK'
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
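The ordering problem described in the report can be checked mechanically. The following is an added example, not part of the original bug report or the Mozilla guide: a shell function that reads `openssl ciphers -v` output and lists every AES suite ranked below the first RC4 suite. The function and sample names (`aes_after_rc4`, `before_fix`, `after_fix`) are hypothetical; the sample data is the output quoted in the report.

```shell
#!/bin/sh
# Added example: regression check for the cipher ordering reported in this bug.

# Reads `openssl ciphers -v` output on stdin and prints the name of every
# AES suite that appears after the first RC4 suite.
# Exit status: 0 = all AES suites precede RC4, 1 = at least one is misordered.
aes_after_rc4() {
    awk '
        /Enc=RC4/            { seen_rc4 = 1; next }
        seen_rc4 && /Enc=AES/ { print $1; bad = 1 }
        END                  { exit (bad ? 1 : 0) }
    '
}

# OpenSSL 0.9.8 output quoted in the report for the original cipher string.
before_fix() {
cat <<'EOF'
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
EOF
}

# OpenSSL 0.9.8 output quoted in the report once "AES" is added before "RC4-SHA".
after_fix() {
cat <<'EOF'
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
EOF
}

# Run the check on both samples. On a live host, pipe the real output instead:
#   openssl ciphers -v "$CIPHER_STRING" | aes_after_rc4
for sample in before_fix after_fix; do
    if misordered=$($sample | aes_after_rc4); then
        echo "$sample: OK, every AES suite precedes RC4"
    else
        echo "$sample: AES suites ranked below RC4:" $misordered
    fi
done
```

Running the same check against each OpenSSL version a server fleet actually ships catches cases like this one, where a cipher string that is correct on 1.0.1 silently reorders on an older library.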
Reporter
Updated•11 years ago
Keywords: wsec-crypto
Reporter
Comment 1•11 years ago
Julien, since you're handling bug 927045, I'm guessing this one is also your territory.
Flags: needinfo?(jvehent)
Assignee
Comment 2•11 years ago
Ack. I'm off for a few days, but I'll take a look next Monday.
Assignee: eshepherd → jvehent
Assignee
Comment 3•11 years ago
Great catch! I updated the wiki page: https://wiki.mozilla.org/index.php?title=Security%2FServer_Side_TLS&diff=990146&oldid=983316
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Flags: needinfo?(jvehent)
Resolution: --- → FIXED
Comment 4•10 years ago
A self-proclaimed expert by the name of 'securityguy' here http://forums.moneysavingexpert.com/showthread.php?t=5156377&page=3 (read on from post 60). This person is suggesting the people working on Mozilla security don't know what they are talking about and all this talk of cipher ordering, being picky and cipher weaknesses is garbage. So basically inferring all your security guidance is unnecessary fear mongering. Would you care to defend yourselves?
It's a UK TV show blog hosted by Martin Lewis.
Reporter
Comment 5•10 years ago
I'm reading it as "because there are more common and pressing issues, we shouldn't make sure the chosen ciphers and protocols are best available".
Do we really have to say why that's a bad stance on security?
Comment 6•10 years ago
Indeed, and there seems to be coming up to 3000 views in just over a day. It would be a shame for the average Joe to take away the notion that the issues that the OP has raised are non-issues. And all because some bank's security guy happens to be taking his boss's unbridled pragmatism a step too far. I think one of our guys should hop on and lay the smack down, since that site is visited by millions of visitors and features on TV. To be fair, it sounds like this person works for the banks, they might be attempting damage limitation by casting off HTTPS security as overhyped nonsense thus putting our cause in the shade.
Reporter
Comment 7•10 years ago
I don't have much more to add than user 6 6 6 already said (or many more sources to add). If somebody doesn't see his arguments as better, why should they take into account the same arguments posted by another Random Guy On The Internet?
Sorry, can't help with it.