TLS 1.3 cipher suites aren't contained in the list of preference values offered in about:config
Categories
(Core :: Security: PSM, defect, P5)
People
(Reporter: jan, Unassigned)
Details
(Whiteboard: [psm-backlog])
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:69.0) Gecko/20100101 Firefox/69.0
Steps to reproduce:
The ciphers used for SMTP STARTTLS differ from other TLS connection ciphers.
Configuration:
security.tls.version.min 3
security.ssl3.dhe_rsa_aes_128_sha true
security.ssl3.dhe_rsa_aes_256_sha true
security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256 false
security.ssl3.ecdhe_ecdsa_aes_128_sha false
security.ssl3.ecdhe_ecdsa_aes_256_gcm_sha384 false
security.ssl3.ecdhe_ecdsa_aes_256_sha false
security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256 false
security.ssl3.ecdhe_rsa_aes_128_gcm_sha256 false
security.ssl3.ecdhe_rsa_aes_128_sha false
security.ssl3.ecdhe_rsa_aes_256_gcm_sha384 false
security.ssl3.ecdhe_rsa_aes_256_sha false
security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256 false
security.ssl3.rsa_aes_128_sha false
security.ssl3.rsa_aes_256_sha false
security.ssl3.rsa_des_ede3_sha false
Observe TLS Client Hello in Wireshark when sending a message.
Actual results:
SMTP :143 STARTTLS
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Cipher Suites (3 suites)
Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
SMTP :465 SSL/TLS
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Cipher Suites (2 suites)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Expected results:
SMTP :143 STARTTLS
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Cipher Suites (2 suites)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
SMTP :465 SSL/TLS
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Cipher Suites (2 suites)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Updated•5 years ago
typo: SMTP :143 STARTTLS should be SMTP :587 STARTTLS
Comment 2•5 years ago
Jan, you're reporting this for TB 60.x. Did you test if you get the same behavior with TB 68.x?
Please state which exact version you're using.
Which operating system? Did you get the Thunderbird binaries from a Linux distribution, or downloaded from thunderbird.net directly?
Did you run wireshark on the same computer that runs thunderbird?
(In reply to Kai Engert (:kaie:) from comment #2)
> Jan, you're reporting this for TB 60.x. Did you test if you get the same behavior with TB 68.x?
> Please state which exact version you're using.
> Which operating system? Did you get the Thunderbird binaries from a Linux distribution, or downloaded from thunderbird.net directly?
The report is for Thunderbird 60.9.0 on macOS 10.13.6 (17G8037). The binaries are from thunderbird.net.
> Did you run wireshark on the same computer that runs thunderbird?
Yes.
The behavior is different on 68.2.0. This is the output for 68.2.0:
Actual results:
SMTP :587 STARTTLS
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Cipher Suites (5 suites)
Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
SMTP :465 SSL/TLS
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Cipher Suites (5 suites)
Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Expected results:
SMTP :587 STARTTLS
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Cipher Suites (2 suites)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
SMTP :465 SSL/TLS
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Cipher Suites (2 suites)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Comment 4•5 years ago
It took me a while to understand your report.
I think what you're saying is:
- you're using a nonstandard configuration
- you have used about:config to disable certain cipher suites
- you believe you have disabled the following ciphers:
  - TLS_AES_128_GCM_SHA256 (0x1301)
  - TLS_CHACHA20_POLY1305_SHA256 (0x1303)
  - TLS_AES_256_GCM_SHA384 (0x1302)
- however, you see those cipher suites being offered in the handshake
Jan, is my understanding of your report correct?
I think your assumption that you have disabled those ciphers is incorrect, but it seems you were misled.
The above three ciphers are TLS 1.3 cipher suites.
Support for them had been added with this commit:
https://hg.mozilla.org/mozilla-central/rev/96991c815ab8de388e15cd2b6096064c552ca6e6
As can be seen at the bottom of that patch, the corresponding config keys are:
- "security.tls13.aes_128_gcm_sha256",
- "security.tls13.chacha20_poly1305_sha256",
- "security.tls13.aes_256_gcm_sha384",
Note the "security.tls13." prefix. However, you probably didn't disable those. All config entries you listed in comment 0 begin with "security.ssl3.".
@Jan: Please try to add those keys, set them to false, and please report back if that disables the cipher suites.
However, I think you were unable to detect them easily, because they weren't added to the list of visible preferences.
(File https://searchfox.org/mozilla-central/source/modules/libpref/init/all.js only lists the security.ssl3. prefs, but not the security.tls13. prefs.)
@Dana, do you think the security.tls13. prefs should be added to all.js?
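Added example, not part of the original bug thread: a Python check that reads the cipher suite list out of a raw ClientHello record and flags every suite outside the two intended DHE suites, naming the `security.tls13.*` pref from comment 4 that governs it. The sample record is constructed (no extensions) from the suite list in the TB 68.2.0 capture, and the function names are hypothetical.

```python
import struct

# TLS 1.3 suite IDs -> the pref keys named in comment 4 of this bug.
TLS13_PREFS = {
    0x1301: "security.tls13.aes_128_gcm_sha256",
    0x1302: "security.tls13.aes_256_gcm_sha384",
    0x1303: "security.tls13.chacha20_poly1305_sha256",
}
INTENDED = {0x0033, 0x0039}  # the two DHE suites left enabled in comment 0


def client_hello_suites(record: bytes) -> list:
    """Return cipher suite IDs, in offered order, from a raw ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack_from("!H", record, 3)[0]]
    pos = 4 + 2 + 32  # handshake header, legacy_version, random
    if len(body) <= pos or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    pos += 1 + body[pos]  # skip session_id length byte and session_id
    if pos + 2 > len(body):
        raise ValueError("truncated before cipher_suites")
    (n,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if n % 2 or pos + n > len(body):
        raise ValueError("malformed cipher_suites vector")
    return [s for (s,) in struct.iter_unpack("!H", body[pos:pos + n])]


def audit(record: bytes, intended=INTENDED) -> dict:
    """Map each offered suite outside `intended` to the pref that governs it."""
    return {s: TLS13_PREFS.get(s, "not a TLS 1.3 suite; check security.ssl3.* prefs")
            for s in client_hello_suites(record) if s not in intended}


def build_sample(suites) -> bytes:
    """Constructed minimal ClientHello (no extensions), for demonstration only."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Suites from the TB 68.2.0 capture in comment 3, in the order offered.
TB68_HELLO = build_sample([0x1301, 0x1303, 0x1302, 0x0033, 0x0039])

if __name__ == "__main__":
    for suite, pref in audit(TB68_HELLO).items():
        print(f"unexpected 0x{suite:04x}: {pref}")
```

To run it against a real capture, pass the bytes of the first TLS record of the connection (for STARTTLS, the first record after the server accepts the STARTTLS command) to `audit()`.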
Updated•5 years ago
> I think what you're saying is:
> - you're using a nonstandard configuration
Yes
> - you have used about:config to disable certain cipher suites
Yes
> - you believe you have disabled the following ciphers:
>   - TLS_AES_128_GCM_SHA256 (0x1301)
>   - TLS_CHACHA20_POLY1305_SHA256 (0x1303)
>   - TLS_AES_256_GCM_SHA384 (0x1302)
> - however, you see those cipher suites being offered in the handshake
My original report was about TB60. I had only enabled security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha (or so I thought). So I was surprised to see 3 other ciphers instead for SMTP :587 STARTTLS, while SMTP :465 SSL/TLS had the correct 2 ciphers.
Then I tested again for TB68; the DHE ciphers are there for SMTP :587 STARTTLS. However, now also these 3 other ciphers are there for both STARTTLS and SSL/TLS. I did not know these had a hidden setting.
> Jan, is my understanding of your report correct?
> I think your assumption that you have disabled those ciphers is incorrect, but it seems you were misled.
Basically yes. And that in TB60 the DHE ciphers were missing for SMTP :587 STARTTLS.
Comment 6•5 years ago
I suppose we should be consistent, but I'm not keen on making it easier for users to put Firefox in an inoperable state by accident.
Comment 7•5 years ago
If we want to be consistent, I think we should rather unlist "security.ssl3." prefs from about:config.
Comment 8•5 years ago
Maybe removing all those prefs from all.js is reasonable, less likely to be discovered, but still available for users who have a need to disable it.
I'm not keen on "ultra-hidden" preferences. Either have them controllable in about:config or don't have them controllable at all. Prefs only known to the 4 people who made them is dumb.