Closed Bug 934033 Opened 11 years ago Closed 8 years ago

Remove legacy SSL3.0 FIPS ciphers

Categories

(NSS :: Libraries, defect)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ryan.sleevi, Assigned: ttaubert)

Details

Remove the legacy SSL_RSA_FIPS_WITH_DES_CBC_SHA and SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA cipher suites from NSS.

These are allocated off the experimental arc (0xFE), and were designed to allow SSL3.0 to utilize the TLS1.0 PRF, permitting FIPS validation of the SSL3.0 implementation.

They serve no use with NSS supporting TLS1.0+, and were never advanced to standards track.
Assignee: nobody → ryan.sleevi
Status: NEW → ASSIGNED
Technically, they would be useful for the case where a browser falls back from TLS 1.0 to SSL 3.0, securely or insecurely, if and only if servers actually negotiate these cipher suites in the SSL 3.0 case. More generally, perhaps we need to think seriously about the security of the SSL 3.0 PRF as part of the review of crypto stuff that is happening in light of recent news. It would suck if the SSL 3.0 PRF were completely broken considering an active MitM can trivially make us speak SSL 3.0.
FYI:

As recently as 2010, these cipher suites were/are considered MUST-implement for at least some enterprisy standards. From
http://www.ws-i.org/Profiles/BasicSecurityProfile-1.1.html#Mandatory_Ciphersuites:

The specified algorithm suites are considered to be
widely-implemented, secure and interoperable.

R5703 Any TLS-capable INSTANCE that is FIPS compliant
MUST support TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA

R5704 Any SSL-capable INSTANCE that is FIPS compliant
MUST support SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA

Googling for the cipher suite names shows quite a few results for "enterprisy" products from IBM, Oracle, and others that support them.
Hi there, is this still being worked on?

I just created a fresh profile on Thunderbird 24.3.0 on Ubuntu 13.10, opened Javascript console and typed
  document.location.replace('https://www.howsmyssl.com/');
which reported that this is a cipher suite offered by this client:
  SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA

So I edited the preferences to ensure (?) SSLv3 would be disabled
  security.tls.version.min = 1
  security.tls.version.max = 3
and restarted Thunderbird and accessed the same website from the Javascript console again.

This reported that SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA is a supported cipher suite in this TLSv1.2 (!) encrypted connection.

Same at https://www.ssllabs.com/ssltest/viewMyClient.html and https://cc.dcsec.uni-hannover.de/

Please do not enable support, by default, for any cipher suites which are not ultimately specified, whether or not some server products support them.
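As an added example, not code from this bug or from NSS: a small Python checker that pulls the cipher_suites list out of a raw TLS ClientHello record and flags the two 0xFE-arc FIPS suites, so a client's offered suites can be verified from a packet capture offline instead of via a third-party site. The suite IDs 0xFEFE and 0xFEFF are NSS's values from sslproto.h; the sample ClientHello is constructed here, not captured.

```python
import struct

# Suite IDs as defined in NSS sslproto.h (experimental 0xFE arc).
LEGACY_FIPS_SUITES = {
    0xFEFE: "SSL_RSA_FIPS_WITH_DES_CBC_SHA",
    0xFEFF: "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
}


def client_hello_cipher_suites(record: bytes) -> list:
    """Return the cipher suite IDs offered in a TLS ClientHello record.

    Layout walked: record header (5) -> handshake header (4) -> client_version (2)
    -> random (32) -> session_id (1 + n) -> cipher_suites (2 + m).
    Raises ValueError for anything that is not a well-formed ClientHello.
    """
    if len(record) < 9 or record[0] != 0x16:          # content type: handshake
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:       # handshake type: client_hello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32 + 1 + hello[34]                      # skip version, random, session_id
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    suites = hello[pos + 2:pos + 2 + cs_len]
    if len(suites) != cs_len or cs_len % 2:
        raise ValueError("bad cipher_suites length")
    return [int.from_bytes(suites[i:i + 2], "big") for i in range(0, cs_len, 2)]


def legacy_fips_suites_offered(record: bytes) -> list:
    """Names of the legacy 0xFE-arc FIPS suites present in a ClientHello."""
    return [LEGACY_FIPS_SUITES[s] for s in client_hello_cipher_suites(record)
            if s in LEGACY_FIPS_SUITES]


def build_client_hello(suites: list) -> bytes:
    """Build a minimal, constructed (not captured) TLS 1.0 ClientHello record."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (b"\x03\x01" + b"\x00" * 32 + b"\x00"    # version, zero random, empty session id
             + struct.pack("!H", len(cs)) + cs
             + b"\x01\x00")                          # one compression method: null
    body = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body


# Constructed sample: a client offering AES-128 (0x002F), standard 3DES (0x000A)
# and the legacy NSS FIPS 3DES suite (0xFEFF), like the Thunderbird profile above.
SAMPLE_HELLO = build_client_hello([0x002F, 0x000A, 0xFEFF])
```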
Going to take a look at this soon-ish. I think Ryan doesn't mind me stealing this.
Assignee: ryan.sleevi → ttaubert
Those are gone since we landed bug 1252849.
Blocks: 1252849
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.28