Order of protocols in MinProtocol

OpenSSL - User mailing list
Hi,

when I set "MinProtocol" to "TLSv1.2" in openssl.cnf, DTLSv1.2 doesn't work for
the client (in my specific case openconnect).

According to https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html,
only one value is possible, so I can't set both. The usage of "Protocol",
where I could use a list, is marked as deprecated.

If I set it to "DTLSv1.2", openconnect works fine, but why is "TLSv1.2" higher
than "DTLSv1.2" and what is the minimal version of TLS now?

How could I set a system default "MinProtocol" for DTLS and TLS to 1.2?

-
    Klaus



Re: Order of protocols in MinProtocol

Viktor Dukhovni
On Wed, Jul 08, 2020 at 04:58:39PM +0200, Klaus Umbach via openssl-users wrote:

> when I set "MinProtocol" to "TLSv1.2" in openssl.cnf, DTLSv1.2 doesn't work for
> the client (in my specific case openconnect).

Unfortunately, I think that's expected.  The actual bounds are numeric,
and TLS protocols start at 0x0301 (TLS 1.0) and go up to 0x304 (TLS
1.3):

    # define TLS1_VERSION                    0x0301
    # define TLS1_1_VERSION                  0x0302
    # define TLS1_2_VERSION                  0x0303
    # define TLS1_3_VERSION                  0x0304
    # define TLS_MAX_VERSION                 TLS1_3_VERSION

    [ It is also possible to set the floor at SSL3_VERSION == 0x0300,
      if that's still enabled in your build. ]

while DTLS protocols start at 0xFEFF (DTLS 1.0) and count down:

    # define DTLS1_VERSION                   0xFEFF
    # define DTLS1_2_VERSION                 0xFEFD
    # define DTLS_MIN_VERSION                DTLS1_VERSION
    # define DTLS_MAX_VERSION                DTLS1_2_VERSION

So when on a particular SSL_CTX you set MinProtocol and/or MaxProtocol,
that setting really only makes sense for TLS or for DTLS, but never
both, and you need a separate SSL_CTX for DTLS if you intend to
specify the protocol ranges.

> How could I set a system default "MinProtocol" for DTLS and TLS to 1.2?

AFAIK, that's not presently possible.  You can specify application
profiles, for applications that specify an application name when
initializing OpenSSL.  Or use the OPENSSL_CONF environment variable to
select an alternative configuration file for DTLS applications.

--
    Viktor.

Re: Order of protocols in MinProtocol

Matt Caswell-2


On 08/07/2020 16:28, Viktor Dukhovni wrote:
>> How could I set a system default "MinProtocol" for DTLS and TLS to 1.2?
>
> AFAIK, that's not presently possible.  You can specify application
> profiles, for applications that specify an application name when
> initializing OpenSSL.  Or use the OPENSSL_CONF environment variable to
> select an alternative configuration file for DTLS applications.
>

Arguably, that is a bug. You *should* be able to do that - perhaps based
on some sensible mapping between TLS protocol versions based on whether
we have a DTLS or TLS based SSL_METHOD.

Matt

Re: Order of protocols in MinProtocol

Viktor Dukhovni
On Wed, Jul 08, 2020 at 04:36:55PM +0100, Matt Caswell wrote:

> On 08/07/2020 16:28, Viktor Dukhovni wrote:
> >> How could I set a system default "MinProtocol" for DTLS and TLS to 1.2?
> >
> > AFAIK, that's not presently possible.  You can specify application
> > profiles, for applications that specify an application name when
> > initializing OpenSSL.  Or use the OPENSSL_CONF environment variable to
> > select an alternative configuration file for DTLS applications.
>
> Arguably, that is a bug. You *should* be able to do that - perhaps based
> on some sensible mapping between TLS protocol versions based on whether
> we have a DTLS or TLS based SSL_METHOD.

I agree that the situation with MinProtocol in openssl.cnf is
unfortunate.  But instead of mappings, I would propose a different
solution:

    * Restrict MinProtocol/MaxProtocol to just TLS protocols,
      i.e. SSL_CTX objects with a TLS-based method.

    * Introduce new controls: DTLSMinProtocol, DTLSMaxProtocol,
      that are similarly restricted to SSL_CTX objects with a DTLS-based
      method.

    * Since SSL_CTX_new() takes a required method argument, we are
      never in doubt as to which pair of controls to apply to a given
      context.

Thoughts?

--
    Viktor.

Re: Order of protocols in MinProtocol

Matt Caswell-2


On 08/07/2020 17:21, Viktor Dukhovni wrote:

> On Wed, Jul 08, 2020 at 04:36:55PM +0100, Matt Caswell wrote:
>
>> On 08/07/2020 16:28, Viktor Dukhovni wrote:
>>>> How could I set a system default "MinProtocol" for DTLS and TLS to 1.2?
>>>
>>> AFAIK, that's not presently possible.  You can specify application
>>> profiles, for applications that specify an application name when
>>> initializing OpenSSL.  Or use the OPENSSL_CONF environment variable to
>>> select an alternative configuration file for DTLS applications.
>>
>> Arguably, that is a bug. You *should* be able to do that - perhaps based
>> on some sensible mapping between TLS protocol versions based on whether
>> we have a DTLS or TLS based SSL_METHOD.
>
> I agree that the situation with MinProtocol in openssl.cnf is
> unfortunate.  But instead of mappings, I would propose a different
> solution:
>
>     * Restrict MinProtocol/MaxProtocol to just TLS protocols,
>       i.e. SSL_CTX objects with a TLS-based method.
>
>     * Introduce new controls: DTLSMinProtocol, DTLSMaxProtocol,
>       that are similarly restricted to SSL_CTX objects with a DTLS-based
>       method.
>
>     * Since SSL_CTX_new() takes a required method argument, we are
>       never in doubt as to which pair of controls to apply to a given
>       context.
>
> Thoughts?

Yes - that could work. Although it begs the question - would it change
the way SSL_CTX_set_min_proto_version() works? (I assume that currently
works just fine as is)

Another question this throws up is how much of that solution we would
backport to 1.1.1, since DTLS(Min|Max)Protocol would be a new feature.
Should we backport it anyway with the justification that it is a "fix"?
Or do we just backport the bit that means it doesn't get applied to DTLS?

Matt


Re: Order of protocols in MinProtocol

Viktor Dukhovni
On Wed, Jul 08, 2020 at 05:40:38PM +0100, Matt Caswell wrote:

> > I agree that the situation with MinProtocol in openssl.cnf is
> > unfortunate.  But instead of mappings, I would propose a different
> > solution:
> >
> >     * Restrict MinProtocol/MaxProtocol to just TLS protocols,
> >       i.e. SSL_CTX objects with a TLS-based method.
> >
> >     * Introduce new controls: DTLSMinProtocol, DTLSMaxProtocol,
> >       that are similarly restricted to SSL_CTX objects with a DTLS-based
> >       method.
> >
> >     * Since SSL_CTX_new() takes a required method argument, we are
> >       never in doubt as to which pair of controls to apply to a given
> >       context.
> >
> > Thoughts?
>
> Yes - that could work. Although it begs the question - would it change
> the way SSL_CTX_set_min_proto_version() works? (I assume that currently
> works just fine as is)

No changes in SSL_CTX_set_(min|max)_proto_version() are required.  The API
remains the same, and a user calling it on a context with a DTLS-based
method would (as before) pass the appropriate *DTLS* versions.

The only change would be in the .cnf file, where "MinProtocol" and
"MaxProtocol" would now apply only in TLS-based contexts, and new
DTLSMinProtocol and DTLSMaxProtocol only in DTLS-based contexts.

> Another question this throws up is how much of that solution we would
> backport to 1.1.1, since DTLS(Min|Max)Protocol would be a new feature.

I'd be inclined to backport.

> Should we backport it anyway with the justification that it is a "fix"?
> Or do we just backport the bit that means it doesn't get applied to DTLS?

I see it as a bugfix.  Yes, at least not misapply TLS limits to DTLS,
but at that point not adding the corresponding DTLS controls feels too
cautious to me.

--
    Viktor.

Re: Order of protocols in MinProtocol

OpenSSL - User mailing list
On 08.07.20 12:21, Viktor Dukhovni wrote:

> On Wed, Jul 08, 2020 at 04:36:55PM +0100, Matt Caswell wrote:
>
> > On 08/07/2020 16:28, Viktor Dukhovni wrote:
> > >> How could I set a system default "MinProtocol" for DTLS and TLS to 1.2?
> > >
> > > AFAIK, that's not presently possible.  You can specify application
> > > profiles, for applications that specify an application name when
> > > initializing OpenSSL.  Or use the OPENSSL_CONF environment variable to
> > > select an alternative configuration file for DTLS applications.
> >
> > Arguably, that is a bug. You *should* be able to do that - perhaps based
> > on some sensible mapping between TLS protocol versions based on whether
> > we have a DTLS or TLS based SSL_METHOD.

Should I open an issue at https://github.com/openssl/openssl/issues?

>
> I agree that the situation with MinProtocol in openssl.cnf is
> unfortunate.  But instead of mappings, I would propose a different
> solution:
>
>     * Restrict MinProtocol/MaxProtocol to just TLS protocols,
>       i.e. SSL_CTX objects with a TLS-based method.
>
>     * Introduce new controls: DTLSMinProtocol, DTLSMaxProtocol,
>       that are similarly restricted to SSL_CTX objects with a DTLS-based
>       method.
>
>     * Since SSL_CTX_new() takes a required method argument, we are
>       never in doubt as to which pair of controls to apply to a given
>       context.
>
> Thoughts?


To me this sounds sane.

But for my personal problem right now (openconnect uses TLS and DTLS, so
even if it set an application name I couldn't set a "proper"
setting), until this bug is fixed, I use this now:

   # MinProtocol = TLSv1.2
   Protocol = -TLSv1, -TLSv1.1, TLSv1.2, TLSv1.3, DTLSv1.2

(with a big comment for future-me on why I did something that I shouldn't)

To my understanding, this will do exactly what I want, up to the point in
time when newer versions of DTLS and/or TLS are supported and I want
to use them. (SSL3 is not supported in my build.)

Am I right?

-
    Klaus

Re: Order of protocols in MinProtocol

Matt Caswell-2


On 08/07/2020 17:48, Klaus Umbach via openssl-users wrote:

> On 08.07.20 12:21, Viktor Dukhovni wrote:
>> On Wed, Jul 08, 2020 at 04:36:55PM +0100, Matt Caswell wrote:
>>
>>> On 08/07/2020 16:28, Viktor Dukhovni wrote:
>>>>> How could I set a system default "MinProtocol" for DTLS and TLS to 1.2?
>>>>
>>>> AFAIK, that's not presently possible.  You can specify application
>>>> profiles, for applications that specify an application name when
>>>> initializing OpenSSL.  Or use the OPENSSL_CONF environment variable to
>>>> select an alternative configuration file for DTLS applications.
>>>
>>> Arguably, that is a bug. You *should* be able to do that - perhaps based
>>> on some sensible mapping between TLS protocol versions based on whether
>>> we have a DTLS or TLS based SSL_METHOD.
>
> Should I open an issue at https://github.com/openssl/openssl/issues?

Yes please.


> But for my personal problem right now (openconnect uses TLS and DTLS, so
> even if it set an application name I couldn't set a "proper"
> setting), until this bug is fixed, I use this now:
>
>    # MinProtocol = TLSv1.2
>    Protocol = -TLSv1, -TLSv1.1, TLSv1.2, TLSv1.3, DTLSv1.2

Looks sane - although do you also mean to disable DTLSv1? Perhaps for
safety you should also disable SSLv3 (although support for it is not
built by default anyway).

Matt

Re: Order of protocols in MinProtocol

OpenSSL - User mailing list
On 08.07.20 17:57, Matt Caswell wrote:

>
>
> On 08/07/2020 17:48, Klaus Umbach via openssl-users wrote:
> > On 08.07.20 12:21, Viktor Dukhovni wrote:
> >> On Wed, Jul 08, 2020 at 04:36:55PM +0100, Matt Caswell wrote:
> >>
> >>> On 08/07/2020 16:28, Viktor Dukhovni wrote:
> >>>>> How could I set a system default "MinProtocol" for DTLS and TLS to 1.2?
> >>>>
> >>>> AFAIK, that's not presently possible.  You can specify application
> >>>> profiles, for applications that specify an application name when
> >>>> initializing OpenSSL.  Or use the OPENSSL_CONF environment variable to
> >>>> select an alternative configuration file for DTLS applications.
> >>>
> >>> Arguably, that is a bug. You *should* be able to do that - perhaps based
> >>> on some sensible mapping between TLS protocol versions based on whether
> >>> we have a DTLS or TLS based SSL_METHOD.
> >
> > Should I open an issue at https://github.com/openssl/openssl/issues?
>
> Yes please.

Done: https://github.com/openssl/openssl/issues/12394

>
>
> > But for my personal problem right now (openconnect uses TLS and DTLS, so
> > even if it set an application name I couldn't set a "proper"
> > setting), until this bug is fixed, I use this now:
> >
> >    # MinProtocol = TLSv1.2
> >    Protocol = -TLSv1, -TLSv1.1, TLSv1.2, TLSv1.3, DTLSv1.2
>
> Looks sane - although do you also mean to disable DTLSv1? Perhaps for
> safety you should also disable SSLv3 (although support for it is not
> built by default anyway).

Ah, thanks, I missed DTLSv1. (SSLv3 is not enabled in my build, but for
safety-reasons, you are right)

Thank you!

-
    Klaus

Re: Order of protocols in MinProtocol

Viktor Dukhovni
On Wed, Jul 08, 2020 at 07:27:18PM +0200, Klaus Umbach via openssl-users wrote:

> > > Should I open an issue at https://github.com/openssl/openssl/issues?
> >
> > Yes please.
>
> Done: https://github.com/openssl/openssl/issues/12394

Thanks again for opening the issue, but I have a follow-up question about
your original message that is easiest to ask on the list.

On Wed, Jul 08, 2020 at 04:58:39PM +0200, Klaus Umbach via openssl-users wrote:

> when I set "MinProtocol" to "TLSv1.2" in openssl.cnf, DTLSv1.2 doesn't work for
> the client (in my specific case openconnect).

- Can you be a bit more specific about the failure mode of "openconnect"?
- What are the error messages?
- Can you get verbose error information?

The reason I ask is that, much to my surprise, in trying to write a
patch to resolve this issue, I discovered that I had already written
essentially the requisite code back in 2015, but had long ago forgotten
the details!

Documentation improvements aside, the above 2015 code in OpenSSL already
applies TLS version bounds only to TLS-based contexts, and DTLS bounds
only to DTLS-based contexts.

Thus you can already write:

    MinProtocol TLSv1.2
    MinProtocol DTLSv1.2

repeating the option with appropriate settings for each of TLS and DTLS,
and each applies to the appropriate type of SSL_CTX.

The main outstanding issue, for which I'm authoring a new PR, is that
each of the above results in SSL_CONF_cmd() returning an error for
contexts of the other type or for contexts that are for a specific fixed
version of TLS or DTLS, and perhaps these errors are not ignored and
cause issues with context initialisation?  The update I'm writing will
be more forgiving and silently report success when the setting is not
applicable.

That aside, clearly the documentation also needs an update.  But I would
like to confirm that I'm not missing some crucial detail, and therefore
it would be very helpful to get a more detailed breakdown of the errors
you observed, assuming that the application isn't so user-friendly as to
hide all those geeky error details... :-(

--
    Viktor.
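As an added illustration (my own model, not code from this thread or from OpenSSL) of the two numeric orderings in Viktor's first reply and of the repeated MinProtocol lines just above: a small C program built on the constants quoted in the thread. The enum, the bound_applies/version_in_range/effective_min functions and the "naive" shared-floor comparison are assumptions for illustration, not OpenSSL's internal logic.

```c
#include <stdio.h>
/* Version numbers exactly as quoted from the OpenSSL headers earlier in this thread. */
#define TLS1_VERSION    0x0301
#define TLS1_1_VERSION  0x0302
#define TLS1_2_VERSION  0x0303
#define TLS1_3_VERSION  0x0304
#define DTLS1_VERSION   0xFEFF   /* DTLS numbers count DOWN: 1.0 is the largest value */
#define DTLS1_2_VERSION 0xFEFD

/* Which SSL_METHOD family the SSL_CTX was created with (SSL_CTX_new's required argument). */
enum method_kind { METHOD_TLS, METHOD_DTLS };
static int is_dtls_version(int v) { return v == DTLS1_VERSION || v == DTLS1_2_VERSION; }
static int is_tls_version(int v)  { return v >= TLS1_VERSION && v <= TLS1_3_VERSION; }

/* A Min/MaxProtocol value only makes sense for a context of the same family:
 * a TLS bound on a DTLS context (or vice versa) is not applicable. */
static int bound_applies(enum method_kind m, int bound) {
    return m == METHOD_DTLS ? is_dtls_version(bound) : is_tls_version(bound);
}

/* Is `version` inside [min, max] in its family's own ordering?  0 means "unbounded". */
static int version_in_range(int version, int min, int max) {
    if (is_dtls_version(version))              /* inverted: smaller number is newer */
        return !(min && version > min) && !(max && version < max);
    return !(min && version < min) && !(max && version > max);
}

/* Family-blind numeric floor, i.e. one shared MinProtocol for both families:
 * every DTLS value (0xFExx) sits above every TLS floor, so it filters nothing. */
static int naive_in_range(int version, int min) { return version >= min; }

/* Apply repeated MinProtocol lines to one context.  A bound from the other family is
 * skipped rather than treated as an error (the forgiving behaviour proposed above). */
static int effective_min(enum method_kind m, const int *bounds, int n) {
    int min = 0;
    for (int i = 0; i < n; i++)
        if (bound_applies(m, bounds[i]))
            min = bounds[i];                   /* last applicable line wins */
    return min;
}

int main(void) {
    const int cfg[] = { TLS1_2_VERSION, DTLS1_2_VERSION };  /* MinProtocol TLSv1.2 / DTLSv1.2 */
    printf("TLS ctx floor : 0x%04x\n", effective_min(METHOD_TLS, cfg, 2));
    printf("DTLS ctx floor: 0x%04x\n", effective_min(METHOD_DTLS, cfg, 2));
    printf("DTLS 1.0 under DTLSv1.2 floor: %s\n",
           version_in_range(DTLS1_VERSION, DTLS1_2_VERSION, 0) ? "allowed" : "blocked");
    printf("DTLS 1.0 under shared numeric floor 0x0303: %s\n",
           naive_in_range(DTLS1_VERSION, TLS1_2_VERSION) ? "allowed" : "blocked");
    return 0;
}
```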

Re: Order of protocols in MinProtocol

Kurt Roeckx
On Sun, Jul 12, 2020 at 12:29:43AM -0400, Viktor Dukhovni wrote:
>
> The main outstanding issue for which I'm authoring a new PR, is that
> each of the above results in SSL_CONF_cmd() returning an error for
> contexts of the other type or for contexts that are for a specific fixed
> version of TLS or DTLS, and perhaps these errors are not ignored and
> cause issues with context initialisation?  The update I'm writing will
> be more forgiving and silently report success when the setting is not
> applicable.

Looking at openconnect's code, it now supports 3 ways:
- DTLSv1_client_method() with DTLS1_BAD_VER.
- DTLS_client_method() with DTLS1_2_VERSION
- A PSK

The first 2 options will overwrite the protocol min and max version,
so whatever is in the config file will not have any effect.


Kurt