Question about TLS 1.3 and openssl -cipher aNULL option


Question about TLS 1.3 and openssl -cipher aNULL option

OpenSSL - User mailing list
Hello,

We have a server that was originally using OpenSSL 1.0.2h.
The server is configured to use SSL ciphers as follows:
ALL:!aNULL:!ADH:!EDH:!eNULL:!EXPORT
When an openssl client tries to connect to this server with the command
openssl s_client -connect localhost:8101 -cipher aNULL
it fails, because no aNULL ciphers are available per the server configuration.
We have now upgraded the server to use OpenSSL 1.1.1f.
The current behavior is this: the client can connect using the same command
openssl s_client -connect localhost:8101 -cipher aNULL
or
openssl s_client -tls1_3 -connect localhost:8101 -cipher aNULL

while the same connect attempt using the TLS 1.2 protocol would still fail:

openssl s_client -tls1_2 -connect localhost:8001 -cipher aNULL

Would the fact that I can connect to the server using TLS 1.3 with the following command (specifically, using -cipher aNULL, while the server is configured to exclude all aNULL cipher suites) be considered a security violation?

openssl s_client -tls1_3 -connect localhost:8001 -cipher aNULL

Also, if this is a security violation, how can this be addressed in the server configuration?
Lastly, if this is not a security violation, please explain.

Thank you,

Yury Mazin


Re: Question about TLS 1.3 and openssl -cipher aNULL option

Viktor Dukhovni
On Thu, Sep 03, 2020 at 11:45:28PM +0000, Yury Mazin via openssl-users wrote:

> We have a server that was originally using OpenSSL 1.0.2h.  Server is
> configured to use SSL ciphers as following:
>
>   ALL:!aNULL:!ADH:!EDH:!eNULL:!EXPORT
>
> When openssl client tries to connect to this server with command
>
>   openssl s_client -connect localhost:8101 -cipher aNULL
>
> it fails, because any aNULL ciphers are not available per server
> configuration.

As expected.

> We have now upgraded server to use OpenSSL 1.1.1f.  The current
> behavior is this:  client can connect using the same command
>
>   openssl s_client -connect localhost:8101 -cipher aNULL
> or
>   openssl s_client -tls1_3 -connect localhost:8101 -cipher aNULL

The "-cipher" command affects only the TLS <= 1.2 à la carte
ciphersuites, but not the TLS 1.3 Chinese menu cipher list.

So the TLS 1.3 ciphers remain unaffected and these send
a server certificate that the client ignores.

> while the same connect attempt using TLS1.2 protocol would still fail
>
>   openssl s_client -tls1_2 -connect localhost:8001 -cipher aNULL

As expected.

> Would the fact that I can connect to the server using TLS 1.3 using
> the following command (specifically, using -cipher aNULL, while server
> is configured to exclude all aNULL cipher suites) considered a
> security violation?

No. This is expected behaviour.

--
    Viktor.

Re: Question about TLS 1.3 and openssl -cipher aNULL option

OpenSSL - User mailing list
On Thu, Sep 03, 2020 at 11:45:28PM +0000, Yury Mazin via openssl-users wrote:

> Hello,
>
> We have a server that was originally using OpenSSL 1.0.2h.
> Server is configured to use SSL ciphers as following
> ALL:!aNULL:!ADH:!EDH:!eNULL:!EXPORT
> When openssl client tries to connect to this server with command
> openssl s_client -connect localhost:8101 -cipher aNULL
> it fails, because any aNULL ciphers are not available per server configuration.
> We have now upgraded server to use OpenSSL 1.1.1f.
> The current behavior is this:  client can connect using the same command
> openssl s_client -connect localhost:8101 -cipher aNULL
> or
> openssl s_client -tls1_3 -connect localhost:8101 -cipher aNULL
>
> while the same connect attempt using TLS1.2 protocol would still fail
>
> openssl s_client -tls1_2 -connect localhost:8001 -cipher aNULL
>
> Would the fact that I can connect to the server using TLS 1.3 using the following command (specifically, using -cipher aNULL, while server is configured to exclude all aNULL cipher suites) be considered a security violation?
>
> openssl s_client -tls1_3 -connect localhost:8001 -cipher aNULL
>
> Also, if this is a security violation, how can this be addressed in the server configuration?
> Lastly, if this is not a security violation, please explain.

It is not a security violation, because you are using TLS 1.3 ciphers,
and there are not any NULL-encryption TLS 1.3 ciphers.

Configuration of TLS 1.3 ciphers and ciphers for previous versions
of TLS are separate (since, at a protocol level, they serve different roles).
See the documentation for s_client/s_server -ciphersuites for more
information about TLS 1.3 ciphers.

-Ben

Re: [EXTERNAL] - Re: Question about TLS 1.3 and openssl -cipher aNULL option

OpenSSL - User mailing list
Thank you Benjamin,

According to OpenSSL, aNULL stands for no authentication.
The NULL ciphers that you mention would be part of the eNULL group, which offers no encryption.
Does it mean that all 3 default protocols of TLS 1.3 offer no authentication (because they are listed under the command below)?
openssl ciphers -v -s aNULL
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD

Thank you,

Yury




Re: [EXTERNAL] - Re: Question about TLS 1.3 and openssl -cipher aNULL option

Viktor Dukhovni
On Fri, Sep 04, 2020 at 07:00:01PM +0000, Yury Mazin via openssl-users wrote:

> Thank you Benjamin,
>
> According to OpenSSL , aNULL stands for no-authentication.

Specifically, SSL 3.0 through TLS 1.2 ciphers in which the server and
client exchange no certificates, and the TLS handshake consists largely
of an unsigned anonymous ephemeral DH or ECDH key exchange.

TLS 1.3 dropped support for anonymous DH and ECDH.  Server certificates
are *required*.  And the all-in-one ciphersuites of TLS <= 1.2 are
replaced with separately negotiated components.  As a result of which,
in OpenSSL 1.1.1 and later, they are controlled via a different set of
APIs and command-line options.

Specifically, in your case, the "-ciphers aNULL" option only applies
to TLS <= 1.2.

> Does it mean that all 3 default protocols of TLS 1.3 offer no
> authentication

No.  None of them "support no authentication" (which is not even strictly
true; it is the protocol that does not support "no authentication",
the TLS 1.3 ciphers are simply silent re certificate algorithm selection),
but the "-cipher aNULL" is simply not used when TLS 1.3 is negotiated,
so your question makes incorrect assumptions to reach its tentative
conclusions.

--
    Viktor.

Re: [EXTERNAL] - Re: Question about TLS 1.3 and openssl -cipher aNULL option

OpenSSL - User mailing list
Viktor,

Thank you for clarifying it.

Yury


Re: [EXTERNAL] - Re: Question about TLS 1.3 and openssl -cipher aNULL option

OpenSSL - User mailing list
Hello,

I have a question based on the response provided to me:

My question is why the following openssl commands (version 1.1.1f) return those TLSv1.3 ciphers as offering no authentication and no encryption?

C:\OpenText\iHub20.4-29324643-250C200831\ihub\modules\BIRTiHub\iHub\bin>openssl ciphers -v -s NULL
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD

C:\OpenText\iHub20.4-29324643-250C200831\ihub\modules\BIRTiHub\iHub\bin>openssl ciphers -v -s eNULL
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD

C:\OpenText\iHub20.4-29324643-250C200831\ihub\modules\BIRTiHub\iHub\bin>openssl ciphers -v -s aNULL
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD


Re: [EXTERNAL] - Re: Question about TLS 1.3 and openssl -cipher aNULL option

Viktor Dukhovni
On Tue, Sep 08, 2020 at 05:39:51PM +0000, Yury Mazin via openssl-users wrote:

> I have a question based on the response provided to me:
>
> My question is why following openssl commands (version 1.1.1f)  return
> those TLSv1.3 ciphers as offering no authentication and no encryption?

It does not.  You still have not understood that "-ciphers" constrains
**ONLY** the TLS 1.2 (and earlier) cipher lists.  When you say:

    ciphers ... NULL

you are asking for all the ciphers (TLS 1.2 and 1.3) where the TLS 1.2 ciphers
are NULL.  To also constrain the TLS 1.3 ciphers you MUST use the

    -ciphersuites ...

option to list the desired TLS 1.3 ciphersuites, otherwise they remain
unconstrained.

--
    Viktor.

Re: [EXTERNAL] - Re: Question about TLS 1.3 and openssl -cipher aNULL option

Tomas Mraz-2
On Tue, 2020-09-08 at 17:39 +0000, Yury Mazin via openssl-users wrote:
> Hello,
>
> I have a question based on the response provided to me:
>
> My question is why following openssl commands (version 1.1.1f)
> return those TLSv1.3 ciphers as offering no authentication and no
> encryption?

What do you mean by no authentication and no encryption? The encryption
is provided as you can see with the Enc=.... value. And authentication
is provided as well because Au=any applies here meaning any
authentication method available in TLS-1.3 protocol.

As it was explained before the cipher string does not apply to TLS-1.3
ciphersuites so it does not matter if you put NULL, eNULL, aNULL or
anything else as the last parameter of the ciphers command.


--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]
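Added example, not part of the thread and not OpenSSL project code: the Python script below uses only the standard library's ssl module, which wraps the same OpenSSL calls that s_client and s_server use, to reproduce the point Viktor and Tomas make above. SSLContext.set_ciphers() is SSL_CTX_set_cipher_list(), i.e. the -cipher option, and filters only the TLS 1.2-and-earlier suites; the TLS 1.3 suites stay in the supported list whatever the string says, and they report Au=auth-any rather than auth-null because authentication is negotiated outside the suite in TLS 1.3. The function names and SERVER_CIPHER_STRING (the server's string from the first post) are my own choices. Python's ssl module has no equivalent of SSL_CTX_set_ciphersuites() / the -ciphersuites option, so from Python you can audit the effect of a cipher string but not restrict the TLS 1.3 list; for that you need the CLI option or the C API.

```python
"""Show what an OpenSSL cipher string really constrains.

A cipher string such as "aNULL" or "ALL:!aNULL:!ADH:!EDH:!eNULL:!EXPORT"
goes through SSL_CTX_set_cipher_list() (the CLI's -cipher option) and only
filters TLS <= 1.2 suites.  The TLS 1.3 suites ride along untouched, which is
exactly what "openssl ciphers -v -s aNULL" showed in the thread.
"""
import ssl
from typing import List

# Server-side cipher string quoted in the thread.
SERVER_CIPHER_STRING = "ALL:!aNULL:!ADH:!EDH:!eNULL:!EXPORT"

# Whether the linked OpenSSL speaks TLS 1.3 at all (needs 1.1.1 or later).
HAS_TLS13 = ssl.HAS_TLSv1_3


def supported_suites(cipher_string: str) -> List[dict]:
    """Apply a cipher string to a fresh context and return the suites OpenSSL
    would actually offer.  SSLContext.get_ciphers() wraps
    SSL_get1_supported_ciphers(), so the security level and protocol bounds
    are already applied, like 'openssl ciphers -s'.  Each entry is a dict
    with at least 'name', 'protocol', 'kea' and 'auth' keys."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers(cipher_string)  # SSL_CTX_set_cipher_list(): TLS <= 1.2 only
    return ctx.get_ciphers()


def tls13_suites(suites: List[dict]) -> List[str]:
    """Names of the TLS 1.3 suites present in the list."""
    return [s["name"] for s in suites if s["protocol"] == "TLSv1.3"]


def anonymous_suites(suites: List[dict]) -> List[str]:
    """Suites that offer no server authentication (OpenSSL's aNULL class,
    reported as auth-null).  TLS 1.3 suites report auth-any instead."""
    return [s["name"] for s in suites if s["auth"] == "auth-null"]


def tls13_unaffected_by(cipher_string: str) -> bool:
    """True if the cipher string left the TLS 1.3 suites exactly as they are
    under the unrestricted string "ALL", i.e. it did not constrain them."""
    return tls13_suites(supported_suites(cipher_string)) == tls13_suites(
        supported_suites("ALL")
    )


def render(suites: List[dict]) -> str:
    """One line per suite, in the spirit of 'openssl ciphers -v'."""
    return "\n".join(
        f"{s['name']:<30} {s['protocol']:<8} Kx={s['kea']:<10} Au={s['auth']}"
        for s in suites
    )


if __name__ == "__main__":
    for cipher_string in ("aNULL", SERVER_CIPHER_STRING):
        suites = supported_suites(cipher_string)
        print(f"--- set_ciphers({cipher_string!r}) ---")
        print(render(suites))
        print("TLS 1.3 suites still offered:", tls13_suites(suites))
        print("anonymous suites offered:    ", anonymous_suites(suites))
        print()
```

Run with python3. At OpenSSL's default security level the "aNULL" string yields only the TLS 1.3 entries (the ADH/AECDH suites it selects are refused at level 1 and above), while the server's string yields its TLS 1.2 suites plus the same TLS 1.3 entries; tls13_unaffected_by() is True for both, which is the "expected behaviour" Viktor describes.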



Re: [EXTERNAL] - Re: Question about TLS 1.3 and openssl -cipher aNULL option

OpenSSL - User mailing list
Viktor,

Thank you.

Yury

