SSLv2 & SSLv3


SSLv2 & SSLv3

Dominyk Tiller

Hey all,

I wondered if you all had an opinion on disabling SSLv2 & SSLv3 during
the ./configure process, and what kind of impact that'd have for
end-users and general compatibility when building against an updated
version of OpenSSL.

It's a discussion that has generated quite a bit of heat in this
discussion over at Homebrew on Github:
https://github.com/Homebrew/homebrew/pull/30504

Would appreciate any input & clarity on this.

Cheers,

Dominyk
--
Sent from Thunderbird for OS X. My PGP public key is automatically
attached to this email.

Re: SSLv2 & SSLv3

Kurt Roeckx
On Sat, Jun 28, 2014 at 06:34:01PM +0100, Dominyk Tiller wrote:
> Hey all,
>
> I wondered if you all had an opinion on disabling SSLv2 & SSLv3 during
> the ./configure process, and what kind of impact that'd have for
> end-users and general compatibility when building against an updated
> version of OpenSSL.

Debian has been built with no SSLv2 support since 2011.  There
were a few minor issues solved, but none of them were actually
related to talking to other peers.  I didn't get any complaints
about not having SSLv2 support.

Last time I checked there were still a few sites that only talk
SSLv2, but I guess the numbers are so low that they can and
should be ignored.

Most servers that support SSLv3 also support TLS 1.0.  It should
probably be doable to disable SSLv3 without much impact.

The most recent stats about servers I know about are:
https://lists.fedoraproject.org/pipermail/security/2014-April/001810.html

But I'm guessing you're more interested in the client side
support for TLS 1.0 or higher.  I don't have any real numbers
about it, but I'm actually less worried about the clients.

Anyway, I wouldn't mind seeing a patch that would make it possible
to build openssl without SSLv3 support.  That doesn't mean it's
going to be enabled by default, but it would give people the
option to disable it if they want to.

If you make such a patch, I might disable SSLv3 support in Debian,
but that's unlikely to make it in jessie.


Kurt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]

Re: SSLv2 & SSLv3

Hanno Böck
On Sat, 28 Jun 2014 20:05:21 +0200
Kurt Roeckx <[hidden email]> wrote:

> If you make such a patch, I might disable SSLv3 support in Debian,
> but that's unlikely to make it in jessie.

The openssl configure script already has a disable-ssl3 option.

I experimented with it a while back and it didn't have any impact. I'm
also running my servers without sslv3 (although the openssl there still
supports it, I just disable it in the software configurations).

--
Hanno Böck
http://hboeck.de/

mail/jabber: [hidden email]
GPG: BBB51E42


RE: SSLv2 & SSLv3

Salz, Rich
In reply to this post by Kurt Roeckx
We need to support embedded clients that only speak SSL2 :(

--  
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: [hidden email]; Twitter: RichSalz


RE: SSLv2 & SSLv3

Jan
So leave it in 0.9.8, and disable it by default in all newer branches. In my opinion it is a bad choice to enable ssl2 by default just to be able to speak with insecure devices.
Cheers, Jan

On 29 June 2014 00:17:59 CEST, "Salz, Rich" <[hidden email]> wrote:
We need to support embedded clients that only speak SSL2 :(

--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: [hidden email]; Twitter: RichSalz




--
This message was sent from my Android mobile phone with K-9 Mail.

RE: SSLv2 & SSLv3

Salz, Rich

I have no problem disabling it by default and think that should have been done awhile ago, actually.

--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: [hidden email]; Twitter: RichSalz


RE: SSLv2 & SSLv3

J. J. Farrell
In reply to this post by Hanno Böck
> From: Hanno Böck [mailto:[hidden email]]
> Sent: Saturday, June 28, 2014 10:36 PM
>
> On Sat, 28 Jun 2014 20:05:21 +0200
> Kurt Roeckx <[hidden email]> wrote:
>
> > If you make such a patch, I might disable SSLv3 support in Debian,
> > but that's unlikely to make it in jessie.
>
> The openssl configure script already has a disable-ssl3 option.
>
> I experimented with it a while back and it didn't have any impact. I'm
> also running my servers without sslv3 (although the openssl there still
> supports it, I just disable it in the software configurations).

I had a quick play with building 1.0.1g with both SSLv2 and SSLv3 disabled a couple of weeks ago. There are unfortunate effects in the openssl application at least, where some logic appears not to have been updated for TLS. If both SSLv2 and SSLv3 are disabled, some commands are removed. For example the 'ciphers' command is removed, presumably on the basis that if you don't have SSLv2 or SSLv3 then you can't have any interest in cipher suites. Didn't have time to pursue it further at the time, but was concerned there might be other less obvious problems.

It looks like there is some work to do to make this clean across the full project.

Re: SSLv2 & SSLv3

Dr. Stephen Henson
On Sat, Jun 28, 2014, Jeremy Farrell wrote:

> > From: Hanno Böck [mailto:[hidden email]]
> > Sent: Saturday, June 28, 2014 10:36 PM
> >
> > On Sat, 28 Jun 2014 20:05:21 +0200
> > Kurt Roeckx <[hidden email]> wrote:
> >
> > > If you make such a patch, I might disable SSLv3 support in Debian,
> > > but that's unlikely to make it in jessie.
> >
> > The openssl configure script already has a disable-ssl3 option.
> >
> > I experimented with it a while back and it didn't have any impact. I'm
> > also running my servers without sslv3 (although the openssl there still
> > supports it, I just disable it in the software configurations).
>
> I had a quick play with building 1.0.1g with both SSLv2 and SSLv3 disabled a couple of weeks ago. There are unfortunate effects in the openssl application at least, where some logic appears not to have been updated for TLS. If both SSLv2 and SSLv3 are disabled, some commands are removed. For example the 'ciphers' command is removed, presumably on the basis that if you don't have SSLv2 or SSLv3 then you can't have any interest in cipher suites. Didn't have time to pursue it further at the time, but was concerned there might be other less obvious problems.
>
> It looks like there is some work to do to make this clean across the full project.

Looks like the logic in ciphers and progs.pl is rather ancient. I've just
updated it so ciphers, s_client and s_server now work with no-ssl2 no-ssl3. I'd
be interested to know if anyone sees any other side effects.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: SSLv2 & SSLv3

Dr. Stephen Henson
In reply to this post by Dominyk Tiller
On Sat, Jun 28, 2014, Dominyk Tiller wrote:

>
> I wondered if you all had an opinion on disabling SSLv2 & SSLv3 during
> the ./configure process, and what kind of impact that'd have for
> end-users and general compatibility when building against an updated
> version of OpenSSL.
>

There are several different ways SSLv2 and SSLv3 could be disabled.

If you don't include any SSLv2 ciphersuites in the cipher list (the default
does not) then SSLv2 is disabled anyway. An application that really needs to
support SSLv2 can reenable if they so wish by changing the cipher list.

If OpenSSL is configured with no-ssl2 then SSLv2 can never be used even if the
cipher string is changed. It's a similar case with no-ssl3.

The master branch links supported versions to security levels. If the security
level is higher than zero (default is 1) then SSLv2 is disabled. If the level
is 2 or higher then SSLv3 is also disabled.

There is another possibility which OpenSSL currently doesn't support. The
default options could include SSL_OP_NO_* flags to disable SSLv2 and SSLv3 by
default. An application wishing to reenable them could clear the appropriate
flags but few (if any) existing applications do that.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: SSLv2 & SSLv3

Hubert Kario
In reply to this post by Kurt Roeckx
----- Original Message -----
> From: "Kurt Roeckx" <[hidden email]>
> To: [hidden email]
> Sent: Saturday, 28 June, 2014 8:05:21 PM
> Subject: Re: SSLv2 & SSLv3
>
>
> The most recent stats about servers I know about is:
> https://lists.fedoraproject.org/pipermail/security/2014-April/001810.html

There are newer ones from June:
https://lists.fedoraproject.org/pipermail/security/2014-June/001945.html
(it looks though like enabling SNI made SSLv2 sites drop off, I'll see
if I can do something about it next month)

And a bit older from May:
https://lists.fedoraproject.org/pipermail/security/2014-May/001853.html

But as Steven said, SSLv2 won't be enabled client or server side if the
default cipher order is not modified to include SSLv2 ciphers so there
is limited gain in disabling SSLv2.

As far as misconfigured servers go, single DES and export grade ciphers
are a much, much more common problem at 20% and 15% respectively.
--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: [hidden email]
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

Re: SSLv2 & SSLv3

Hubert Kario
----- Original Message -----
> From: "Hubert Kario" <[hidden email]>
> To: [hidden email]
> Sent: Monday, 30 June, 2014 11:44:38 AM
> Subject: Re: SSLv2 & SSLv3
>
> But as Steven said,

Sorry, I meant Stephen.

--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: [hidden email]
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

Re: SSLv2 & SSLv3

Dr. Stephen Henson
In reply to this post by Hubert Kario
On Mon, Jun 30, 2014, Hubert Kario wrote:

> As far as misconfigured servers go, single DES and export grade ciphers
> are much, much more common problem at 20% and 15% respectively.

The security levels code also addresses that. By default any ciphersuite
offering below 80 bits of equivalent security is disabled along with SSLv2.
That includes single DES and all export ciphersuites. It's also not something
which can be reenabled by accident either. Even if a cipher list is set to ALL
those still get disabled: the only way to reenable them is to set the security
level to zero as well.

Support is unfortunately only in master at present though.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
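Added example, not code from this thread, from OpenSSL or from any of the posters: Stephen Henson's two messages above describe several layers at which SSLv2/SSLv3 and sub-80-bit ciphersuites can be switched off (compile-time no-ssl2/no-ssl3, the cipher list, SSL_OP_NO_* option flags, and the security level that later shipped in 1.1.0). The script below uses Python's ssl module, which wraps an OpenSSL SSL_CTX, to show those layers from the application side and to audit what a context actually offers. It assumes Python 3.7 or newer linked against OpenSSL 1.1.0 or newer (the @SECLEVEL cipher-string syntax and ssl.HAS_SSLv2/HAS_SSLv3 need that); the function and constant names are this example's own.

```python
import ssl

# Security level 2 requires at least 112 bits of security per suite and key.
MIN_SECURITY_BITS = 112


def default_context():
    """A fresh client context with no tuning at all.

    Python's wrapper already ORs SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 into
    the options of every new context: exactly the "default options include
    SSL_OP_NO_* flags" approach the thread says OpenSSL itself did not take.
    """
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def hardened_context(min_version=ssl.TLSVersion.TLSv1_2, seclevel=2):
    """Client context that disables old protocols and weak suites explicitly."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Protocol floor: the modern replacement for ORing in SSL_OP_NO_* flags.
    ctx.minimum_version = min_version
    # "@SECLEVEL=n" in the cipher string sets the context's security level,
    # the mechanism described in the thread; it also rejects weak keys and
    # cannot be undone by a later "ALL" cipher string alone.
    ctx.set_ciphers(f"DEFAULT:@SECLEVEL={seclevel}")
    return ctx


def audit_context(ctx):
    """Report which of the disabling mechanisms are in force for one context."""
    # SSL_CTX_get_ciphers() returns the list as configured; the security
    # level is enforced again at handshake time, so this check looks at
    # the strength of what the list itself still contains.
    weak = [c["name"] for c in ctx.get_ciphers()
            if c["strength_bits"] < MIN_SECURITY_BITS]
    return {
        # Compile-time: no-ssl2 / no-ssl3 at ./config time remove the code
        # outright; these flags reflect how the linked libssl was built.
        "build_has_sslv2": ssl.HAS_SSLv2,
        "build_has_sslv3": ssl.HAS_SSLv3,
        # Run-time option flag (SSL_OP_NO_SSLv3) on this context.
        "op_no_sslv3": bool(ctx.options & ssl.OP_NO_SSLv3),
        # Protocol floor, as an enum name such as "TLSv1_2".
        "minimum_version": ctx.minimum_version.name,
        # Security level (readable on Python 3.10+; None on older versions).
        "security_level": getattr(ctx, "security_level", None),
        # Suites below the level-2 bar still present in the list; expect [].
        "weak_ciphers": weak,
    }


if __name__ == "__main__":
    for label, ctx in (("default", default_context()),
                       ("hardened", hardened_context())):
        print(label, audit_context(ctx))
```

Running it prints one report per context; the useful check in a deployment is the hardened report showing an empty weak_ciphers list, build_has_sslv2 False, and the protocol floor you intended, which is the same information the openssl ciphers and s_client commands give once they work with no-ssl2 no-ssl3 builds.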

Re: SSLv2 & SSLv3

Tomas Mraz
On Mon, 2014-06-30 at 15:19 +0200, Dr. Stephen Henson wrote:

> On Mon, Jun 30, 2014, Hubert Kario wrote:
>
> > As far as misconfigured servers go, single DES and export grade ciphers
> > are much, much more common problem at 20% and 15% respectively.
>
> The security levels code also addresses that. By default any ciphersuite
> offering below 80 bits of equivalent security is disabled along with SSLv2.
> That includes single DES and all export ciphersuites. It's also not something
> which can be reenabled by accident either. Even if a cipher list is set to ALL
> those still get disabled: the only way to reenable them is to set the security
> level to zero as well.
>
> Support is unfortunately only in master at present though.

Would it be possible to get it to 1.0.2? Or is that already closed for
enhancements? Or does it break ABI compatibility?

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)



Re: SSLv2 & SSLv3

Dr. Stephen Henson
On Mon, Jun 30, 2014, Tomas Mraz wrote:

> On Po, 2014-06-30 at 15:19 +0200, Dr. Stephen Henson wrote:
> > On Mon, Jun 30, 2014, Hubert Kario wrote:
> >
> > > As far as misconfigured servers go, single DES and export grade ciphers
> > > are much, much more common problem at 20% and 15% respectively.
> >
> > The security levels code also addresses that. By default any ciphersuite
> > offering below 80 bits of equivalent security is disabled along with SSLv2.
> > That includes single DES and all export ciphersuites. It's also not something
> > which can be reenabled by accident either. Even if a cipher list is set to ALL
> > those still get disabled: the only way to reenable them is to set the security
> > level to zero as well.
> >
> > Support is unfortunately only in master at present though.
>
> Would it be possible to get it to 1.0.2? Or is that already closed for
> enhancements? Or does it break ABI compatibility?
>

The ABI is compliant.

I'd love to get it into 1.0.2 but since it's in a code freeze and in beta no
new features are permitted.

The changes to add security levels are rather significant and not very well
tested yet. They will be in OpenSSL 1.0.3 which will be released much sooner
than previous feature releases.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org