Systemwide configurability of OpenSSL

Systemwide configurability of OpenSSL

Tomas Mraz-2
I would like to restart the discussion about possibilities of system-
wide configurability of OpenSSL and particularly libssl.

Historically OpenSSL allowed only for configuration of the enabled
ciphersuites list if application called appropriate API call. This is
now enhanced with the SSL_CONF API and the applications can set things
such as allowed signature algorithms or protocol versions via this API.

However libssl currently does not have a way to apply some policy such
as using just protocol TLS1.2 or better system-wide with a possibility
for sysadmin to configure this via some configuration file. Of course
it would still be up to individual application configurations whether
they override such policy or not, but it would be useful for sysadmin
to be able to set such policy and depend on that setting if he does not
modify the settings in individual application configurations.

How would openssl maintainers regard a patch that would add loading of
a system-wide SSL configuration file on startup and application of it
on SSL_CTX initialization (or some other appropriate place)? Is this
approach the way to go forward or do you have some better way in mind?

Such an effort was initially attempted at:
https://github.com/openssl/openssl/pull/192 and
https://github.com/openssl/openssl/pull/193 pull requests but given the
comments, we are exploring other options to achieve that goal. What do
you think could be a better way?

Thanks for your comments,
--
Tomáš Mráz
Red Hat

No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]

 * Google and NSA associates, this message is none of your business.
 * Please leave it alone, and consider whether your actions are
 * authorized by the contract with Red Hat, or by the US constitution.
 * If you feel you're being encouraged to disregard the limits built
 * into them, remember Edward Snowden and Wikileaks.
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: Systemwide configurability of OpenSSL

Steffen Nurpmeso-2
Hello.

Tomas Mraz <[hidden email]> wrote:
 |I would like to restart the discussion about possibilities of system-
 |wide configurability of OpenSSL and particularly libssl.
 |
 |Historically OpenSSL allowed only for configuration of the enabled
 |ciphersuites list if application called appropriate API call. This is
 |now enhanced with the SSL_CONF API and the applications can set thing
 |such as allowed signature algorithms or protocol versions via this API.

Now is the time to thank the OpenSSL for this improvement which
will change the world mid- or long term: thank you!

In my opinion it is a tremendous improvement that it is now
possible to configure OpenSSL via a central (or not) configuration
file if applications adhere to the rules!  Oh what a brilliant
brain must have hatched this idea.  (Just kidding.)
The MUA I maintain for example supports this since v14.9.4
released nine days ago, documented as

  ssl-config-module-USER@HOST, ssl-config-module-HOST, ssl-config-module
   [Option] If file based application-specific configuration
   via ssl-config-file is available, announced as ‘+ctx-config’
   by ssl-features, indicating availability of
   SSL_CTX_config(3), then, it becomes possible to use a
   central SSL/TLS configuration file for all programs,
   including steffensmua, e.g.:

         # Register a configuration section for steffensmua
         steffensmua = mailx_master
         # The top configuration section creates a relation
         # in between dynamic SSL configuration and an actual
         # program specific configuration section
         [mailx_master]
         ssl_conf = mailx_ssl_config
         # Well that actual program specific configuration section
         # now can map individual ssl-config-module names to sections,
         # e.g., ssl-config-module=account_xy
         [mailx_ssl_config]
         account_xy = mailx_account_xy
         account_yz = mailx_account_yz
         [mailx_account_xy]
         MinProtocol = TLSv1.2
         Curves=P-521
         [mailx_account_yz]
         CipherString = TLSv1.2:!aNULL:!eNULL:
         MinProtocol = TLSv1.1
         Options = Bugs

So obviously it took me a while to figure out how this works; the
documentation clearly has been written in a hurry by someone who
entirely penetrates OpenSSL intellectually, to say the least.
Nothing for the highly sensitive ones.  My implementation is
super simple, then:

    /* *ssl-config-module* names the section to hand to SSL_CTX_config() */
    if((cp = xok_vlook(ssl_config_module, urlp, OXM_ALL)) != NULL){
  # ifdef HAVE_XSSL_CTX_CONFIG
        /* The module can only be applied once the *ssl-config-file*
         * has been loaded via CONF_modules_load_file() */
        if(!(a_xssl_state & a_XSSL_S_CONF_LOAD)){
           n_err(_("*ssl-config-module*: no *ssl-config-file* "
              "loaded: %s\n"), n_shexp_quote_cp(cp, FAL0));
           goto jleave;
        }else if(!SSL_CTX_config(ctxp, cp)){
           /* Section missing or a command in it was rejected */
           ssl_gen_err(_("*ssl-config-module*: load error for %s, "
              "section [%s]"), n_uagent, n_shexp_quote_cp(cp, FAL0));
           goto jleave;
        }
  # else
        /* Built against an OpenSSL without SSL_CTX_config(3) */
        n_err(_("*ssl-config-module*: set but not supported: %s\n"),
           n_shexp_quote_cp(cp, FAL0));
        goto jleave;
  # endif
     }

 |However libssl currently does not have a way to apply some policy such
 |as using just protocol TLS1.2 or better system-wide with a possibility
 |for sysadmin to configure this via some configuration file. Of course
 |it would still be up to individual application configurations whether
 |they override such policy or not, but it would be useful for sysadmin
 |to be able to set such policy and depend on that setting if he does not
 |modify the settings in individual application configurations.
 |
 |How would openssl maintainers regard a patch that would add loading of
 |a system-wide SSL configuration file on startup and application of it

Having a global one and especially giving administrators the
possibility to provide an outer clamp that cannot be loosened any
further, though further restricted, would indeed be good.
And that being applied automatically just when SSL library is
initialized, without an explicit application-side
CONF_modules_load_file().  If i recall correctly that was the
original suggestion.

And is it actually possible to have a generic "super-section" that
is applied even if an application specific one has been chosen?
And unfortunately it is not possible to say MinProtocol=Latest,
like this users have to be aware, even if they are not.  With
MinProtocol=Latest they would only have to face this jungle of
non-understanding (be honest: Google/DuckDuckGo plus
copy-and-paste, isn't it) if something really fails.

 |on SSL_CTX initialization (or some other appropriate place)? Is this
 |approach the way to go forward or do you have some better way on mind?
 |
 |Such an effort was initially attempted at:
 |https://github.com/openssl/openssl/pull/192 and
 |https://github.com/openssl/openssl/pull/193 pull requests but given the
 |comments, we are exploring other options to achieve that goal. What do
 |you think could be a better way?
 |
 |Thanks for your comments,

Always a pleasure.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
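The section chain in the configuration above (program name -> top
section -> ssl_conf -> module -> SSL section, which is the lookup
SSL_CTX_config(3) performs after CONF_modules_load_file()), together
with the system-wide "outer clamp" this thread asks for, modelled in
Python as an added example. This is not code from the MUA or from
OpenSSL and it never calls libssl: the sample config is constructed,
the section name system_default for the administrator's policy is an
assumption, and the clamp rules (MinProtocol may only rise; the
policy's "!" cipher exclusions are appended, because a "!" rule removes
ciphers permanently wherever it appears in the string) are the
proposed semantics, not current OpenSSL behaviour.

```python
"""Model of the openssl.cnf section chain behind SSL_CTX_config(3) and of the
system-wide policy proposed in this thread.  Added example: it never calls
libssl, and the clamp rules are an assumption, not OpenSSL behaviour."""
from __future__ import annotations

# Rank used to compare MinProtocol values (TLS only).
_PROTO_RANK = {"TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

# Constructed sample file.  The 'steffensmua' chain copies the layout in the
# post above; 'openssl_conf -> default_conf -> ssl_sect' is the usual
# library-level chain and 'system_default' is the assumed name of the
# section carrying the administrator's policy.
SAMPLE_CNF = """\
# unnamed section: application name -> its top section
openssl_conf = default_conf
steffensmua  = mailx_master
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = site_policy
[site_policy]
MinProtocol  = TLSv1.2
CipherString = DEFAULT:!aNULL:!eNULL:!MD5:!RC4
[mailx_master]
ssl_conf = mailx_ssl_config
[mailx_ssl_config]
account_xy = mailx_account_xy
account_yz = mailx_account_yz
[mailx_account_xy]
MinProtocol = TLSv1.2
Curves      = P-521
[mailx_account_yz]
CipherString = TLSv1.2:!aNULL:!eNULL:
MinProtocol  = TLSv1.1
Options      = Bugs
"""


def parse_cnf(text: str) -> dict[str, dict[str, str]]:
    """'[section]' headers, 'key = value' pairs, '#' comments; the unnamed
    leading section is stored under ''.  $var expansion is not modelled."""
    sections: dict[str, dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        sections[current][key.strip()] = value.strip()
    return sections


def ssl_section(cnf: dict, appname: str, module: str) -> dict[str, str]:
    """appname -> top section -> ssl_conf -> module -> SSL section: the lookup
    SSL_CTX_config(ctx, module) does after CONF_modules_load_file(.., appname)."""
    top = cnf[""][appname]                    # KeyError: app not registered
    ssl_conf = cnf[top]["ssl_conf"]           # KeyError: no ssl_conf key
    return dict(cnf[cnf[ssl_conf][module]])   # KeyError: module not mapped


def system_policy(cnf: dict) -> dict[str, str]:
    """The administrator's section, reached through the openssl_conf chain."""
    return ssl_section(cnf, "openssl_conf", "system_default")


def apply_clamp(policy: dict[str, str], app: dict[str, str]) -> dict[str, str]:
    """Merge an application section under a policy that may be tightened but
    not loosened (assumed semantics): the higher MinProtocol floor wins; the
    policy's '!' cipher exclusions are appended, because a '!' rule removes
    ciphers permanently wherever it appears; unset keys inherit the policy."""
    effective = {**policy, **app}
    if "MinProtocol" in policy:
        floor = policy["MinProtocol"]
        if _PROTO_RANK[effective["MinProtocol"]] < _PROTO_RANK[floor]:
            effective["MinProtocol"] = floor
    if "CipherString" in policy and "CipherString" in app:
        tokens = [t for t in app["CipherString"].split(":") if t]
        for excl in policy["CipherString"].split(":"):
            if excl.startswith("!") and excl not in tokens:
                tokens.append(excl)
        effective["CipherString"] = ":".join(tokens)
    return effective


def effective_settings(text: str, appname: str, module: str | None) -> dict[str, str]:
    """What a default-on, opt-out-only loader would hand to a new SSL_CTX:
    the policy alone when the application names no module, otherwise the
    module's section clamped by that policy."""
    cnf = parse_cnf(text)
    policy = system_policy(cnf)
    if module is None:
        return policy
    return apply_clamp(policy, ssl_section(cnf, appname, module))
```

Asking for account_yz shows the clamp at work: its MinProtocol = TLSv1.1
is raised to the policy's TLSv1.2 and !MD5:!RC4 are appended to its
CipherString, while Options = Bugs and the Curves of account_xy pass
through untouched. An application that names no module at all gets the
policy unchanged, which is the default-on, opt-out-not-opt-in behaviour
requested further down the thread; a module that is not mapped raises
KeyError, matching the "load error" path in the MUA code above.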
Re: Systemwide configurability of OpenSSL

Tomas Mraz-2
On 09/28/2017 12:21 AM, Steffen Nurpmeso wrote:

> Hello.
>
> Tomas Mraz <[hidden email]> wrote:
>  |I would like to restart the discussion about possibilities of system-
>  |wide configurability of OpenSSL and particularly libssl.
>  |
>  |Historically OpenSSL allowed only for configuration of the enabled
>  |ciphersuites list if application called appropriate API call. This is
>  |now enhanced with the SSL_CONF API and the applications can set thing
>  |such as allowed signature algorithms or protocol versions via this API.
>
> Now is the time to thank the OpenSSL for this improvement which
> will change the world mid- or long term: thank you!

+1

...

>  |However libssl currently does not have a way to apply some policy such
>  |as using just protocol TLS1.2 or better system-wide with a possibility
>  |for sysadmin to configure this via some configuration file. Of course
>  |it would still be up to individual application configurations whether
>  |they override such policy or not, but it would be useful for sysadmin
>  |to be able to set such policy and depend on that setting if he does not
>  |modify the settings in individual application configurations.
>  |
>  |How would openssl maintainers regard a patch that would add loading of
>  |a system-wide SSL configuration file on startup and application of it
>
> Having a global one and especially giving administrators the
> possibility to provide an outer clamp that cannot be loosened any
> further, though further restricted, would indeed be good.
> And that being applied automatically just when SSL library is
> initialized, without an explicit application-side
> CONF_modules_load_file().  If i recall correctly that was the
> original suggestion.
>
> And is it actually possible to have a generic "super-section" that
> is applied even if an application specific one has been chosen?
> And unfortunately it is not possible to say MinProtocol=Latest,
> like this users have to be aware, even if they are not.  With
> MinProtocol=Latest they would only have to face this jungle of
> non-understanding (be honest: Google/DuckDuckGo plus
> copy-and-paste, isn't it) if something really fails.

The problem is that by default the applications do not read the file and
do not apply the defaults. Even the openssl s_client/s_server does not
seem to work, but I might be doing something wrong.

What I would like to see is applying the defaults unconditionally or
maybe with some possibility to opt-out of it by application but not opt-in.

Can I please get at least some response from the openssl team? Should I
open an issue on github for that feature?

Tomas Mraz
Re: Systemwide configurability of OpenSSL

Matt Caswell-2


On 25/10/17 16:19, Tomas Mraz wrote:

>>  |However libssl currently does not have a way to apply some policy such
>>  |as using just protocol TLS1.2 or better system-wide with a possibility
>>  |for sysadmin to configure this via some configuration file. Of course
>>  |it would still be up to individual application configurations whether
>>  |they override such policy or not, but it would be useful for sysadmin
>>  |to be able to set such policy and depend on that setting if he does not
>>  |modify the settings in individual application configurations.
>>  |
>>  |How would openssl maintainers regard a patch that would add loading of
>>  |a system-wide SSL configuration file on startup and application of it
>>
>> Having a global one and especially giving administrators the
>> possibility to provide an outer clamp that cannot be loosened any
>> further, though further restricted, would indeed be good.
>> And that being applied automatically just when SSL library is
>> initialized, without an explicit application-side
>> CONF_modules_load_file().  If i recall correctly that was the
>> original suggestion.
>>
>> And is it actually possible to have a generic "super-section" that
>> is applied even if an application specific one has been chosen?
>> And unfortunately it is not possible to say MinProtocol=Latest,
>> like this users have to be aware, even if they are not.  With
>> MinProtocol=Latest they would only have to face this jungle of
>> non-understanding (be honest: Google/DuckDuckGo plus
>> copy-and-paste, isn't it) if something really fails.
>
> The problem is that by default the applications do not read the file and
> do not apply the defaults. Even the openssl s_client/s_server does not
> seem to work, but I might be doing something wrong.
>
> What I would like to see is applying the defaults unconditionally or
> maybe with some possibility to opt-out of it by application but not opt-in.
>
> Can I please get at least some response from the openssl team? Should I
> open an issue on github for that feature?

Hmmmm....seems like something that would go in OPENSSL_init_ssl() (which
is called automatically at start up).

Matt

Re: Systemwide configurability of OpenSSL

Kurt Roeckx
In reply to this post by Tomas Mraz-2
On Wed, Oct 25, 2017 at 05:19:23PM +0200, Tomas Mraz wrote:

>
> The problem is that by default the applications do not read the file and
> do not apply the defaults. Even the openssl s_client/s_server does not
> seem to work, but I might be doing something wrong.
>
> What I would like to see is applying the defaults unconditionally or
> maybe with some possibility to opt-out of it by application but not opt-in.
>
> Can I please get at least some response from the openssl team? Should I
> open an issue on github for that feature?

I would like to see something like that happen.


Kurt
