openssl 1.0.1i ignores ciphers in cipherlist

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

openssl 1.0.1i ignores ciphers in cipherlist

Frank Meier

While testing different ciphersuites I found a quite drastic change in
the behavior between openssl version 1.0.1h to 1.0.1i. While using a
cipherlist like "ECDHE-RSA-AES128-SHA256:RC4" with 1.0.1h the
"ECDHE-RSA-AES128-SHA256" cipher is used. With 1.0.1i uses "RC4-SHA".

example:
$ openssl s_server -cert server.pem
....
$ openssl s_client -cipher "ECDHE-RSA-AES128-SHA256:RC4" -connect
localhost:4443
....
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA256
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : ECDHE-RSA-AES128-SHA256

I guess following patch is responsible for the change in behavior:
http://rt.openssl.org/Ticket/Display.html?id=3374. There it says the
SSLv2 client-hello does not include enough information to establish a
connection with ECDHE, so this ciphers are not included in the
cipherlist. But the test with 1.0.1i shows that it works at least
against my openssl s_server.

I think this behavior could force established applications to use
"lower-strength" ciphers with openssl 1.0.1i than before with 1.0.1h.
Without anyone noticing.

cheers Frank
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: openssl 1.0.1i ignores ciphers in cipherlist

Viktor Dukhovni
On Fri, Aug 29, 2014 at 04:19:43PM +0200, Frank Meier wrote:

> While testing different ciphersuites I found a quite drastic change in the
> behavior between openssl version 1.0.1h to 1.0.1i. While using a cipherlist
> like "ECDHE-RSA-AES128-SHA256:RC4" with 1.0.1h the "ECDHE-RSA-AES128-SHA256"
> cipher is used. With 1.0.1i uses "RC4-SHA".
>
> example:
> $ openssl s_server -cert server.pem
> ....
> $ openssl s_client -cipher "ECDHE-RSA-AES128-SHA256:RC4" -connect

Run the 1.0.1i client with "-msg" and report the version of the
client Hello and resulting cipher.  Then add "-no_ssl2" and report
again.  Applications should these days employ "SSL_OP_NO_SSLv2",
rather than rely on "!SSLv2" in the DEFAULT cipherlist.

Not employing EC ciphersuites with SSLv2 HELLO is correct, since
the client's list of supported curves is unknown.

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: openssl 1.0.1i ignores ciphers in cipherlist

Tomas Mraz-2
In reply to this post by Frank Meier
On Pá, 2014-08-29 at 16:19 +0200, Frank Meier wrote:

> While testing different ciphersuites I found a quite drastic change in
> the behavior between openssl version 1.0.1h to 1.0.1i. While using a
> cipherlist like "ECDHE-RSA-AES128-SHA256:RC4" with 1.0.1h the
> "ECDHE-RSA-AES128-SHA256" cipher is used. With 1.0.1i uses "RC4-SHA".
>
> example:
> $ openssl s_server -cert server.pem
> ....
> $ openssl s_client -cipher "ECDHE-RSA-AES128-SHA256:RC4" -connect
> localhost:4443
> ....
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA256
> Server public key is 1024 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>      Protocol  : TLSv1.2
>      Cipher    : ECDHE-RSA-AES128-SHA256
>
> I guess following patch is responsible for the change in behavior:
> http://rt.openssl.org/Ticket/Display.html?id=3374. There it says the
> SSLv2 client-hello does not include enough information to establish a
> connection with ECDHE, so this ciphers are not included in the
> cipherlist. But the test with 1.0.1i shows that it works at least
> against my openssl s_server.
>
> I think this behavior could force established applications to use
> "lower-strength" ciphers with openssl 1.0.1i than before with 1.0.1h.
> Without anyone noticing.

This happens because you use specification of cipherlist that does not
make sense - that is with the RC4 you add also SSLv2 ciphers to the
cipher list and simultaneously you add only EC based cipher in addition.
With SSLv2 client hello the supported curves extension cannot be sent
and thus the EC based ciphers must not be sent as well. If there was for
example DHE-RSA-AES128-GCM-SHA256 in the cipher list, it would be
correctly sent in the hello and chosen for the connection. I can't see
anyone using such specification in real world.

Basically what you specify is what you get.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: openssl 1.0.1i ignores ciphers in cipherlist

Frank Meier
In reply to this post by Viktor Dukhovni

On 29/08/14 17:12, Viktor Dukhovni wrote:

I retestet with "-no_ssl2" option and then the ECDHE ciphers are used
again.
> Applications should these days employ "SSL_OP_NO_SSLv2",
I agree, but then openssl should set this option by default also.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: openssl 1.0.1i ignores ciphers in cipherlist

Daniel Kahn Gillmor
In reply to this post by Tomas Mraz-2
On 08/29/2014 08:16 AM, Tomas Mraz wrote:
> On Pá, 2014-08-29 at 16:19 +0200, Frank Meier wrote:
>> While testing different ciphersuites I found a quite drastic change in
>> the behavior between openssl version 1.0.1h to 1.0.1i. While using a
>> cipherlist like "ECDHE-RSA-AES128-SHA256:RC4" with 1.0.1h the
>> "ECDHE-RSA-AES128-SHA256" cipher is used. With 1.0.1i uses "RC4-SHA".

> This happens because you use specification of cipherlist that does not
> make sense - that is with the RC4 you add also SSLv2 ciphers to the
> cipher list and simultaneously you add only EC based cipher in addition.
> With SSLv2 client hello the supported curves extension cannot be sent
> and thus the EC based ciphers must not be sent as well. If there was for
> example DHE-RSA-AES128-GCM-SHA256 in the cipher list, it would be
> correctly sent in the hello and chosen for the connection. I can't see
> anyone using such specification in real world.
>
> Basically what you specify is what you get.
the CipherSuite list that Frank posted clearly indicated his preference
for ECDHE-RSA-AES128-SHA256 ahead of RC4.

By "respecting" the inclusion of RC4's SSLv2 ciphersuites and sending a
v2 handshake, OpenSSL is effectively disabling a higher-priority
selection.  I acknowledge that the tradeoff is a tricky one -- if
OpenSSL makes the opposite choice, it will break interop with SSLv2
servers that choke on the handshake.  But SSLv2 is known-broken,
arguably even worse than RC4.

At any rate, I'm not sure this scenario counts as "what you specify is
what you get", since the OP specified that they preferred
ECDHE-RSA-AES128-SHA256 to RC4 and they didn't get it.  I'd rather that
OpenSSL respected the user's stated preference here than enable interop
with SSLv2 servers.

        --dkg


signature.asc (968 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

RE: openssl 1.0.1i ignores ciphers in cipherlist

Salz, Rich
If Frank doesn't want SSLv2 then he needs to disable it in the SSL_CTX first, no?

The mechanism to say what ciphers you want is orthogonal to the mechanism to say what protcols you want. That's unfortunate and a source of confusion, but is unlikely to change any time soon.


--  
Principal Security Engineer
Akamai Technologies, Cambridge MA
IM: [hidden email] Twitter: RichSalz

:��I"Ϯ��r�m���� (���Z+�7�zZ)���1���x ��h���W^��^��%����&jם.+-1�ځ��j:+v�������h�