[openssl.org #3374] Do not advertise ECC ciphersuites in SSLv2 client hello

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

[openssl.org #3374] Do not advertise ECC ciphersuites in SSLv2 client hello

Rich Salz via RT
Hello,
openssl advertises ECC ciphersuites in SSLv2 client hello if ssl23
method is used. This is incorrect because the TLS extensions that
indicate supported curves and point formats cannot be sent in SSLv2
client hello. The attached patch ensures that no ECC ciphersuites are
sent in SSLv2 client hello.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)



diff -up openssl-1.0.1e/ssl/s23_lib.c.ssl2noec openssl-1.0.1e/ssl/s23_lib.c
--- openssl-1.0.1e/ssl/s23_lib.c.ssl2noec 2013-02-11 16:26:04.000000000 +0100
+++ openssl-1.0.1e/ssl/s23_lib.c 2014-05-06 15:51:54.053293674 +0200
@@ -107,6 +107,13 @@ int ssl23_put_cipher_by_char(const SSL_C
  long l;
 
  /* We can write SSLv2 and SSLv3 ciphers */
+ /* but no ECC ciphers */
+ if (c->algorithm_mkey == SSL_kECDHr ||
+ c->algorithm_mkey == SSL_kECDHe ||
+ c->algorithm_mkey == SSL_kEECDH ||
+ c->algorithm_auth == SSL_aECDH ||
+ c->algorithm_auth == SSL_aECDSA)
+ return 0;
  if (p != NULL)
  {
  l=c->id;
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #3374] Do not advertise ECC ciphersuites in SSLv2 client hello

Viktor Dukhovni
On Tue, Jun 03, 2014 at 06:01:03PM +0200, Tomas Mraz via RT wrote:

> openssl advertises ECC ciphersuites in SSLv2 client hello if ssl23
> method is used. This is incorrect because the TLS extensions that
> indicate supported curves and point formats cannot be sent in SSLv2
> client hello. The attached patch ensures that no ECC ciphersuites are
> sent in SSLv2 client hello.

This looks about right, where do you still use SSLv2?  Nowadays,
you should probably have SSLv2 disabled.

> diff -up openssl-1.0.1e/ssl/s23_lib.c.ssl2noec openssl-1.0.1e/ssl/s23_lib.c
> --- openssl-1.0.1e/ssl/s23_lib.c.ssl2noec 2013-02-11 16:26:04.000000000 +0100
> +++ openssl-1.0.1e/ssl/s23_lib.c 2014-05-06 15:51:54.053293674 +0200
> @@ -107,6 +107,13 @@ int ssl23_put_cipher_by_char(const SSL_C
>   long l;
>  
>   /* We can write SSLv2 and SSLv3 ciphers */
> + /* but no ECC ciphers */
> + if (c->algorithm_mkey == SSL_kECDHr ||
> + c->algorithm_mkey == SSL_kECDHe ||
> + c->algorithm_mkey == SSL_kEECDH ||
> + c->algorithm_auth == SSL_aECDH ||
> + c->algorithm_auth == SSL_aECDSA)
> + return 0;
>   if (p != NULL)
>   {
>   l=c->id;

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #3374] Do not advertise ECC ciphersuites in SSLv2 client hello

Tomas Mraz-2
On Út, 2014-06-03 at 16:41 +0000, Viktor Dukhovni wrote:

> On Tue, Jun 03, 2014 at 06:01:03PM +0200, Tomas Mraz via RT wrote:
>
> > openssl advertises ECC ciphersuites in SSLv2 client hello if ssl23
> > method is used. This is incorrect because the TLS extensions that
> > indicate supported curves and point formats cannot be sent in SSLv2
> > client hello. The attached patch ensures that no ECC ciphersuites are
> > sent in SSLv2 client hello.
>
> This looks about right, where do you still use SSLv2?  Nowadays,
> you should probably have SSLv2 disabled.
SSLv2 is disabled by default, however when you use the ALL cipher list
which is of course something you should not do but it happened in perl
LDAP module the SSLv2 ciphers are added to the cipherlist and SSLv2
client hello is used.

I agree that once we break API/ABI compatibility we should remove SSLv2
support altogether.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #3374] Do not advertise ECC ciphersuites in SSLv2 client hello

Viktor Dukhovni
On Wed, Jun 04, 2014 at 10:45:59AM +0200, Tomas Mraz wrote:

> SSLv2 is disabled by default, however when you use the ALL cipher list
> which is of course something you should not do but it happened in perl
> LDAP module the SSLv2 ciphers are added to the cipherlist and SSLv2
> client hello is used.

In Postfix, I use the "ALL" cipherlist, but I also pass SSL_OP_NO_SSLv2
to SSL_CTX_set_options().  If you can append exclusions to the cipherlist,
you can use 'ALL:...:!SSLv2'.

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #3374] Do not advertise ECC ciphersuites in SSLv2 client hello

Tomas Mraz-2
On St, 2014-06-04 at 13:03 +0000, Viktor Dukhovni wrote:

> On Wed, Jun 04, 2014 at 10:45:59AM +0200, Tomas Mraz wrote:
>
> > SSLv2 is disabled by default, however when you use the ALL cipher list
> > which is of course something you should not do but it happened in perl
> > LDAP module the SSLv2 ciphers are added to the cipherlist and SSLv2
> > client hello is used.
>
> In Postfix, I use the "ALL" cipherlist, but I also pass SSL_OP_NO_SSLv2
> to SSL_CTX_set_options().  If you can append exclusions to the cipherlist,
> you can use 'ALL:...:!SSLv2'.
>

I know that. We are fixing perl-LDAP to not use ALL at all and stick
with the default. However we will be patching openssl anyway for any
other 3rd party cases where they intentionally or not enable SSLv2
client hello.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]