[openssl-users] How to disable all EXPORT Ciphers?


[openssl-users] How to disable all EXPORT Ciphers?

Deepak-2

Hi,

How do I disable all EXPORT Ciphers from OpenSSL?

Will the use of string "kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH"
with SSL_CTX_set_cipher_list() be good enough to disable EXPORT40, 56 and 1024?

Thank you,
Deepak


_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] How to disable all EXPORT Ciphers?

Salz, Rich
> How do I disable all EXPORT Ciphers from OpenSSL?
> Will the use of string "kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH"

        ; openssl ciphers -v kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH | grep EXP
        ;
Yes.

But really, SSLv2?  Really?  You have clients that haven't been updated since the last century?

--  
Senior Architect, Akamai Technologies
IM: [hidden email] Twitter: RichSalz

Re: [openssl-users] How to disable all EXPORT Ciphers?

Viktor Dukhovni
In reply to this post by Deepak-2
On Mon, Mar 09, 2015 at 02:23:53PM +0530, Deepak wrote:

> How do I disable all EXPORT Ciphers from OpenSSL?
>
> Will the use of string "kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH"
> with SSL_CTX_set_cipher_list() be good enough to disable EXPORT40, 56 and 1024?

Note that doing so does not address the FREAK CVE in SSL clients.  Even
with EXPORT ciphers disabled they are still vulnerable, unless patched!

As for your proposed cipherlist it is too exotic.

    * ALL:!ADH is simply DEFAULT.  DEFAULT already prefers PFS (including
      ECDHE) and is sorted by strength.

    * DES is a subset of LOW

    * I would also disable SSLv2, which is a subset of MD5, so I generally
      disable that instead which also drops the SSLv3's RC4-MD5 leaving RC4-SHA
      for interop.  Note for many applications RC4 is no longer supposed to be
      used, consider whether disabling RC4 is appropriate for you.

Therefore, I'd suggest:

        DEFAULT:!EXPORT:!LOW:!MD5

Which keeps things simple by starting with DEFAULT and removing
what you want to disable.

--
        Viktor.
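
One way to check what a cipher string such as the suggested DEFAULT:!EXPORT:!LOW:!MD5 really enables on a given build, as an added example (not code from this thread or from OpenSSL). It uses Python's ssl module, which passes the string to the linked OpenSSL; the 112-bit floor, the function names and the sample entry are assumptions of this example.

```python
import ssl

MIN_BITS = 112  # assumption of this example: anything weaker is reported


def classify(entry, min_bits=MIN_BITS):
    """Return the reasons one cipher entry (a get_ciphers() dict) is weak."""
    reasons = []
    if entry["name"].startswith("EXP"):
        reasons.append("export")
    if "MD5" in entry["name"]:
        reasons.append("MD5")
    if entry["protocol"] == "SSLv2":
        reasons.append("SSLv2")
    if entry["strength_bits"] < min_bits:
        reasons.append("%d-bit" % entry["strength_bits"])
    return reasons


def expand(cipher_string):
    """Expand a cipher string using the OpenSSL this Python is linked to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if no cipher is selected
    return ctx.get_ciphers()


def weak_entries(cipher_string):
    """Map cipher name -> reasons for every weak suite the string enables."""
    found = {}
    for entry in expand(cipher_string):
        reasons = classify(entry)
        if reasons:
            found[entry["name"]] = reasons
    return found


# Constructed entry shaped like get_ciphers() output on an OpenSSL 1.0.x build.
SAMPLE = {"name": "EXP-RC4-MD5", "protocol": "SSLv3", "strength_bits": 40}

if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    print(classify(SAMPLE))
    for s in ("kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH",
              "DEFAULT:!EXPORT:!LOW:!MD5"):
        print(s, "->", weak_entries(s) or "nothing weak enabled")
```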

Re: [openssl-users] How to disable all EXPORT Ciphers?

Christian Georg
Hi Viktor,

please help me to understand your sentence:

        "Note that doing so does not address the FREAK CVE in SSL clients.  Even with EXPORT ciphers disabled they are still vulnerable, unless patched!"

I understand that the downgrading of the ciphersuites is a bug in the library that should be patched. Doing this can however be difficult when talking about mobile apps that use OS libraries.
From my understanding the bug only works within the limit of ciphersuites permitted by both the client and the server.

Therefore my assumption is if the server side does only offer strong ciphers I do not have to worry too much about the ability to exploit the FREAK vulnerability e.g. in Android clients.
I am very aware that on older Androids there are other things to worry about like missing TLS 1.2 support,... but with regards to FREAK SSL a quick fix to secure the communication between a mobile app and the server side webservice should be disabling weak ciphers on the server.

Is this assumption wrong?

Thanks for your help

Chris



Re: [openssl-users] How to disable all EXPORT Ciphers?

Viktor Dukhovni
On Tue, Mar 10, 2015 at 08:44:57AM +0000, Christian Georg wrote:

> I understand that the downgrading of the ciphersuites is a bug in the
> library that should be patched. Doing this can however be difficult when
> talking about mobile apps that use OS Libraries.  From my understanding
> the bug only works within the limit of ciphersuites permitted by both the
> client and the server.

That understanding is I believe wrong.  Only the server needs to
support EXPORT ciphers.  The client just needs a vulnerable library.

> Therefore my assumption is if the server side does only offer strong ciphers
> I do not have to worry too much about the ability to exploit the FREAK
> vulnerability e.g. in android clients.

Yes, if the server disables EXPORT ciphers the clients are safe
with *that* server, but will remain vulnerable with other servers.
The clients do need to be patched.

--
        Viktor.

Re: [openssl-users] How to disable all EXPORT Ciphers?

Michael Wojcik
Viktor's description agrees with Matthew Green's explanation.[1] The FREAK attack can work against non-patched OpenSSL clients even if they disable export-grade ciphers; in fact, that's precisely the problem.

The attack works like this:

1. Client sends ClientHello with a suite list that includes strong RSA suites.
2. MITM modifies ClientHello to request export-grade RSA.
3. If the server supports export-grade RSA, it replies with a 512-bit RSA key.
4. The client incorrectly accepts the short RSA key, even though it didn't ask for one. That's the bug.
5. Attacker factors the 512-bit RSA key. This relies on the second problem described by the FREAK authors: many servers (e.g. Apache) just generate one 512-bit RSA key pair at startup, and don't create a new one for each export-grade request, because it's expensive. So if you factor it once, you're good to break a whole bunch of sessions.

If you always control both ends of the conversation, and can disable the export suites on both, then you shouldn't be vulnerable. If you have to talk to third-party servers, though, you don't know which ones might be vulnerable. FREAK testing has revealed that an awful lot still support the export suites.

[1] http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html
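
Steps 1 to 4 above, together with the two mitigations discussed in this thread (export suites disabled on the server, patched client), as a small state model. This is an added example, not code from the thread or from OpenSSL; the function names and the 2048-bit certificate key are constructed, and the model assumes the client believes a non-export RSA suite was negotiated.

```python
from dataclasses import dataclass
from typing import Optional

STRONG_RSA = "AES128-SHA"        # non-export RSA key exchange
EXPORT_RSA = "EXP-DES-CBC-SHA"   # export-grade RSA key exchange


class HandshakeError(Exception):
    pass


@dataclass
class ServerFlight:
    cert_rsa_bits: int                   # long-term key from the certificate
    temp_rsa_bits: Optional[int] = None  # temporary key, export handshakes only


def server_reply(requested, enabled):
    """Step 3: the server answers the first requested suite it has enabled."""
    for suite in requested:
        if suite in enabled:
            temp = 512 if suite.startswith("EXP-") else None
            return ServerFlight(cert_rsa_bits=2048, temp_rsa_bits=temp)
    raise HandshakeError("no shared cipher")


def client_key_bits(negotiated, flight, patched):
    """Step 4: size of the RSA key the client will encrypt the premaster to."""
    if flight.temp_rsa_bits is None:
        return flight.cert_rsa_bits
    if patched and not negotiated.startswith("EXP-"):
        # The fix: a temporary RSA key is only valid in an export handshake.
        raise HandshakeError("unexpected temporary RSA key")
    return flight.temp_rsa_bits  # unpatched: short key used without complaint


def outcome(server_enabled, patched, tampered=True):
    """Key size the client ends up trusting, or why the handshake stops."""
    offered = [STRONG_RSA]                                  # step 1
    seen_by_server = [EXPORT_RSA] if tampered else offered  # step 2
    try:
        flight = server_reply(seen_by_server, server_enabled)
        # Model assumption: the client still believes STRONG_RSA was negotiated.
        return client_key_bits(STRONG_RSA, flight, patched)
    except HandshakeError as exc:
        return str(exc)


if __name__ == "__main__":
    both = [STRONG_RSA, EXPORT_RSA]
    print(outcome(both, patched=False))          # 512
    print(outcome(both, patched=True))           # unexpected temporary RSA key
    print(outcome([STRONG_RSA], patched=False))  # no shared cipher
```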


Re: [openssl-users] How to disable all EXPORT Ciphers?

Dave Thompson-5
In reply to this post by Viktor Dukhovni
> From: openssl-users On Behalf Of Viktor Dukhovni
> Sent: Monday, March 09, 2015 12:47

> On Mon, Mar 09, 2015 at 02:23:53PM +0530, Deepak wrote:
> > "kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH"
> > with SSL_CTX_set_cipher_list() be good enough to disable EXPORT40, 56
> and 1024?
>
You only need worry about the original exports retronymed EXPORT40.
EXPORT56 was a draft RFC that was not adopted, and the SSL_CIPHER
blocks still in source are disabled by a macro hardcoded in tls1.h (q.v.).
"EXP1024-blah" would be the names of the nonexistent EXPORT56 ciphers.

> Note that doing so does not address the FREAK CVE in SSL clients.  Even
> with EXPORT ciphers disabled they are still vulnerable, unless patched!
>
Yes.

> As for your proposed cipherlist it is too exotic.
>
>     * ALL:!ADH is simply DEFAULT.  DEFAULT already prefers PFS (including
>       ECDHE) and is sorted by strength.
>
For 1.0.0+ DEFAULT is ALL:!aNULL:!eNULL:!SSLv2; !aNULL disables both
ADH and AECDH. (0.9.8 excludes all ECC, including AECDH, unless ECCdraft.)
!eNULL actually has no effect because ALL already excludes it; if you want
eNULL (you shouldn't) you need the absurd-looking COMPLEMENTOFALL.

>     * DES is a subset of LOW
>
In fact DES is the only algorithm in LOW. (In math a set is a subset of itself
and also a superset of itself but laypeople often don't expect that.)

>     * I would also disable SSLv2, which is a subset of MD5, so I generally
>       disable that instead which also drops the SSLv3's RC4-MD5 leaving RC4-SHA
>       for interop.  Note for many applications RC4 is no longer supposed to be
>       used, consider whether disabling RC4 is appropriate for you.
>
And disabling SSLv2 *ciphers* has the good effect of disabling SSLv2 *protocol*
even if old or poor code calls SSLv23 and doesn't explicitly OP_NO_SSLv2.

> Therefore, I'd suggest:
>
> DEFAULT:!EXPORT:!LOW:!MD5
>
> Which keeps things simple by starting with DEFAULT and removing
> what you want to disable.
>

