< Previous by Date	Date Index	Next by Date >
	Thread Index	Next in Thread >

[reSIProcate] reviewing TLS version code

From: Daniel Pocock <daniel@xxxxxxxxxx>
Date: Sat, 06 Dec 2014 19:36:37 +0100


There are some issues around how the TLS version is chosen.

reSIProcate (the library) offers a choice between using OpenSSL
SSLv23_method() and TLSv1_method().  These are described in the OpenSSL
docs[1].

repro, the proxy, has simply been using TLSv1_method().  I've just added
a configuration option to allow users to select SSLv23_method(),
although TLSv1_method is still default.

Some people may be thinking that is bad news, with SSLv2 being
considered dangerous and SSLv3 now being shunned as well thanks to the
POODLE[2] exploit.

Looking closely at the OpenSSL docs, it says that SSLv23_method "may
understand the SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols".
"may" meaning it is not definitely exposing the system to SSLv2 and
SSLv3.  In practice, most recent OpenSSL builds don't have SSLv2 support
at all and there are other options to disable SSLv3 at runtime.

What SSLv23_method does actually do is to allow a dynamic choice of TLS
version.

If TLSv1_method() is used (as hardcoded in repro right now) then that
means ONLY TLS v1.0 and not v1.1 or v1.2 or beyond.

On the other handing,
- using SSLv23_method allows any the TLS versions (1.0, 1.1 and 1.2)
- using SSLv23_method does not enable SSLv2 if the OpenSSL binary was
not compiled with SSLv2 support or if SSL_OP_NO_SSL2 is used
- using SSLv23_method and setting SSL_OP_NO_SSL3 eliminates SSLv3
support and the POODLE risk while allowing a dynamic choice of TLS v1.0,
v1.1 or v1.2

To summarize, SSLv23_method with SSL_OP_NO_SSL3 may be better for
compatibility.  The only question is

a) how to implement this in reSIProcate while still allowing users of
the stack some flexibility to override

b) how to do this in a way that ensures ABI compatibility.  Not only
would I like to backport the change to v1.9.x but there may be more
vulnerabilities in future where changes to this code have to be
backported without breaking ABI.

As a side-issue, I found that manually adding SSLv3 to
BaseSecurity::ExportableSuite increases the number of possible ciphers
and while I wouldn't recommend using some of them, I can understand that
some users of the stack may also want an easy way to enable them in
certain situations.

I ran nmap against repro to show what it understands and I attach the
output for each of these permutations:

a) TLSv1_method with SSLv3 in ExportableSuite
b) SSLv23_method with SSLv3 in ExportableSuite
c) SSLv23_method without SSLv3 in ExportableSuite

In particular, notice that the SSLv23_method output files all include
TLS v1.1 and v1.2 while the TLSv1 output doesn't show that.


1. https://www.openssl.org/docs/ssl/SSL_CTX_new.html

2. https://www.us-cert.gov/ncas/alerts/TA14-290A

In this case, SSLv3 is not in the ciphersuite

$ nmap --script ssl-enum-ciphers 195.8.117.56 -p 5061

Starting Nmap 6.00 ( http://nmap.org ) at 2014-12-06 18:42 CET
Nmap scan report for 195.8.117.56
Host is up (0.027s latency).
PORT     STATE SERVICE
5061/tcp open  sip-tls
| ssl-enum-ciphers: 
|   SSLv3
|     Ciphers (6)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_DES_CBC_SHA - unknown strength
|       TLS_RSA_WITH_RC4_128_MD5 - unknown strength
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     Compressors (1)
|       NULL
|   TLSv1.0
|     Ciphers (6)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_DES_CBC_SHA - unknown strength
|       TLS_RSA_WITH_RC4_128_MD5 - unknown strength
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     Compressors (1)
|       NULL
|   TLSv1.1
|     Ciphers (6)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_DES_CBC_SHA - unknown strength
|       TLS_RSA_WITH_RC4_128_MD5 - unknown strength
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     Compressors (1)
|       NULL
|   TLSv1.2
|     Ciphers (10)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - unknown strength
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - unknown strength
|       TLS_RSA_WITH_DES_CBC_SHA - unknown strength
|       TLS_RSA_WITH_RC4_128_MD5 - unknown strength
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     Compressors (1)
|       NULL
|_  Least strength = unknown strength

Nmap done: 1 IP address (1 host up) scanned in 51.45 seconds

In this case, SSLv3 is in the ciphersuite

$ nmap --script ssl-enum-ciphers 195.8.117.56 -p 5061

Starting Nmap 6.00 ( http://nmap.org ) at 2014-12-06 18:31 CET
Nmap scan report for 195.8.117.56
Host is up (0.027s latency).
PORT     STATE SERVICE
5061/tcp open  sip-tls
| ssl-enum-ciphers: 
|   SSLv3
|     Ciphers (11)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - unknown strength
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_DES_CBC_SHA - unknown strength
|       TLS_RSA_WITH_NULL_MD5 - unknown strength
|       TLS_RSA_WITH_NULL_SHA - unknown strength
|       TLS_RSA_WITH_RC4_128_MD5 - unknown strength
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - unknown strength
|     Compressors (1)
|       NULL
|   TLSv1.0
|     Ciphers (11)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - unknown strength
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_DES_CBC_SHA - unknown strength
|       TLS_RSA_WITH_NULL_MD5 - unknown strength
|       TLS_RSA_WITH_NULL_SHA - unknown strength
|       TLS_RSA_WITH_RC4_128_MD5 - unknown strength
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - unknown strength
|     Compressors (1)
|       NULL
|   TLSv1.1
|     Ciphers (11)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - unknown strength
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_DES_CBC_SHA - unknown strength
|       TLS_RSA_WITH_NULL_MD5 - unknown strength
|       TLS_RSA_WITH_NULL_SHA - unknown strength
|       TLS_RSA_WITH_RC4_128_MD5 - unknown strength
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - unknown strength
|     Compressors (1)
|       NULL
|   TLSv1.2
|     Ciphers (15)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - unknown strength
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - unknown strength
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - unknown strength
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_DES_CBC_SHA - unknown strength
|       TLS_RSA_WITH_NULL_MD5 - unknown strength
|       TLS_RSA_WITH_NULL_SHA - unknown strength
|       TLS_RSA_WITH_RC4_128_MD5 - unknown strength
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - unknown strength
|     Compressors (1)
|       NULL
|_  Least strength = unknown strength

Nmap done: 1 IP address (1 host up) scanned in 52.89 seconds

In this case, SSLv3 is in the ciphersuite

$ nmap --script ssl-enum-ciphers 195.8.117.56 -p 5061

Starting Nmap 6.00 ( http://nmap.org ) at 2014-12-06 18:05 CET
Nmap scan report for 195.8.117.56
Host is up (0.027s latency).
PORT     STATE SERVICE
5061/tcp open  sip-tls
| ssl-enum-ciphers: 
|   TLSv1.0
|     Ciphers (11)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - unknown strength
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_DES_CBC_SHA - unknown strength
|       TLS_RSA_WITH_NULL_MD5 - unknown strength
|       TLS_RSA_WITH_NULL_SHA - unknown strength
|       TLS_RSA_WITH_RC4_128_MD5 - unknown strength
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - unknown strength
|     Compressors (1)
|       NULL
|_  Least strength = unknown strength

Nmap done: 1 IP address (1 host up) scanned in 23.58 seconds

Follow-Ups:
- Re: [reSIProcate] reviewing TLS version code
  - From: Daniel Pocock

Prev by Date: Re: [reSIProcate] Register to other SipServer
Next by Date: Re: [reSIProcate] reviewing TLS version code
Previous by thread: Re: [reSIProcate] Register to other SipServer
Next by thread: Re: [reSIProcate] reviewing TLS version code
Index(es):
- Date
- Thread