Skip to content

ssl: conditionally set explicit cipher suite list #66

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 18, 2016
Merged

ssl: conditionally set explicit cipher suite list #66

merged 1 commit into from
Aug 18, 2016
+47 −52

Conversation

rhenium
Copy link
Member

@rhenium rhenium commented Aug 14, 2016

Don't set in SSLContext#set_params when built with OpenSSL 1.1.0 or
newer.

The list was added as a workaround to exclude known weak cipher suites
([Bug #9424]). In OpenSSL <= 1.0.2, the default list (DEFAULT) included
even cipher suites using MD5. Now, OpenSSL 1.1.0 has better DEFAULT. So
make SSLContext#set_params just use it.

Here is the diff between our current explicit list and DEFAULT of
OpenSSL 1.1.0-pre6 (with sorted):

$ list_ruby=$(openssl ciphers -v $(ruby -ropenssl -e'puts OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers]') | sort)
$ list_default=$(openssl ciphers -v 'DEAFULT:!PSK:!SRP' | sort)
$ diff <(echo "$list_ruby") <(echo "$list_default")
7,12c7
< DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
< DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
< DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
< DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
< DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
< DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1

---
> DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
18a14,15
> DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
> DHE-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
24a22,23
> ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
> ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168) Mac=SHA1
30a30,31
> ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
> ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1

@rhenium
ssl: conditionally set explicit cipher suite list

Verified

This commit was signed with the committer’s verified signature.
rhenium Kazuki Yamaguchi
GPG key ID: E00235F75ABDE487
Verified
Learn about vigilant mode
b9aea27 
Don't set in SSLContext#set_params when built with OpenSSL 1.1.0 or
newer.

The list was added as a workaround to exclude known weak cipher suites
([Bug #9424]). In OpenSSL <= 1.0.2, the default list (DEFAULT) included
even cipher suites using MD5. Now, OpenSSL 1.1.0 has better DEFAULT. So
make SSLContext#set_params just use it.

Here is the diff between our current explicit list and DEFAULT of
OpenSSL 1.1.0-pre6 (with sorted):

  $ list_ruby=$(openssl ciphers -v $(ruby -ropenssl -e'puts OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers]') | sort)
  $ list_default=$(openssl ciphers -v 'DEAFULT:!PSK:!SRP' | sort)
  $ diff <(echo "$list_ruby") <(echo "$list_default")
  7,12c7
  < DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
  < DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
  < DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
  < DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
  < DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
  < DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
  ---
  > DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
  18a14,15
  > DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
  > DHE-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
  24a22,23
  > ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
  > ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168) Mac=SHA1
  30a30,31
  > ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
  > ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
@tarcieri
Copy link
Collaborator

tarcieri commented Aug 14, 2016
edited
Loading

Hmm, as it were, there are things I don't like in either list:

Ruby

  • DSS (i.e. DSA): has been removed from TLS 1.3. A systematic survey of the Internet found (I believe) only one DSA cert being used in the wild in conjunction with TLS.

OpenSSL

  • 3DES: there's nothing technically wrong with 3DES, aside from DES's usage of a small block size (64-bits versus AES's 128-bits) and CBC mode not being an AEAD mode, but I find it odd they would continue to leave it on by default as it has generally lost favor (perhaps for FIPS purposes?)

Either way, it would be nice to see ChaCha20+Poly1305 included by default.

So I guess that's a weak 👍 from me.

@rhenium
Copy link
Member Author

rhenium commented Aug 15, 2016

Thanks.

I guess OpenSSL left 3DES because it is the MTI cipher suite in TLS 1.0/1.1, or for Windows XP compatibility.

Yes, actually my main point of this patch is ChaCha20-Poly1305. I could just add them to the list, but given that OpenSSL refreshed the defaults, I think it's good timing to get back to it. Ruby/OpenSSL is not in a position to judge what is secure and the explicit list is just a workaround. I really hope future versions of OpenSSL will keep it secure...

@rhenium rhenium merged commit b9aea27 into ruby:master Aug 18, 2016
@tarcieri
Copy link
Collaborator

For what it's worth: practical birthday attacks on 64-bit block ciphers in TLS, including 3DES:

https://sweet32.info/

@rhenium
Copy link
Member Author

rhenium commented Aug 24, 2016

And OpenSSL has removed 3DES from DEFAULT: openssl/openssl@ef28891

The new full list:

$ ./openssl ciphers -V 'DEFAULT:!SRP:!PSK'
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1

@tarcieri
Copy link
Collaborator

Just in time too! OpenSSL 1.1.0 was just released: https://www.openssl.org/news/openssl-1.1.0-notes.html

@larissa larissa mentioned this pull request Jan 31, 2017
Closed
@fschuindt fschuindt mentioned this pull request Dec 11, 2017
Merged
@gfguthrie gfguthrie mentioned this pull request Nov 5, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@rhenium @tarcieri