Bug 1227

Summary: Unbound control allows weak ciphersuits
Product: unbound Reporter: chogomislu
Component: serverAssignee: unbound team <unbound-team>
Status: RESOLVED FIXED    
Severity: normal CC: cathya, wouter
Priority: P5    
Version: 1.6.1   
Hardware: Other   
OS: Windows   

Description chogomislu 2017-02-27 14:23:00 CET
Cipherscan https://github.com/mozilla/cipherscan reveals that unbound control is permitting the use of many weak ciphersuits:

https://paste.debian.net/917083/

At the very least, the ciphersuits that use Camellia, SEED, IDEA, RC4, 3DES, MD5, SHA1 should be removed and only TLSv1.2 was allowed.

There are also too many elliptic curves supported, many of them weak. Only prime256v1 and secp384r1 need to be supported.
Comment 1 Wouter Wijngaards 2017-02-27 15:44:09 CET
Hi Chogomislu,

So, is this the correct fix, using openssl?  It will allow only TLSv1.2 if that exists in the openssl version we are compiling with.

I think that solves most of your quesions, but I am not sure how to go about the curve allowance you want?

#if defined(SSL_OP_NO_TLSv1) && defined(SSL_OP_NO_TLSv1_1)
        /* if we have tls 1.1 disable 1.0 */
        if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1)
                != SSL_OP_NO_TLSv1){
                log_crypto_err("could not set SSL_OP_NO_TLSv1");
                daemon_remote_delete(rc);
                return NULL;
        }
#endif
#if defined(SSL_OP_NO_TLSv1_1) && defined(SSL_OP_NO_TLSv1_2)
        /* if we have tls 1.2 disable 1.1 */
        if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1)
                != SSL_OP_NO_TLSv1_1){
                log_crypto_err("could not set SSL_OP_NO_TLSv1_1");
                daemon_remote_delete(rc);
                return NULL;
        }
#endif


Best regards, Wouter
Comment 2 Wouter Wijngaards 2017-02-27 16:25:08 CET
Hi Chogomislu,

I also added this to disable the bad ciphers you listed, I hope this is ok?

SSL_CTX_set_cipher_list(rc->ctx, "DEFAULT:!CAMELLIA128:!CAMELLIA256:!SEED:!IDEA:!RC4:!3DES:!DES:!MD5:!SHA:!sect283k1:!sect283r1:!sect409k1:!sect409r1:!sect571k1:!sect571r1:!secp256k1:!brainpoolP256r1:!brainpoolP384r1:!brainpoolP512r1")

Best regards, Wouter
Comment 3 chogomislu 2017-02-27 18:05:13 CET
The disabling of TLSv1.0 & TLSv1.1 looks good.

The ciphersuit list you provided is not ideal - it ends up enabling some bad ciphersuits.

It is better to directly specify the ciphersuits to be supported.

If we are to enable only ciphersuits that have no known vulnerabilities, we end up with:

SSL_CTX_set_cipher_list(rc->ctx, "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")

I tested the above and it works and is backwards compatible.

You can use https://wiki.mozilla.org/Security/Server_Side_TLS for inspiration.

The disabling of elliptic curves seems a little more complicated and I cannot provide advice about that right now.
Comment 4 Wouter Wijngaards 2017-02-28 09:24:30 CET
Hi Chogomislu,

I applied the cipherlist you gave.  Thanks!

Best regards, Wouter