Bug 1227 - Unbound control allows weak ciphersuites
Status: RESOLVED FIXED
Product: unbound
Classification: Unclassified
Component: server
Version: 1.6.1
Hardware: Other Windows
Importance: P5 normal
Assigned To: unbound team
Reported: 2017-02-27 14:23 CET by chogomislu
Modified: 2017-02-28 09:24 CET
Description chogomislu 2017-02-27 14:23:00 CET
Cipherscan https://github.com/mozilla/cipherscan reveals that unbound control is permitting the use of many weak ciphersuites:

https://paste.debian.net/917083/

At the very least, the ciphersuites that use Camellia, SEED, IDEA, RC4, 3DES, MD5, SHA1 should be removed and only TLSv1.2 should be allowed.

There are also too many elliptic curves supported, many of them weak. Only prime256v1 and secp384r1 need to be supported.
Comment 1 Wouter Wijngaards 2017-02-27 15:44:09 CET
Hi Chogomislu,

So, is this the correct fix, using openssl?  It will allow only TLSv1.2 if that exists in the openssl version we are compiling with.

I think that solves most of your questions, but I am not sure how to go about the curve allowance you want?

#if defined(SSL_OP_NO_TLSv1) && defined(SSL_OP_NO_TLSv1_1)
        /* if we have tls 1.1 disable 1.0 */
        if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1)
                != SSL_OP_NO_TLSv1){
                log_crypto_err("could not set SSL_OP_NO_TLSv1");
                daemon_remote_delete(rc);
                return NULL;
        }
#endif
#if defined(SSL_OP_NO_TLSv1_1) && defined(SSL_OP_NO_TLSv1_2)
        /* if we have tls 1.2 disable 1.1 */
        if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1)
                != SSL_OP_NO_TLSv1_1){
                log_crypto_err("could not set SSL_OP_NO_TLSv1_1");
                daemon_remote_delete(rc);
                return NULL;
        }
#endif


Best regards, Wouter
Comment 2 Wouter Wijngaards 2017-02-27 16:25:08 CET
Hi Chogomislu,

I also added this to disable the bad ciphers you listed, I hope this is ok?

SSL_CTX_set_cipher_list(rc->ctx, "DEFAULT:!CAMELLIA128:!CAMELLIA256:!SEED:!IDEA:!RC4:!3DES:!DES:!MD5:!SHA:!sect283k1:!sect283r1:!sect409k1:!sect409r1:!sect571k1:!sect571r1:!secp256k1:!brainpoolP256r1:!brainpoolP384r1:!brainpoolP512r1")

Best regards, Wouter
Comment 3 chogomislu 2017-02-27 18:05:13 CET
The disabling of TLSv1.0 & TLSv1.1 looks good.

The ciphersuite list you provided is not ideal - it ends up enabling some bad ciphersuites.

It is better to directly specify the ciphersuites to be supported.

If we are to enable only ciphersuites that have no known vulnerabilities, we end up with:

SSL_CTX_set_cipher_list(rc->ctx, "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")

I tested the above and it works and is backwards compatible.

You can use https://wiki.mozilla.org/Security/Server_Side_TLS for inspiration.

The disabling of elliptic curves seems a little more complicated and I cannot provide advice about that right now.
Comment 4 Wouter Wijngaards 2017-02-28 09:24:30 CET
Hi Chogomislu,

I applied the cipherlist you gave.  Thanks!

Best regards, Wouter
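
Added example, not part of the bug thread or of Unbound's code: a way to check what the cipher strings from comments 2 and 3 expand to on the local OpenSSL build. It uses Python's ssl module, whose set_ciphers() hands the string to OpenSSL's SSL_CTX_set_cipher_list(); the function names are made up for this illustration.

```python
import ssl

# Cipher strings copied verbatim from comments 2 and 3 of this bug.
DENYLIST = ("DEFAULT:!CAMELLIA128:!CAMELLIA256:!SEED:!IDEA:!RC4:!3DES:!DES:!MD5:!SHA:"
            "!sect283k1:!sect283r1:!sect409k1:!sect409r1:!sect571k1:!sect571r1:"
            "!secp256k1:!brainpoolP256r1:!brainpoolP384r1:!brainpoolP512r1")
ALLOWLIST = ("ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
             "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
             "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")


def expand(cipher_string):
    """Return the TLS <= 1.2 suite names the local OpenSSL enables for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    # TLS 1.3 suites are configured through a separate API and are always
    # listed, so they are left out of the comparison.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def outside_allowlist(cipher_string):
    """Suites enabled by cipher_string that are not named in ALLOWLIST."""
    allowed = set(ALLOWLIST.split(":"))
    return [name for name in expand(cipher_string) if name not in allowed]


def curve_tokens_ignored():
    """True if the curve names in DENYLIST do not change its expansion."""
    curve_prefixes = ("!sect", "!secp", "!brainpool")
    without_curves = ":".join(
        token for token in DENYLIST.split(":") if not token.startswith(curve_prefixes)
    )
    return expand(DENYLIST) == expand(without_curves)


if __name__ == "__main__":
    print("allowlist enables:", expand(ALLOWLIST))
    print("denylist extras:  ", outside_allowlist(DENYLIST))
    print("curve tokens are no-ops:", curve_tokens_ignored())
```

OpenSSL skips cipher-string tokens it does not recognise, which is why the curve names in the first string have no effect; curves are restricted with a separate call such as SSL_CTX_set1_curves_list() (OpenSSL 1.0.2 and later).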