OpenSSL Ciphers
Doug Hardie
bc979 at lafn.org
Sun Mar 8 08:20:10 UTC 2015
> On 7 March 2015, at 17:32, Doug Hardie <bc979 at lafn.org> wrote:
>
>
>> On 7 March 2015, at 15:13, Doug Hardie <bc979 at lafn.org> wrote:
>>
>>
>>> On 7 March 2015, at 08:49, dweimer <dweimer at dweimer.net> wrote:
>>>
>>> On 03/07/2015 1:35 am, Doug Hardie wrote:
>>>>> On 6 March 2015, at 17:35, dweimer <dweimer at dweimer.net> wrote:
>>>>> On 03/06/2015 6:36 pm, Doug Hardie wrote:
>>>>>>> On 6 March 2015, at 16:28, Charles Swiger <cswiger at mac.com> wrote:
>>>>>>> Hi--
>>>>>>>> On Mar 6, 2015, at 3:58 PM, Doug Hardie <bc979 at lafn.org> wrote:
>>>>>>>>> On 3 March 2015, at 23:21, Doug Hardie <bc979 at lafn.org> wrote:
>>>>>>>>> The default list of ciphers is quite extensive and includes some that are apparently causing some potential security issues. I have a number of applications that use OpenSSL and many don’t have the code to restrict the list. Fixing all that would take quite a bit of work. However, looking into /usr/include/openssl/ssl.h I find a definition for the SSL_DEFAULT_CIPHER_LIST. The comments indicate that that list is the one used when the application doesn’t specify anything. I changed its definition to:
>>>>>>>>> #define SSL_DEFAULT_CIPHER_LIST "TLSv1+HIGH:!SSLv2:RC4+MEDIUM:!aNULL:!eNULL:!3DES:@STRENGTH:
>>>>>>>>> However, s_connect will still create a connection with the export ciphers. I tried adding !EXPORT to that list and it had no effect. Is the definition actually used by openssl or is it just there for documentation?
>>>>>>>> Not hearing anything on this, I suspect it’s not very well understood. I have started updating the various servers/clients that use SSL/TLS. The one that has me completely stumped is sendmail. There is a web page which provides instructions "http://novosial.org/sendmail/cipherlist/index.html". However, when I follow them, I can still establish a connection and deliver mail using the export ciphers.
>>>>>>>> Has anyone successfully restricted the sendmail ciphers?
>>>>>>> You can see which ciphers openssl will support via a statement like:
>>>>>>> % openssl ciphers -v 'TLSv1+HIGH:RC4+MEDIUM:!aNULL:!eNULL:!3DES:@STRENGTH:!EXPORT'
>>>>>>> DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
>>>>>>> DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
>>>>>>> AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
>>>>>>> DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
>>>>>>> DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
>>>>>>> AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
>>>>>>> RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
>>>>>>> RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
>>>>>>> RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
>>>>>>> ...and you can experiment with TLS negotiation results via something like:
>>>>>>> % openssl s_client -cipher 'AES256-SHA:AES128-SHA' -connect www.google.com:443
>>>>>>> [ ... ]
>>>>>>> New, TLSv1/SSLv3, Cipher is AES128-SHA
>>>>>>> Server public key is 2048 bit
>>>>>>> Secure Renegotiation IS supported
>>>>>>> Compression: NONE
>>>>>>> Expansion: NONE
>>>>>>> SSL-Session:
>>>>>>> Protocol : TLSv1
>>>>>>> Cipher : AES128-SHA
>>>>>>> Session-ID: [ ... ]
>>>>>>> Sendmail normally performs crypto via STARTTLS negotiation rather than via SMTPS; there's a CipherList option which can be defined via sendmail.mc / sendmail.cf. You might need to recompile sendmail with -D_FFR_TLS_1, which I think that novosial page mentions.
>>>>>> sendmail has _FFR_TLS_1 compiled in per the tests in the web page
>>>>>> mentioned above. The CipherList option doesn’t seem to work. I can
>>>>>> connect and send mail with that in place using the EXPORT ciphers.
>>>>> Doug,
>>>>> I have this added to my /etc/mail/{HOSTNAME}.mc file.
>>>>> LOCAL_CONFIG
>>>>> O CipherList=ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
>>>>> Of course you can use other options, this has been there for a while in mine, carried over from some time a few versions back. Probably should get around to testing it to make sure it actually is still working. It doesn't take long to add it in and run a quick test.
>>>> As I replied earlier, I have done that. I can still use:
>>>> openssl s_client -connect localhost:25 -starttls smtp -cipher EXPORT
>>>
>>> Strange, it seems to be working on mine.
>>>
>>> if I use the following, it connects:
>>> openssl s_client -connect 192.168.5.2:25 -starttls smtp
>>> CONNECTED(00000003)
>>> depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
>>> [snip]
>>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
>>> Server public key is 4096 bit
>>> Secure Renegotiation IS supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>> Protocol : TLSv1.2
>>> Cipher : DHE-RSA-AES256-GCM-SHA384
>>> [snip]
>>>
>>>
>>> if I use the cipher option to specify aNULL, it fails:
>>>
>>> openssl s_client -connect 192.168.5.2:25 -starttls smtp -cipher aNULL
>>> CONNECTED(00000003)
>>> 34379254472:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/jails/devel/ROOT/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:770:
>>> ---
>>> no peer certificate available
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 353 bytes and written 234 bytes
>>> ---
>>> New, (NONE), Cipher is (NONE)
>>> Secure Renegotiation IS NOT supported
>>> Compression: NONE
>>> Expansion: NONE
>>
>> Interesting. That does seem to work for you. I will have to do some more digging into the code. For some reason it doesn’t work for me. Thanks for that assistance.
>
> After more testing, I think you need to try:
>
> openssl s_client -connect 192.168.5.2:25 -starttls smtp -cipher EXP
>
> I suspect it will give:
> New, TLSv1/SSLv3, Cipher is EXP-DES-CBC-SHA
>
>
> That is the export cipher which is the problem.
>
I found the problem. Sendmail was not able to access the pid file. Hence it would not shut down. There was no error message about that. As a result, the existing processes were not terminated. Starting sendmail again ran into the same issue. That did generate a small error message that was hidden in a bunch of other messages (this is a production server). When I ran the tests, it was the original server (without the CipherList entries) that responded. Thus it always accepted mail using any cipher.
Once I managed to terminate the original processes and get the new ones running, then the CipherList did work properly. Thanks to all for the assistance.
I did encounter one very interesting side effect when building the cf file from the mc file for one system. Sendmail threw an error when starting that line 46 was invalid. Line 46 was in the middle of a string of blank lines. I deleted 3 lines around it (all blank) and then sendmail is happy and works. I suspect there is some non-printing character generated in that line, but I haven’t checked that out.
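The check this thread converges on, as an added example that is not part of the original posts: a shell helper that reads `openssl s_client` output and reports whether an export cipher was negotiated, so the test can be repeated after every sendmail restart. The function names and sample transcripts are constructed for illustration; the summary lines mirror those quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Feed it the output of the test used above:
#   openssl s_client -connect localhost:25 -starttls smtp -cipher EXPORT </dev/null 2>&1 | export_verdict

# negotiated_cipher: read s_client output on stdin and print the cipher named on
# the first "New, <protocol>, Cipher is <name>" summary line (empty if no such line).
negotiated_cipher() {
    tr -d '\r' | sed -n 's/^.*New, .*, Cipher is \(.*\)$/\1/p' | head -n 1
}

# export_verdict: classify the handshake result read from stdin.
#   UNKNOWN          no summary line at all (connection never reached TLS)
#   REJECTED         server refused every offered cipher: "Cipher is (NONE)"
#   ACCEPTED-EXPORT  an export suite was negotiated (OpenSSL names these EXP...)
#   ACCEPTED-OTHER   a non-export suite was negotiated
export_verdict() {
    c=$(negotiated_cipher)
    case "$c" in
        "")       echo "UNKNOWN" ;;
        "(NONE)") echo "REJECTED" ;;
        EXP*)     echo "ACCEPTED-EXPORT $c" ;;
        *)        echo "ACCEPTED-OTHER $c" ;;
    esac
}

# Constructed sample transcripts, built from summary lines quoted in the thread.
sample_export() {
    printf '%s\n' 'CONNECTED(00000003)' '---' \
        'New, TLSv1/SSLv3, Cipher is EXP-DES-CBC-SHA' \
        'Secure Renegotiation IS supported'
}
sample_refused() {
    printf '%s\n' 'CONNECTED(00000003)' '---' \
        'New, (NONE), Cipher is (NONE)' \
        'Secure Renegotiation IS NOT supported'
}

sample_export  | export_verdict
sample_refused | export_verdict
```

A result of ACCEPTED-EXPORT after a CipherList change is the symptom described above; it is then worth confirming that the process answering on port 25 is the newly started one.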