From mboxrd@z Thu Jan  1 00:00:00 1970
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: [PATCH] set OpenSSL DEFAULT cipher list to secure value
Date: Sat, 20 Jan 2018 15:28:57 +0100
Message-ID: <20180120152857.538069c6.peter.mueller@link38.eu>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4277350947625446537=="
List-Id: <development.lists.ipfire.org>

--===============4277350947625446537==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Only use secure cipher list for the OpenSSL DEFAULT list:
* ECDSA is preferred over RSA since it is faster and more scalable
* TLS 1.2 suites are preferred over anything older
* weak ciphers such as RC4 and 3DES have been eliminated
* AES-GCM is preferred over AES-CBC (known as "mac-then-encrypt" problem)
* ciphers without PFS are moved to the end of the cipher list

The DEFAULT cipher list is now ("openssl ciphers -v"):

ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=3DECDH     Au=3DECDSA Enc=3DAESGCM(2=
56) Mac=3DAEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=3DECDH     Au=3DECDSA Enc=3DAES(256)  Ma=
c=3DSHA384
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=3DECDH     Au=3DECDSA Enc=3DAESGCM(1=
28) Mac=3DAEAD
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=3DECDH     Au=3DECDSA Enc=3DAES(128)  Ma=
c=3DSHA256
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=3DECDH     Au=3DRSA  Enc=3DAESGCM(256)=
 Mac=3DAEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=3DECDH     Au=3DRSA  Enc=3DAES(256)  Mac=
=3DSHA384
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=3DECDH     Au=3DRSA  Enc=3DAESGCM(128)=
 Mac=3DAEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=3DECDH     Au=3DRSA  Enc=3DAES(128)  Mac=
=3DSHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=3DDH       Au=3DRSA  Enc=3DAESGCM(256) M=
ac=3DAEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=3DDH       Au=3DRSA  Enc=3DAES(256)  Mac=
=3DSHA256
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=3DDH       Au=3DRSA  Enc=3DAESGCM(128) M=
ac=3DAEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=3DDH       Au=3DRSA  Enc=3DAES(128)  Mac=
=3DSHA256
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=3DECDH     Au=3DECDSA Enc=3DAES(256)  Mac=3D=
SHA1
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=3DECDH     Au=3DECDSA Enc=3DAES(128)  Mac=3D=
SHA1
ECDHE-RSA-AES256-SHA    SSLv3 Kx=3DECDH     Au=3DRSA  Enc=3DAES(256)  Mac=3DS=
HA1
ECDHE-RSA-AES128-SHA    SSLv3 Kx=3DECDH     Au=3DRSA  Enc=3DAES(128)  Mac=3DS=
HA1
DHE-RSA-AES256-SHA      SSLv3 Kx=3DDH       Au=3DRSA  Enc=3DAES(256)  Mac=3DS=
HA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=3DDH       Au=3DRSA  Enc=3DCamellia(256) Mac=
=3DSHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=3DDH       Au=3DRSA  Enc=3DAES(128)  Mac=3DS=
HA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=3DDH       Au=3DRSA  Enc=3DCamellia(128) Mac=
=3DSHA1
AES256-GCM-SHA384       TLSv1.2 Kx=3DRSA      Au=3DRSA  Enc=3DAESGCM(256) Mac=
=3DAEAD
AES256-SHA256           TLSv1.2 Kx=3DRSA      Au=3DRSA  Enc=3DAES(256)  Mac=
=3DSHA256
AES128-GCM-SHA256       TLSv1.2 Kx=3DRSA      Au=3DRSA  Enc=3DAESGCM(128) Mac=
=3DAEAD
AES128-SHA256           TLSv1.2 Kx=3DRSA      Au=3DRSA  Enc=3DAES(128)  Mac=
=3DSHA256
AES256-SHA              SSLv3 Kx=3DRSA      Au=3DRSA  Enc=3DAES(256)  Mac=3DS=
HA1
CAMELLIA256-SHA         SSLv3 Kx=3DRSA      Au=3DRSA  Enc=3DCamellia(256) Mac=
=3DSHA1
AES128-SHA              SSLv3 Kx=3DRSA      Au=3DRSA  Enc=3DAES(128)  Mac=3DS=
HA1
CAMELLIA128-SHA         SSLv3 Kx=3DRSA      Au=3DRSA  Enc=3DCamellia(128) Mac=
=3DSHA1

This has been discussed at 2017-12-04 (https://wiki.ipfire.org/devel/telco/20=
17-12-04).

Signed-off-by: Peter M=C3=BCller <peter.mueller(a)link38.eu>
Cc: Michael Tremer <michael.tremer(a)ipfire.org>
---
 lfs/openssl                                   |  2 +-
 src/patches/openssl-1.0.2n-weak-ciphers.patch | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 src/patches/openssl-1.0.2n-weak-ciphers.patch

diff --git a/lfs/openssl b/lfs/openssl
index 6050768ec..65d738d0f 100644
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -126,7 +126,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.0-beta5-en=
ginesdir.patch
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2a-rpmbuil=
d.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2h-weak-ci=
phers.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2n-weak-ci=
phers.patch
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2g-disable=
-sslv2v3.patch
=20
 	# i586 specific patches
diff --git a/src/patches/openssl-1.0.2n-weak-ciphers.patch b/src/patches/open=
ssl-1.0.2n-weak-ciphers.patch
new file mode 100644
index 000000000..9fb4051e3
--- /dev/null
+++ b/src/patches/openssl-1.0.2n-weak-ciphers.patch
@@ -0,0 +1,12 @@
+diff -Naur openssl-1.0.2n-orig/ssl/ssl.h openssl-1.0.2n/ssl/ssl.h
+--- openssl-1.0.2n-orig/ssl/ssl.h	2017-12-07 14:16:42.000000000 +0100
++++ openssl-1.0.2n/ssl/ssl.h	2018-01-20 11:56:02.477927590 +0100
+@@ -338,7 +338,7 @@
+  * The following cipher list is used by default. It also is substituted when
+  * an application-defined cipher list string starts with 'DEFAULT'.
+  */
+-# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2"
++# define SSL_DEFAULT_CIPHER_LIST "kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+kRSA:=
!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!kECDH:!IDEA:!SEED:!RC4:!kDH:!DS=
S"
+ /*
+  * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
+  * starts with a reasonable order, and all we have to do for DEFAULT is
--=20
2.13.6


--===============4277350947625446537==--