From mboxrd@z Thu Jan  1 00:00:00 1970
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: [PATCH] set OpenSSL 1.1.0 DEFAULT cipher list to secure value
Date: Tue, 27 Feb 2018 18:35:22 +0100
Message-ID: <20180227183522.7f45d376.peter.mueller@link38.eu>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4003228559021306121=="
List-Id: <development.lists.ipfire.org>

--===============4003228559021306121==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Only use secure cipher list for the OpenSSL DEFAULT list:
* ECDSA is preferred over RSA since it is faster and more scalable
* TLS 1.2 suites are preferred over anything older
* weak ciphers such as RC4 and 3DES have been eliminated
* AES-GCM is preferred over AES-CBC (known as "mac-then-encrypt" problem)
* ciphers without PFS are moved to the end of the cipher list

This patch leaves AES-CCM, AES-CCM8 and CHACHA20-POLY1305 suites
where they are since they are considered secure and there is no
need to change anything.

The DEFAULT cipher list is now (output of "openssl ciphers -v"):

ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=3DECDH     Au=3DECDSA Enc=3DAESGCM(2=
56) Mac=3DAEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=3DECDH     Au=3DECDSA Enc=3DCHACHA20=
/POLY1305(256) Mac=3DAEAD
ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=3DECDH     Au=3DECDSA Enc=3DAESCCM8(256) M=
ac=3DAEAD
ECDHE-ECDSA-AES256-CCM  TLSv1.2 Kx=3DECDH     Au=3DECDSA Enc=3DAESCCM(256) Ma=
c=3DAEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=3DECDH     Au=3DECDSA Enc=3DAESGCM(1=
28) Mac=3DAEAD
ECDHE-ECDSA-AES128-CCM8 TLSv1.2 Kx=3DECDH     Au=3DECDSA Enc=3DAESCCM8(128) M=
ac=3DAEAD
ECDHE-ECDSA-AES128-CCM  TLSv1.2 Kx=3DECDH     Au=3DECDSA Enc=3DAESCCM(128) Ma=
c=3DAEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=3DECDH     Au=3DECDSA Enc=3DAES(256)  Ma=
c=3DSHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=3DECDH     Au=3DECDSA Enc=3DCamelli=
a(256) Mac=3DSHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=3DECDH     Au=3DECDSA Enc=3DAES(128)  Ma=
c=3DSHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=3DECDH     Au=3DECDSA Enc=3DCamelli=
a(128) Mac=3DSHA256
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=3DECDH     Au=3DRSA  Enc=3DAESGCM(256)=
 Mac=3DAEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=3DECDH     Au=3DRSA  Enc=3DCHACHA20/PO=
LY1305(256) Mac=3DAEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=3DECDH     Au=3DRSA  Enc=3DAESGCM(128)=
 Mac=3DAEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=3DECDH     Au=3DRSA  Enc=3DAES(256)  Mac=
=3DSHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=3DECDH     Au=3DRSA  Enc=3DCamellia(2=
56) Mac=3DSHA384
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=3DECDH     Au=3DRSA  Enc=3DAES(128)  Mac=
=3DSHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=3DECDH     Au=3DRSA  Enc=3DCamellia(1=
28) Mac=3DSHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=3DDH       Au=3DRSA  Enc=3DAESGCM(256) M=
ac=3DAEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=3DDH       Au=3DRSA  Enc=3DCHACHA20/POLY=
1305(256) Mac=3DAEAD
DHE-RSA-AES256-CCM8     TLSv1.2 Kx=3DDH       Au=3DRSA  Enc=3DAESCCM8(256) Ma=
c=3DAEAD
DHE-RSA-AES256-CCM      TLSv1.2 Kx=3DDH       Au=3DRSA  Enc=3DAESCCM(256) Mac=
=3DAEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=3DDH       Au=3DRSA  Enc=3DAESGCM(128) M=
ac=3DAEAD
DHE-RSA-AES128-CCM8     TLSv1.2 Kx=3DDH       Au=3DRSA  Enc=3DAESCCM8(128) Ma=
c=3DAEAD
DHE-RSA-AES128-CCM      TLSv1.2 Kx=3DDH       Au=3DRSA  Enc=3DAESCCM(128) Mac=
=3DAEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=3DDH       Au=3DRSA  Enc=3DAES(256)  Mac=
=3DSHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=3DDH       Au=3DRSA  Enc=3DCamellia(256=
) Mac=3DSHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=3DDH       Au=3DRSA  Enc=3DAES(128)  Mac=
=3DSHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=3DDH       Au=3DRSA  Enc=3DCamellia(128=
) Mac=3DSHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=3DECDH     Au=3DECDSA Enc=3DAES(256)  Mac=3D=
SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=3DECDH     Au=3DECDSA Enc=3DAES(128)  Mac=3D=
SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=3DECDH     Au=3DRSA  Enc=3DAES(256)  Mac=3DS=
HA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=3DECDH     Au=3DRSA  Enc=3DAES(128)  Mac=3DS=
HA1
DHE-RSA-AES256-SHA      SSLv3 Kx=3DDH       Au=3DRSA  Enc=3DAES(256)  Mac=3DS=
HA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=3DDH       Au=3DRSA  Enc=3DCamellia(256) Mac=
=3DSHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=3DDH       Au=3DRSA  Enc=3DAES(128)  Mac=3DS=
HA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=3DDH       Au=3DRSA  Enc=3DCamellia(128) Mac=
=3DSHA1
AES256-GCM-SHA384       TLSv1.2 Kx=3DRSA      Au=3DRSA  Enc=3DAESGCM(256) Mac=
=3DAEAD
AES256-CCM8             TLSv1.2 Kx=3DRSA      Au=3DRSA  Enc=3DAESCCM8(256) Ma=
c=3DAEAD
AES256-CCM              TLSv1.2 Kx=3DRSA      Au=3DRSA  Enc=3DAESCCM(256) Mac=
=3DAEAD
AES128-GCM-SHA256       TLSv1.2 Kx=3DRSA      Au=3DRSA  Enc=3DAESGCM(128) Mac=
=3DAEAD
AES128-CCM8             TLSv1.2 Kx=3DRSA      Au=3DRSA  Enc=3DAESCCM8(128) Ma=
c=3DAEAD
AES128-CCM              TLSv1.2 Kx=3DRSA      Au=3DRSA  Enc=3DAESCCM(128) Mac=
=3DAEAD
AES256-SHA256           TLSv1.2 Kx=3DRSA      Au=3DRSA  Enc=3DAES(256)  Mac=
=3DSHA256
CAMELLIA256-SHA256      TLSv1.2 Kx=3DRSA      Au=3DRSA  Enc=3DCamellia(256) M=
ac=3DSHA256
AES128-SHA256           TLSv1.2 Kx=3DRSA      Au=3DRSA  Enc=3DAES(128)  Mac=
=3DSHA256
CAMELLIA128-SHA256      TLSv1.2 Kx=3DRSA      Au=3DRSA  Enc=3DCamellia(128) M=
ac=3DSHA256
AES256-SHA              SSLv3 Kx=3DRSA      Au=3DRSA  Enc=3DAES(256)  Mac=3DS=
HA1
CAMELLIA256-SHA         SSLv3 Kx=3DRSA      Au=3DRSA  Enc=3DCamellia(256) Mac=
=3DSHA1
AES128-SHA              SSLv3 Kx=3DRSA      Au=3DRSA  Enc=3DAES(128)  Mac=3DS=
HA1
CAMELLIA128-SHA         SSLv3 Kx=3DRSA      Au=3DRSA  Enc=3DCamellia(128) Mac=
=3DSHA1

This has been discussed at 2017-12-04 (https://wiki.ipfire.org/devel/telco/20=
17-12-04)
and for a similar patch written for OpenSSL 1.0.x.

Signed-off-by: Peter M=C3=BCller <peter.mueller(a)link38.eu>
---
 lfs/openssl                                   |  3 +++
 src/patches/openssl-1.1.0g-weak-ciphers.patch | 11 +++++++++++
 2 files changed, 14 insertions(+)
 create mode 100644 src/patches/openssl-1.1.0g-weak-ciphers.patch

diff --git a/lfs/openssl b/lfs/openssl
index bd7098039..6e17e79e6 100644
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -131,6 +131,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	cd $(DIR_APP) && ./Configure $(CONFIGURE_OPTIONS) \
 		$(CFLAGS) $(LDFLAGS)
=20
+	# Apply patch for changing DEFAULT cipher list (needed after configure)
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.0g-weak-ci=
phers.patch
+
 	cd $(DIR_APP) && make depend
 	cd $(DIR_APP) && make
=20
diff --git a/src/patches/openssl-1.1.0g-weak-ciphers.patch b/src/patches/open=
ssl-1.1.0g-weak-ciphers.patch
new file mode 100644
index 000000000..66dad2bee
--- /dev/null
+++ b/src/patches/openssl-1.1.0g-weak-ciphers.patch
@@ -0,0 +1,11 @@
+--- openssl-1.1.0g-orig/include/openssl/ssl.h	2017-11-02 15:29:05.000000000 =
+0100
++++ openssl-1.1.0g/include/openssl/ssl.h	2018-02-27 18:23:43.522649728 +0100
+@@ -194,7 +194,7 @@
+  * The following cipher list is used by default. It also is substituted when
+  * an application-defined cipher list string starts with 'DEFAULT'.
+  */
+-# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
++# define SSL_DEFAULT_CIPHER_LIST "kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+kRSA:=
!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!kECDH:!IDEA:!SEED:!RC4:!kDH:!DS=
S"
+ /*
+  * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
+  * starts with a reasonable order, and all we have to do for DEFAULT is
--=20
2.13.6


--===============4003228559021306121==--