From mboxrd@z Thu Jan  1 00:00:00 1970
From: Tom Rymes <trymes@rymes.com>
To: development@lists.ipfire.org
Subject: Re: [PATCH] set OpenSSL DEFAULT cipher list to secure value
Date: Sun, 21 Jan 2018 16:00:25 -0500
Message-ID: <613C0B52-23BB-4FE1-81CD-DD4CAC6E8D27@rymes.com>
In-Reply-To: <1516564460.2936.4.camel@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7359515048081041319=="
List-Id: <development.lists.ipfire.org>

--===============7359515048081041319==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

What would be the negative implications of this patch? Would existing tunnels=
 on production servers stop working?

> On Jan 21, 2018, at 2:55 PM, Paul Simmons <mbatranch(a)gmail.com> wrote:
>=20
>> On Sun, 2018-01-21 at 19:08 +0000, Michael Tremer wrote:
>> Hello,
>>=20
>> since there usually is a few people being opinionated about this sort
>> of changes, I will wait a little until we get the comments in. Let's
>> say a week.
>>=20
>> Best,
>> -Michael
>>=20
>>> On Sat, 2018-01-20 at 15:28 +0100, Peter M=C3=BCller wrote:
>>> Only use secure cipher list for the OpenSSL DEFAULT list:
>>> * ECDSA is preferred over RSA since it is faster and more scalable
>>> * TLS 1.2 suites are preferred over anything older
>>> * weak ciphers such as RC4 and 3DES have been eliminated
>>> * AES-GCM is preferred over AES-CBC (known as "mac-then-encrypt"
>>> problem)
>>> * ciphers without PFS are moved to the end of the cipher list
>>>=20
>>> The DEFAULT cipher list is now ("openssl ciphers -v"):
>>>=20
>>> ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=3DECDH     Au=3DECDSA
>>> Enc=3DAESGCM(256) Mac=3DAEAD
>>> ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=3DECDH     Au=3DECDSA
>>> Enc=3DAES(256)  Mac=3DSHA384
>>> ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=3DECDH     Au=3DECDSA
>>> Enc=3DAESGCM(128) Mac=3DAEAD
>>> ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=3DECDH     Au=3DECDSA
>>> Enc=3DAES(128)  Mac=3DSHA256
>>> ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2
>>> Kx=3DECDH     Au=3DRSA  Enc=3DAESGCM(256) Mac=3DAEAD
>>> ECDHE-RSA-AES256-SHA384 TLSv1.2
>>> Kx=3DECDH     Au=3DRSA  Enc=3DAES(256)  Mac=3DSHA384
>>> ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
>>> Kx=3DECDH     Au=3DRSA  Enc=3DAESGCM(128) Mac=3DAEAD
>>> ECDHE-RSA-AES128-SHA256 TLSv1.2
>>> Kx=3DECDH     Au=3DRSA  Enc=3DAES(128)  Mac=3DSHA256
>>> DHE-RSA-AES256-GCM-SHA384 TLSv1.2
>>> Kx=3DDH       Au=3DRSA  Enc=3DAESGCM(256) Mac=3DAEAD
>>> DHE-RSA-AES256-SHA256   TLSv1.2
>>> Kx=3DDH       Au=3DRSA  Enc=3DAES(256)  Mac=3DSHA256
>>> DHE-RSA-AES128-GCM-SHA256 TLSv1.2
>>> Kx=3DDH       Au=3DRSA  Enc=3DAESGCM(128) Mac=3DAEAD
>>> DHE-RSA-AES128-SHA256   TLSv1.2
>>> Kx=3DDH       Au=3DRSA  Enc=3DAES(128)  Mac=3DSHA256
>>> ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=3DECDH     Au=3DECDSA
>>> Enc=3DAES(256)  Mac=3DSHA1
>>> ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=3DECDH     Au=3DECDSA
>>> Enc=3DAES(128)  Mac=3DSHA1
>>> ECDHE-RSA-AES256-SHA    SSLv3
>>> Kx=3DECDH     Au=3DRSA  Enc=3DAES(256)  Mac=3DSHA1
>>> ECDHE-RSA-AES128-SHA    SSLv3
>>> Kx=3DECDH     Au=3DRSA  Enc=3DAES(128)  Mac=3DSHA1
>>> DHE-RSA-AES256-SHA      SSLv3
>>> Kx=3DDH       Au=3DRSA  Enc=3DAES(256)  Mac=3DSHA1
>>> DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=3DDH       Au=3DRSA  Enc=3DCamellia(256)
>>> Mac=3DSHA1
>>> DHE-RSA-AES128-SHA      SSLv3
>>> Kx=3DDH       Au=3DRSA  Enc=3DAES(128)  Mac=3DSHA1
>>> DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=3DDH       Au=3DRSA  Enc=3DCamellia(128)
>>> Mac=3DSHA1
>>> AES256-GCM-SHA384       TLSv1.2 Kx=3DRSA      Au=3DRSA  Enc=3DAESGCM(256)
>>> Mac=3DAEAD
>>> AES256-SHA256           TLSv1.2
>>> Kx=3DRSA      Au=3DRSA  Enc=3DAES(256)  Mac=3DSHA256
>>> AES128-GCM-SHA256       TLSv1.2 Kx=3DRSA      Au=3DRSA  Enc=3DAESGCM(128)
>>> Mac=3DAEAD
>>> AES128-SHA256           TLSv1.2
>>> Kx=3DRSA      Au=3DRSA  Enc=3DAES(128)  Mac=3DSHA256
>>> AES256-SHA              SSLv3
>>> Kx=3DRSA      Au=3DRSA  Enc=3DAES(256)  Mac=3DSHA1
>>> CAMELLIA256-SHA         SSLv3 Kx=3DRSA      Au=3DRSA  Enc=3DCamellia(256)
>>> Mac=3DSHA1
>>> AES128-SHA              SSLv3
>>> Kx=3DRSA      Au=3DRSA  Enc=3DAES(128)  Mac=3DSHA1
>>> CAMELLIA128-SHA         SSLv3 Kx=3DRSA      Au=3DRSA  Enc=3DCamellia(128)
>>> Mac=3DSHA1
>>>=20
>>> This has been discussed at 2017-12-04 (https://wiki.ipfire.org/deve
>>> l/telco/2017-12-04).
>>>=20
>>> Signed-off-by: Peter M=C3=BCller <peter.mueller(a)link38.eu>
>>> Cc: Michael Tremer <michael.tremer(a)ipfire.org>
>>> ---
>>> lfs/openssl                                   |  2 +-
>>> src/patches/openssl-1.0.2n-weak-ciphers.patch | 12 ++++++++++++
>>> 2 files changed, 13 insertions(+), 1 deletion(-)
>>> create mode 100644 src/patches/openssl-1.0.2n-weak-ciphers.patch
>>>=20
>>> diff --git a/lfs/openssl b/lfs/openssl
>>> index 6050768ec..65d738d0f 100644
>>> --- a/lfs/openssl
>>> +++ b/lfs/openssl
>>> @@ -126,7 +126,7 @@ $(TARGET) : $(patsubst
>>> %,$(DIR_DL)/%,$(objects))
>>>    @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf
>>> $(DIR_DL)/$(DL_FILE)
>>>    cd $(DIR_APP) && patch -Np1 <
>>> $(DIR_SRC)/src/patches/openssl-1.0.0-beta5-enginesdir.patch
>>>    cd $(DIR_APP) && patch -Np1 <
>>> $(DIR_SRC)/src/patches/openssl-1.0.2a-rpmbuild.patch
>>> -    cd $(DIR_APP) && patch -Np1 <
>>> $(DIR_SRC)/src/patches/openssl-1.0.2h-weak-ciphers.patch
>>> +    cd $(DIR_APP) && patch -Np1 <
>>> $(DIR_SRC)/src/patches/openssl-1.0.2n-weak-ciphers.patch
>>>    cd $(DIR_APP) && patch -Np1 <
>>> $(DIR_SRC)/src/patches/openssl-1.0.2g-disable-sslv2v3.patch
>>>=20
>>>    # i586 specific patches
>>> diff --git a/src/patches/openssl-1.0.2n-weak-ciphers.patch
>>> b/src/patches/openssl-1.0.2n-weak-ciphers.patch
>>> new file mode 100644
>>> index 000000000..9fb4051e3
>>> --- /dev/null
>>> +++ b/src/patches/openssl-1.0.2n-weak-ciphers.patch
>>> @@ -0,0 +1,12 @@
>>> +diff -Naur openssl-1.0.2n-orig/ssl/ssl.h openssl-1.0.2n/ssl/ssl.h
>>> +--- openssl-1.0.2n-orig/ssl/ssl.h    2017-12-07
>>> 14:16:42.000000000 +0100
>>> ++++ openssl-1.0.2n/ssl/ssl.h    2018-01-20 11:56:02.477927590
>>> +0100
>>> +@@ -338,7 +338,7 @@
>>> +  * The following cipher list is used by default. It also is
>>> substituted when
>>> +  * an application-defined cipher list string starts with
>>> 'DEFAULT'.
>>> +  */
>>> +-# define SSL_DEFAULT_CIPHER_LIST
>>> "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2"
>>> ++# define SSL_DEFAULT_CIPHER_LIST
>>> "kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+kRSA:!aNULL:!eNULL:!LOW:!3DES:
>>> !MD5:!EXP:!PSK:!SRP:!kECDH:!IDEA:!SEED:!RC4:!kDH:!DSS"
>>> + /*
>>> +  * As of OpenSSL 1.0.0, ssl_create_cipher_list() in
>>> ssl/ssl_ciph.c always
>>> +  * starts with a reasonable order, and all we have to do for
>>> DEFAULT is
>=20
> Since some IPFire users are ignorant of the latest and greatest security=20
> discussions, implementing this patch will help many of us to adhere to=20
> best practices.  Therefore, I support this patch.
>=20
> Best,
> Paul Simmons

--===============7359515048081041319==--