Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow the auth ciphers to be specified with the -c option #1208

Merged
merged 1 commit into from
Aug 5, 2017
Merged

Allow the auth ciphers to be specified with the -c option #1208

merged 1 commit into from
Aug 5, 2017

Conversation

chewi
Copy link
Contributor

@chewi chewi commented Jul 25, 2017

The current list is too weak for PCI-DSS.

@ddpbsd
Copy link
Member

ddpbsd commented Jul 27, 2017

Thanks for the pull request! It looks like you copied the same default ciphers that are currently used. Is there some guidance on what should be the default (I don't have to deal with PCI-DSS)? I'd rather set the default to something better than force everyone to have to figure it out on their own.

@chewi
Copy link
Contributor Author

chewi commented Jul 27, 2017

This is decided by our security officer so I don't know exactly which ciphers were bad but he chose:

HIGH:!ADH:!LOW:!EXP:!MD5:!3DES:!CAMELLIA:@STRENGTH

If that works for you, I'll make the change.

@nbuuck
Copy link
Contributor

nbuuck commented Jul 27, 2017

It might be interesting or valuable to do a packet capture of the handshake to see what is getting offered by the client and server with that cipher list string. I'm particularly interested in RC4, as OpenSSL Docs -
Ciphers indicates that RC4 is its own cipher class but the proposed cipher list doesn't remove RC4 which is a cipher that should be avoided.

@chewi
Copy link
Contributor Author

chewi commented Jul 27, 2017
edited
Loading

What makes you think RC4 is included? Notice that ALL is not in the list. Here is the corresponding list of ciphers. RC4 is not present.

$ openssl ciphers -v 'HIGH:!ADH:!LOW:!EXP:!MD5:!3DES:!CAMELLIA:@STRENGTH'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
SRP-DSS-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=AES(256)  Mac=SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(256)  Mac=SHA1
SRP-AES-256-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(256)  Mac=SHA1
DH-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
DH-RSA-AES256-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA256
DH-DSS-AES256-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(256)  Mac=SHA256
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
DH-RSA-AES256-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA1
DH-DSS-AES256-SHA       SSLv3 Kx=DH/DSS   Au=DH   Enc=AES(256)  Mac=SHA1
AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA1
ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
SRP-DSS-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=AES(128)  Mac=SHA1
SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(128)  Mac=SHA1
SRP-AES-128-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(128)  Mac=SHA1
DH-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
DH-RSA-AES128-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA256
DH-DSS-AES128-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
DH-RSA-AES128-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA1
DH-DSS-AES128-SHA       SSLv3 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA1
AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
ECDH-ECDSA-AES128-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA1
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1

@nbuuck
Copy link
Contributor

nbuuck commented Jul 27, 2017

I didn't claim that it was included and I provided my reasoning for how RC4 could be unintentionally allowed, so I don't have anything further to offer, @chewi.

@ddpbsd
Copy link
Member

ddpbsd commented Jul 27, 2017

HIGH might exclude RC4. Their documentation is not explicit.

@chewi
Copy link
Contributor Author

chewi commented Jul 27, 2017

Fair enough, @nbuuck. He created this list in the context of our environment, which has recent versions of OpenSSL everywhere, so perhaps this would be weaker on older systems. Having said that, you don't have to go that far back for TLS v1.2 to be unsupported anyway. I imagine these classifications evolve over time but I think it's fair to say that if RC4 is not in HIGH now then it will never be in HIGH again.

@chewi
Copy link
Contributor Author

chewi commented Jul 28, 2017

Clearer head today. How about we go with this?

HIGH:!ADH:!EXP:MD5:!RC4:!3DES:!CAMELLIA:@strength

No risk of RC4 appearing. !LOW shouldn't be needed as it should never overlap with HIGH.

@ddpbsd
Copy link
Member

ddpbsd commented Jul 28, 2017

Should that exclude MD5?

HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@strength

@nbuuck
Copy link
Contributor

nbuuck commented Jul 28, 2017

@ddpbsd Preferably, yes: https://wiki.mozilla.org/Security/Server_Side_TLS#Mandatory_discards

@nbuuck
Copy link
Contributor

nbuuck commented Jul 28, 2017
edited
Loading

This is outside of the scope of this PR - and I do think the PR should be merged - but the project's OpenSSL implementation should be reviewed. The current implementation doesn't initialize Diffie-Hellman parameters so there's no Perfect Forward Secrecy for the TLS communications. This silently excludes any cipher suites listed in a previous comment on this PR that contain the string "DHE" (in which E means Ephemeral, providing PFS) per the wiki page linked.

@ddpbsd
Copy link
Member

ddpbsd commented Jul 28, 2017

@nbuuck feel free to open an issue on that

@nbuuck
Copy link
Contributor

nbuuck commented Jul 29, 2017
edited
Loading

Building master with openssl-1.0.2l, the following ciphers are advertised by the server ossec-authd using the cipher string in master:

PORT     STATE SERVICE            VERSION
1515/tcp open  ssl/ifor-protocol?
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: weak

And this is the result with the latest cipher list string (including !MD5):

PORT     STATE SERVICE            VERSION
1515/tcp open  ssl/ifor-protocol?
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

The new cipher list string is a marked improvement, though it is worth noting the cipher suites available are significantly fewer than what should be possible with such a string when using an OpenSSL context created with TLSv1_2_method(): https://gist.github.com/nbuuck/f000acb5d109bdcf90f866bf8456e68e

@chewi
Allow the auth ciphers to be specified with the -c option
7cc360b 
This also updates the default cipher list. The current list is too
weak for PCI-DSS.
@chewi
Copy link
Contributor Author

chewi commented Jul 30, 2017

I have amended the commit with the new list. Thanks for pointing out the Diffie-Hellman issue.

@ddpbsd ddpbsd merged commit c7ee2c1 into ossec:master Aug 5, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@chewi @ddpbsd @nbuuck