Unsupported RC4 cipher #251

Open
hasenberg41 opened this issue Jun 29, 2023 · 3 comments

Comments

@hasenberg41

(Sorry for my English)
On my system and in Docker I try to use RubySMB::Client and receive the error:
.../ruby_smb-3.2.5/lib/ruby_smb/ntlm/client.rb:33:in 'initialize': unsupported (OpenSSL::Cipher::CipherError)
This line contains the code rc4 = OpenSSL::Cipher.new("rc4")
OpenSSL::Cipher.ciphers shows me that rc4 already exists in the list of ciphers

I tried recompiling OpenSSL for my Linux with the enable-weak-ssl-ciphers parameter - it does not help
I tried installing OpenSSL version 1.1.1f - it does not help either
I also fetched the latest version of the OpenSSL gem and changed the ssl.rb file to return the RC4 ciphers to the list (I forgot which commit deleted this). And it does not help either

@cdelafuente-r7
Contributor

Hi, thank you for reporting this.

Please, could you give me more information about your environment? I was not able to reproduce this error.

Do you get the same error in an IRB session?

3.0.2 :001 > require 'openssl'
 => true
3.0.2 :002 > OpenSSL::Cipher.new("rc4")
 => #<OpenSSL::Cipher:0x00007ff2a7a4ec68>

If not, would you mind sending the output of the following commands in IRB?

OpenSSL::OPENSSL_LIBRARY_VERSION
OpenSSL::OPENSSL_VERSION
OpenSSL::OPENSSL_VERSION_NUMBER
OpenSSL::VERSION
RUBY_VERSION
RUBY_PATCHLEVEL

Also, could you try using bundle from the ruby_smb root directory?

bundle update
bundle exec irb

@adfoster-r7
Contributor

adfoster-r7 commented Jul 24, 2023

Please, could you give me more information about your environment? I was not able to reproduce this error.

It replicates on a default Ubuntu 22.04 box with OpenSSL 3; If you were testing on a Kali environment or rvm compiled with its OpenSSL 1.1.1 package, it won't replicate. Kali ships global OpenSSL config to enable weak cyphers - for my env it's in /usr/share/kali-defaults/etc/ssl/openssl.cnf

Example of replication with Ubuntu 22.04:

3.1.2 :001 > require 'openssl'
 => true 
3.1.2 :002 > rc4 = OpenSSL::Cipher.new("rc4")
(irb):2:in `initialize': unsupported (OpenSSL::Cipher::CipherError)
        from (irb):2:in `new'                                                         
        from (irb):2:in `<main>'                                                      
        from /home/a/.rvm/gems/ruby-3.1.2/gems/irb-1.6.3/exe/irb:9:in `<top (required)>'
        from /home/a/.rvm/gems/ruby-3.1.2/bin/irb:25:in `load'                        
        from /home/a/.rvm/gems/ruby-3.1.2/bin/irb:25:in `<main>'                      
        from /home/a/.rvm/gems/ruby-3.1.2/bin/ruby_executable_hooks:22:in `eval'      
        from /home/a/.rvm/gems/ruby-3.1.2/bin/ruby_executable_hooks:22:in `<main>'    

To work around this issue, as part of ruby_smb's test suite we've added config to load the weak cyphers by default:
#234

For instance if you set the OpenSSL config setting to RubySMB's test config file before loading the OpenSSL library, things would work:

~/ruby_smb$ irb
3.1.2 :001 > ENV['OPENSSL_CONF'] = File.expand_path(File.join(File.dirname(__FILE__), 'spec', 'support', 'openssl.conf'))
 => "/home/a/ruby_smb/spec/support/openssl.conf" 
3.1.2 :002 > require 'openssl'
 => true 
3.1.2 :003 > rc4 = OpenSSL::Cipher.new("rc4")
 => #<OpenSSL::Cipher:0x00007f3eb0648e08> 

It would obviously be rude for the ruby_smb library to globally set weak ciphers, so it should be enabled in your app in a way that is aligned with your security requirements. There's also the possibility of us updating ruby_smb to use a native Ruby rc4 implementation etc. similar to WinRb/rubyntlm#53, but I haven't done an audit for all of the legacy cyphers that we'd need to have native implementations for.

@cdelafuente-r7
Contributor

Thanks @adfoster-r7 ! I would prefer a native Ruby implementation as you suggested.
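The native Ruby RC4 fallback discussed in the two comments above, as an added example that is not ruby_smb's code or the rubyntlm change it references: it asks OpenSSL for "rc4" first and, when the default provider answers with the CipherError shown in the issue, falls back to a pure-Ruby RC4 so legacy NTLM key material can still be processed without a global OpenSSL config change. The class name PureRubyRC4 and the helper rc4_crypt are assumptions for this illustration.

```ruby
# Added example (not ruby_smb code): pure-Ruby RC4 as a fallback for OpenSSL 3
# builds that refuse OpenSSL::Cipher.new("rc4") without the legacy provider.
require 'openssl'

# Minimal RC4 (key-scheduling + pseudo-random generation). RC4 is a stream
# cipher, so the same call both encrypts and decrypts.
class PureRubyRC4
  def initialize(key)
    raise ArgumentError, 'key must be 1..256 bytes' unless (1..256).cover?(key.bytesize)
    @s = (0..255).to_a
    kb = key.bytes
    j = 0
    256.times do |i|                       # KSA: permute S using the key bytes
      j = (j + @s[i] + kb[i % kb.size]) & 0xff
      @s[i], @s[j] = @s[j], @s[i]
    end
    @i = 0
    @j = 0
  end

  def update(data)
    data.bytes.map { |b| b ^ next_byte }.pack('C*')
  end

  private

  def next_byte                            # PRGA: one keystream byte per call
    @i = (@i + 1) & 0xff
    @j = (@j + @s[@i]) & 0xff
    @s[@i], @s[@j] = @s[@j], @s[@i]
    @s[(@s[@i] + @s[@j]) & 0xff]
  end
end

# Prefer OpenSSL when its provider exposes RC4; otherwise use the Ruby cipher.
# OpenSSL 3 without the legacy provider raises CipherError ("unsupported") here,
# which is exactly the failure reported in this issue.
def rc4_crypt(key, data)
  cipher = OpenSSL::Cipher.new('rc4')
  cipher.encrypt
  cipher.key_len = key.bytesize            # RC4 keys are variable length
  cipher.key = key
  cipher.update(data) + cipher.final
rescue OpenSSL::Cipher::CipherError, ArgumentError
  PureRubyRC4.new(key).update(data)
end
```

The assertions below use the well-known RC4 test vectors (key "Key"/"Plaintext" and "Wiki"/"pedia"), so the fallback can be checked against OpenSSL's output wherever RC4 is still available.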
