Bug 1189952 - Disable SSL2 and the export cipher suites
Summary: Disable SSL2 and the export cipher suites
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: nss
Version: 22
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Elio Maldonado Batiz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1001841
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-02-05 23:50 UTC by Elio Maldonado Batiz
Modified: 2015-03-09 08:31 UTC (History)
12 users (show)

Fixed In Version: nss-3.17.4-5.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of: 1001841
Environment:
Last Closed: 2015-03-09 08:31:25 UTC


Attachments (Terms of Use)
disable ssl2 and export ciphers - ssl library part (3.30 KB, patch)
2015-02-06 02:35 UTC, Elio Maldonado Batiz
no flags Details | Diff
disable ssl2 and export ciphers - tests/ssl part (3.21 KB, patch)
2015-02-06 02:36 UTC, Elio Maldonado Batiz
no flags Details | Diff
fix shell syntax errors in some test scripts (2.92 KB, patch)
2015-02-06 02:38 UTC, Elio Maldonado Batiz
no flags Details | Diff
changes to nss.spec in patch format (12.11 KB, patch)
2015-02-06 02:40 UTC, Elio Maldonado Batiz
no flags Details | Diff
disable ssl2 and export ciphers - tests/ssl part V2 (14.66 KB, patch)
2015-02-06 16:32 UTC, Elio Maldonado Batiz
no flags Details | Diff
fix shell syntax errors in some test scripts V2 (2.92 KB, patch)
2015-02-06 16:34 UTC, Elio Maldonado Batiz
no flags Details | Diff
all changes in one big patch (23.75 KB, patch)
2015-02-06 16:44 UTC, Elio Maldonado Batiz
no flags Details | Diff
disable ssl2 and export ciphers -- ssl library part (4.25 KB, patch)
2015-02-20 17:27 UTC, Elio Maldonado Batiz
no flags Details | Diff
changes to nss.spec in patch format (1.65 KB, patch)
2015-02-20 17:30 UTC, Elio Maldonado Batiz
no flags Details | Diff
disable ssl2 and export cipher - libssl part (3.92 KB, patch)
2015-02-23 02:55 UTC, Elio Maldonado Batiz
kengert: review+
Details | Diff
disable ssl2 and export cipher - test/ssl part (14.71 KB, patch)
2015-02-23 02:57 UTC, Elio Maldonado Batiz
kengert: review+
Details | Diff
fix shell syntax errors in some tests scripts (2.92 KB, patch)
2015-02-23 02:59 UTC, Elio Maldonado Batiz
kengert: review+
Details | Diff
changes to nss.spec - in patch format (1.63 KB, patch)
2015-02-23 03:01 UTC, Elio Maldonado Batiz
kengert: review+
Details | Diff

Comment 1 Elio Maldonado Batiz 2015-02-06 00:14:35 UTC
As of RHEL-7.0 NSS has disabled SSL2 and the export cipher suites. This has been the case since the summer of 2014. In all this time no Red Hat Customers have complained. This was intended to be done for fedora as well last year and for various reasons it didn't happen. 

Upstream has wanted to disable SSl2 support for quite some time and it's quite possible that this will happen later in the year, perhaps in September with the release of nss-3.18. Exact plans are timing is currently fluid.

A good read on SSL2 flaws is https://www.schneier.com/paper-ssl.pdf
A Mozilla wiki page on SSL2-only sites, which may be dated, is 
https://wiki.mozilla.org/Necko:SSL_v2_Sites.

Comment 2 Elio Maldonado Batiz 2015-02-06 02:35:20 UTC
Created attachment 988659 [details]
disable ssl2 and export ciphers - ssl library part

Comment 3 Elio Maldonado Batiz 2015-02-06 02:36:23 UTC
Created attachment 988660 [details]
disable ssl2 and export ciphers - tests/ssl part

Comment 4 Elio Maldonado Batiz 2015-02-06 02:38:07 UTC
Created attachment 988661 [details]
fix shell syntax errors in some test scripts

Comment 5 Elio Maldonado Batiz 2015-02-06 02:40:15 UTC
Created attachment 988662 [details]
changes to nss.spec in patch format

Comment 6 Elio Maldonado Batiz 2015-02-06 16:32:58 UTC
Created attachment 988957 [details]
disable ssl2 and export ciphers - tests/ssl part V2

sync. up with the version for rhel-7

Comment 7 Elio Maldonado Batiz 2015-02-06 16:34:22 UTC
Created attachment 988961 [details]
fix shell syntax errors in some test scripts V2

sync. up with version for rhel-7

Comment 8 Elio Maldonado Batiz 2015-02-06 16:44:19 UTC
Created attachment 988964 [details]
all changes in one big patch

easy to apply, cd master; patch -p1 < bz1189952.patch, not easy to read as the individual patches are

Comment 9 Elio Maldonado Batiz 2015-02-10 03:52:36 UTC
There is something wrong with the patches and when I installed the nss-3.17.4-2.fc22 on my system Firefox could not connect. I have commented out the "export NSS_NO_SSL2=1" line in the nss.spec so SSL2 is not disable a   nss-3.17.4-3.fc22 build should be coming soon. This needs better testing and it's better that I wait until my team mates are available so they can do a proper review, what I should have done in the first place.

Comment 10 Elio Maldonado Batiz 2015-02-16 17:57:37 UTC
Oddly enough the problems with Firefox don't happen in RHEL-7.1 and the set of patches that I used for testing is the same same set. Is not a connection problem as far as I can tell as I can't even change preferences.

Comment 11 Kai Engert (:kaie) (inactive account) 2015-02-18 18:27:20 UTC
Elio said, he ran into an issue with Firefox on Fedora.

The NSS changes that disable SSL 2 caused Firefox to break completely.
No web pages could be loaded.

The Firefox error console indicated that several services couldn't be created (a sort of internal failure).

I found that Firefox calls NSS_SetDomesticPolicy(), which is NSS code that iterates over all the ciphers, and enables each of them.

However, the suggested change to NSS returns an error, as soon as an attempt is made to enable SSL 2 ciphers. This causes NSS to return a failure, which is forwarded to the application, which concludes that NSS failed to initialize.

Because NSS_SetDomesticPolicy() is an NSS internal function, it should be adjusted to not fail (or not trying to enable SSL 2 ciphers at all).

However, looking at the function SSL_CipherPolicySet() which your patch changes, a different strategy might be better.

SSL_CipherPolicySet() has code which says:
  If the cipher is one that has been removed, then don't enable it,
  and return success.

Youl could do the same for the SSL 2 ciphers.

However, an even better idea comes to mind:

Please consider to change the existing function ssl_IsRemovedCipherSuite()
to include the SSL 2 ciphers you are disabling.

Then you wouldn't need to change function SSL_CipherPolicySet() at all.

Comment 12 Elio Maldonado Batiz 2015-02-20 17:23:32 UTC
(In reply to Kai Engert (:kaie) from comment #11)

> SSL_CipherPolicySet() has code which says:
>   If the cipher is one that has been removed, then don't enable it,
>   and return success.
> 
> You could do the same for the SSL 2 ciphers.

That's a very simple one line fix to the disableSSL2libssl.path. Let's call it Fix OptionA. Instead of
#ifdef NSS_NO_SSL2
        rv = SSL_ERROR_SSL2_DISABLED;
#else
        rv = ssl2_SetPolicy(which, policy);

#endif /* NSS_NO_SSL2 */
we would have
#ifdef NSS_NO_SSL2
        rv = SECSucess;
#else
        rv = ssl2_SetPolicy(which, policy);

#endif /* NSS_NO_SSL2 */


> However, an even better idea comes to mind:
> 
> Please consider to change the existing function ssl_IsRemovedCipherSuite()
> to include the SSL 2 ciphers you are disabling.
> 
> Then you wouldn't need to change function SSL_CipherPolicySet() at all.

That, I call it Fix Option B, is a bit more elaborate. I looked at
OpenSSL table mappings: https://testssl.sh/openssl-rfc.mappping.html
and more importantly at
IETF list: http://tools.ietf.org/html/rfc4346#appendix-A.5
and compares with sslprot.h to trim down ones that we don't use.

The changes to the patch would be
diff --git a/disableSSL2libssl.patch b/disableSSL2libssl.patch
index 38d092a..2433110 100644
--- a/disableSSL2libssl.patch
+++ b/disableSSL2libssl.patch
@@ -99,25 +99,45 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
  
        case SSL_NO_STEP_DOWN:
          ss->opt.noStepDown     = on;
-@@ -1168,17 +1182,21 @@ SSL_CipherPolicySet(PRInt32 which, PRInt
- 
-     if (rv != SECSuccess) {
-         return rv;
-     }
- 
-     if (ssl_IsRemovedCipherSuite(which)) {
-         rv = SECSuccess;
-     } else if (SSL_IS_SSL2_CIPHER(which)) {
+@@ -1131,16 +1145,41 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
+ /* function tells us if the cipher suite is one that we no longer support. */
+ static PRBool
+ ssl_IsRemovedCipherSuite(PRInt32 suite)
+ {
+     switch (suite) {
+     case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
+     case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
+     case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA:
 +#ifdef NSS_NO_SSL2
-+        rv = SSL_ERROR_SSL2_DISABLED;
-+#else
-         rv = ssl2_SetPolicy(which, policy);
-+#endif /* NSS_NO_SSL2 */
-     } else {
-         rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
++    /* SSL2 and export cipher suites disabled */
++    case SSL_LIBRARY_VERSION_2:
++    case SSL_EN_RC4_128_WITH_MD5:
++    case SSL_EN_RC4_128_EXPORT40_WITH_MD5:
++    case SSL_EN_RC2_128_CBC_WITH_MD5:
++    case SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5:
++    case SSL_EN_DES_64_CBC_WITH_MD5:
++    case SSL_EN_DES_192_EDE3_CBC_WITH_MD5:
++    case TLS_NULL_WITH_NULL_NULL:
++    case TLS_RSA_EXPORT_WITH_RC4_40_MD5:
++    case TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
++    case TLS_RSA_EXPORT_WITH_DES40_CBC_SHA:
++    case TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA:
++    case TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA:
++    case TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:
++    case TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:
++    case TLS_DH_anon_EXPORT_WITH_RC4_40_MD5:
++    case TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA:
++    case TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA:
++    case TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA:
++    case TLS_RSA_EXPORT1024_WITH_RC4_56_SHA:
++    case TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA:
++    case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
++#endif
+         return PR_TRUE;
+     default:
+         return PR_FALSE;
      }
-     return rv;
  }
  ....
My concert is that I'm not sure I am getting the list correctly. I'll attach the patch for Option B for your review.

Comment 13 Elio Maldonado Batiz 2015-02-20 17:27:10 UTC
Created attachment 994012 [details]
disable ssl2 and export ciphers -- ssl library part

Comment 14 Elio Maldonado Batiz 2015-02-20 17:30:44 UTC
Created attachment 994013 [details]
changes to nss.spec in patch format

Comment 15 Kai Engert (:kaie) (inactive account) 2015-02-20 23:06:18 UTC
(In reply to Elio Maldonado Batiz from comment #12)
> My concert is that I'm not sure I am getting the list correctly. I'll attach
> the patch for Option B for your review.

I guess the previous patch (attachment 988659 [details]) was incomplete, because you had only prevented SSL2 ciphers, but not export ciphers yet. So the new patch seems better.

In addition to SSL_IS_SSL2_CIPHER() that you were using, I found function SSL_IsExportCipherSuite. I understand you want to disable the union of both sets.

If you don't want to hardcode the full list, and avoid the risk that you potentially miss something, how about adding the following at the beginning of ssl_IsRemovedCipherSuite?

if (SSL_IS_SSL2_CIPHER(suite))
  return PR_TRUE;
if (SSL_IsExportCipherSuite(suite))
  return PR_TRUE;

(instead of adding ciphers to the switch)

Comment 16 Kai Engert (:kaie) (inactive account) 2015-02-20 23:19:11 UTC
Also, if it's your intention that your new #define controls more than just SSL2, then I wouldn't call it SSL2, but something that mentions both ssl2 and the export ciphers. Maybe NSS_NO_SSL2_NO_EXPORT

It seems that export ciphers are controlled by the SSL_NO_STEP_DOWN socket option.

In sslsock.c in array ssl_defaults, should the value of noStepDown be set to PR_TRUE?

Similar to your code that fails if someone attempts to set the socket option to enable SSL2, should you do the same if someone attempts to enable stepDown, by setting SSL_NO_STEP_DOWN to false?

Comment 17 Elio Maldonado Batiz 2015-02-23 02:55:40 UTC
Created attachment 994300 [details]
disable ssl2 and export cipher - libssl part

Incorporates Kai's suggestions on Comment 15 and Comment 16.

Comment 18 Elio Maldonado Batiz 2015-02-23 02:57:53 UTC
Created attachment 994301 [details]
disable ssl2 and export cipher - test/ssl part

Comment 19 Elio Maldonado Batiz 2015-02-23 02:59:37 UTC
Created attachment 994302 [details]
fix shell syntax errors in some tests scripts

Comment 20 Elio Maldonado Batiz 2015-02-23 03:01:37 UTC
Created attachment 994303 [details]
changes to nss.spec - in patch format

Comment 21 Elio Maldonado Batiz 2015-02-25 19:50:23 UTC
Comment on attachment 994303 [details]
changes to nss.spec - in patch format

I should state that I'm not sure that the change from
if [ ${NSS_BUILD_SOFTOKEN_ONLY} = "1" ]; then
to
if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then
is actually necessary.

Comment 22 Hubert Kario 2015-02-26 11:03:31 UTC
(In reply to Elio Maldonado Batiz from comment #21)
> Comment on attachment 994303 [details]
> changes to nss.spec - in patch format
> 
> I should state that I'm not sure that the change from
> if [ ${NSS_BUILD_SOFTOKEN_ONLY} = "1" ]; then
> to
> if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then
> is actually necessary.

the second will work correctly in bash if the variable is unset:
# unset NSS_BUILD_SOFTOKEN_ONLY
# if [ ${NSS_BUILD_SOFTOKEN_ONLY} = "1" ]; then echo yes; else echo no; fi
-bash: [: =: unary operator expected
no
# if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then echo yes; else echo no; fi
no

Comment 23 Jaroslav Reznik 2015-03-03 17:07:38 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22

Comment 24 Kai Engert (:kaie) (inactive account) 2015-03-03 21:34:03 UTC
Comment on attachment 994301 [details]
disable ssl2 and export cipher - test/ssl part

>+  SSLCOV=[ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] \
>+    && ${QADIR}/ssl/sslcov.noSSL2orExport.txt \
>+    || ${QADIR}/ssl/sslcov.txt
>   SSLAUTH=${QADIR}/ssl/sslauth.txt
>+  SSLSTRESS=[ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] \
>+    && ${QADIR}/ssl/sslstress.noSSL2orExport.txt \
>+    || ${QADIR}/ssl/sslstress.txt

Maybe it's just me, but I think this is difficult to read.
It's up to you, but I'd prefer a simpler approach:

if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ]; then
  SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt
  SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt
else
  SSLCOV=${QADIR}/ssl/sslcov.txt
  SSLSTRESS=${QADIR}/ssl/sslstress.txt
fi


r+ with or without this change

Comment 25 Kai Engert (:kaie) (inactive account) 2015-03-03 21:37:48 UTC
Comment on attachment 994300 [details]
disable ssl2 and export cipher - libssl part

>+ifdef NSS_NO_SSL2_NO_EXPORT
>+DEFINES += -DNSS_NO_SSL2
>+endif

Is the define correct, or do you want the following?

DEFINES += -DNSS_NO_SSL2_NO_EXPORT

Rest looks good, r+ with this kept or fixed, as required.

Comment 26 Elio Maldonado Batiz 2015-03-03 21:49:32 UTC
(In reply to Kai Engert (:kaie) from comment #24)
> Comment on attachment 994301 [details]
I agree, your version is easier to to read.

Comment 27 Elio Maldonado Batiz 2015-03-03 21:52:06 UTC
(In reply to Kai Engert (:kaie) from comment #25)
>+ifdef NSS_NO_SSL2_NO_EXPORT
>+DEFINES += -DNSS_NO_SSL2
>+endif

Oops, I forgot to change that one.

> Is the define correct, or do you want the following?
> 
> DEFINES += -DNSS_NO_SSL2_NO_EXPORT
> 
Yes, that the one we want.

Comment 28 Fedora Update System 2015-03-04 00:21:23 UTC
nss-3.17.4-5.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/nss-3.17.4-5.fc22

Comment 29 Fedora Update System 2015-03-04 21:09:26 UTC
Package nss-3.17.4-5.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing nss-3.17.4-5.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-3142/nss-3.17.4-5.fc22
then log in and leave karma (feedback).

Comment 30 Fedora Update System 2015-03-09 08:31:25 UTC
nss-3.17.4-5.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.