Bug 1487607 - openssl: doesn't apply all aspects of crypto policies
Summary: openssl: doesn't apply all aspects of crypto policies
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: openssl
Version: 28
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: 1527031 1591619
TreeView+ depends on / blocked
 
Reported: 2017-09-01 11:39 UTC by Ondřej Lysoněk
Modified: 2018-08-13 15:20 UTC (History)
6 users (show)

(edit)
Clone Of:
: 1591619 1614719 (view as bug list)
(edit)
Last Closed: 2018-08-13 15:20:16 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Github openssl openssl issues 4962 None None None 2018-01-02 09:25 UTC
Github openssl openssl pull 4848 None None None 2017-12-19 11:46 UTC

Description Ondřej Lysoněk 2017-09-01 11:39:00 UTC
Description of problem:
In the description of the FUTURE profile in the crypto policy system wide change (https://fedoraproject.org/wiki/Changes/CryptoPolicy), as well as in the FUTURE.pl source file (https://gitlab.com/nmav/fedora-crypto-policies/blob/master/back-ends/profiles/FUTURE.pl#L15), it says that only protocols TLS1.2+ are allowed. However it seems that is not true for OpenSSL. TLS1.1 works just fine with FUTURE applied.

Version-Release number of selected component (if applicable):
crypto-policies-20160921-4.gitf3018dd.fc25.noarch

Steps to Reproduce:
1. On server run:
# openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out cert.pem
# echo FUTURE > /etc/crypto-policies/config
# update-crypto-policies
# openssl s_server -key key.pem -cert cert.pem  -accept 8000 -cipher 'PROFILE=SYSTEM'
2. On client run:
# openssl s_client  -connect server:8000 -tls1_1

Actual results:
The client connects.

Expected results:
The client should not connect.

Comment 1 Nikos Mavrogiannopoulos 2017-09-06 08:34:46 UTC
This is unfortunately a known issue that we are trying to address. Currently the openssl library doesn't provide any knobs for us to use to disable the protocol for multiple applications.

Comment 2 Ondřej Lysoněk 2017-09-06 09:43:25 UTC
I thought so. Could you document it as a known issue until it's fixed? I didn't see any note about it anywhere.

Comment 3 Nikos Mavrogiannopoulos 2017-12-19 12:00:18 UTC
re-titled for clarity. In short what we need from openssl to provide the strong system-wide defaults are:
 * Be able to configure protocol version system-wide
 * Be able to configure limits on RSA/FFDHE algorithms
 * Be able to configure allowed curves for key exchange

Comment 4 Petr Pisar 2018-01-08 16:38:22 UTC
It seems openssl tool even does not honor DEFAULT cipher list by default (openssl-1.1.0g-2.fc28.x86_64). As expected, this fails to connect because DEFAULT does not contain DES-CBC3-SHA required by the server:

$ openssl s_client -connect www.halstead.com:443 -cipher DEFAULT

But this surprisingly connects:

$ openssl s_client -connect www.halstead.com:443

In my opinion these two commands should behave identically.

Comment 5 Tomas Mraz 2018-01-08 17:07:38 UTC
No, if you explicitly specify DEFAULT, it uses the built-in library default and does not apply crypto policies.

Comment 6 Nikos Mavrogiannopoulos 2018-01-09 07:15:34 UTC
(In reply to Tomas Mraz from comment #5)
> No, if you explicitly specify DEFAULT, it uses the built-in library default
> and does not apply crypto policies.

Right. 3DES-CBC will be removed from the crypto policies on F28
https://fedoraproject.org/wiki/Changes/StrongCryptoSettings

Comment 7 Petr Pisar 2018-01-09 07:53:04 UTC
Ok. OpenSSL's DEFAULT and crypto-policy's DEFAULT are two different defaults. I understand.

Is DES-CBC3 and 3DES-CBC the same ciphersuite? I don't think. DES has already been excluded from crypto-policy's DEFAULT, yet:

$ openssl ciphers | tr ':' "\n" |grep '^DES-CBC3-SHA$'
DES-CBC3-SHA

and the openssl s_client without explic -cipher arguemnt succeeds. Why?

Comment 8 Nikos Mavrogiannopoulos 2018-01-09 08:02:08 UTC
(In reply to Petr Pisar from comment #7)
> Ok. OpenSSL's DEFAULT and crypto-policy's DEFAULT are two different
> defaults. I understand.
> 
> Is DES-CBC3 and 3DES-CBC the same ciphersuite? 

Yes. DES-CBC3 it's openssl's way of saying 3DES-CBC.

Comment 9 Jan Kurik 2018-02-20 15:43:30 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle.
Changing version to '28'.


Note You need to log in before you can comment on or make changes to this bug.