Description of problem:
If Condor is configured to use SSL authorization, client and server negotiate a cipher for symmetric encryption after the handshake, for example TLS_RSA_WITH_AES_256_CBC_SHA, but Condor uses 3DES after the SSL handshake no matter which cipher was handshaked.

Client hello - cipher list:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_SEED_CBC_SHA, TLS_DHE_DSS_WITH_SEED_CBC_SHA, TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_SEED_CBC_SHA, TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV

Server hello - cipher list:
TLS_RSA_WITH_AES_256_CBC_SHA

Version-Release number of selected component (if applicable):
condor-7.6.5-0.12

How reproducible:
100%

Steps to Reproduce:
1. install condor
2. set configuration below
3. use your favorite packet sniffer to analyze Condor network activity

Actual results:
Condor uses 3DES instead of the handshaked cipher.

Expected results:
Condor will use openssl (on Linux) for the SSL handshake and also for symmetric communication after the handshake. Condor will not use 3DES after the SSL handshake for SSL connections. Condor will use 3DES via the openssl library only if it is handshaked by client and server via the SSL handshake.
Additional info:
Configuration:

ALL_DEBUG=D_PRIV | D_NETWORK | D_SECURITY
ABORT_ON_EXCEPTION=true

#restrict ports for easier sniffing
IN_LOWPORT=40000
IN_HIGHPORT=41000
#client
OUT_LOWPORT=60000
OUT_HIGHPORT=61000

#disable authorization
ALLOW_READ=*
ALLOW_WRITE=*
ALLOW_ADMINISTRATOR=*
ALLOW_CONFIG=*
ALLOW_SOAP=*
ALLOW_OWNER=*
ALLOW_NEGOTIATOR=*
ALLOW_DAEMON=*
ALLOW_ADVERTISE_MASTER=*
ALLOW_ADVERTISE_STARTD=*
ALLOW_ADVERTISE_SCHEDD=*
ALLOW_CLIENT=*

#integrity clear
SEC_DEFAULT_INTEGRITY=NEVER
SEC_CLIENT_INTEGRITY=NEVER
SEC_READ_INTEGRITY=NEVER
SEC_WRITE_INTEGRITY=NEVER
SEC_ADMINISTRATOR_INTEGRITY=NEVER
SEC_CONFIG_INTEGRITY=NEVER
SEC_OWNER_INTEGRITY=NEVER
SEC_DAEMON_INTEGRITY=NEVER
SEC_NEGOTIATOR_INTEGRITY=NEVER
SEC_ADVERTISE_MASTER_INTEGRITY=NEVER
SEC_ADVERTISE_STARTD_INTEGRITY=NEVER
SEC_ADVERTISE_SCHEDD_INTEGRITY=NEVER

#encryption clear
SEC_DEFAULT_ENCRYPTION=NEVER
SEC_CLIENT_ENCRYPTION=NEVER
SEC_READ_ENCRYPTION=NEVER
SEC_WRITE_ENCRYPTION=NEVER
SEC_ADMINISTRATOR_ENCRYPTION=NEVER
SEC_CONFIG_ENCRYPTION=NEVER
SEC_OWNER_ENCRYPTION=NEVER
SEC_DAEMON_ENCRYPTION=NEVER
SEC_NEGOTIATOR_ENCRYPTION=NEVER
SEC_ADVERTISE_MASTER_ENCRYPTION=NEVER
SEC_ADVERTISE_STARTD_ENCRYPTION=NEVER
SEC_ADVERTISE_SCHEDD_ENCRYPTION=NEVER

SEC_DEFAULT_CRYPTO_METHODS=3DES
SEC_CLIENT_CRYPTO_METHODS=3DES
SEC_READ_CRYPTO_METHODS=3DES
SEC_WRITE_CRYPTO_METHODS=3DES
SEC_ADMINISTRATOR_CRYPTO_METHODS=3DES
SEC_CONFIG_CRYPTO_METHODS=3DES
SEC_OWNER_CRYPTO_METHODS=3DES
SEC_DAEMON_CRYPTO_METHODS=3DES
SEC_NEGOTIATOR_CRYPTO_METHODS=3DES
SEC_ADVERTISE_MASTER_CRYPTO_METHODS=3DES
SEC_ADVERTISE_STARTD_CRYPTO_METHODS=3DES
SEC_ADVERTISE_SCHEDD_CRYPTO_METHODS=3DES

#authentication
SEC_DEFAULT_AUTHENTICATION=REQUIRED
SEC_CLIENT_AUTHENTICATION=REQUIRED
SEC_READ_AUTHENTICATION=REQUIRED
SEC_WRITE_AUTHENTICATION=REQUIRED
SEC_ADMINISTRATOR_AUTHENTICATION=REQUIRED
SEC_CONFIG_AUTHENTICATION=REQUIRED
SEC_OWNER_AUTHENTICATION=REQUIRED
SEC_DAEMON_AUTHENTICATION=REQUIRED
SEC_NEGOTIATOR_AUTHENTICATION=REQUIRED
SEC_ADVERTISE_MASTER_AUTHENTICATION=REQUIRED
SEC_ADVERTISE_STARTD_AUTHENTICATION=REQUIRED
SEC_ADVERTISE_SCHEDD_AUTHENTICATION=REQUIRED

#auth method
SEC_DEFAULT_AUTHENTICATION_METHODS=SSL
SEC_CLIENT_AUTHENTICATION_METHODS=SSL
SEC_READ_AUTHENTICATION_METHODS=SSL
SEC_WRITE_AUTHENTICATION_METHODS=SSL
SEC_ADMINISTRATOR_AUTHENTICATION_METHODS=SSL
SEC_CONFIG_AUTHENTICATION_METHODS=SSL
SEC_OWNER_AUTHENTICATION_METHODS=SSL
SEC_DAEMON_AUTHENTICATION_METHODS=SSL
SEC_NEGOTIATOR_AUTHENTICATION_METHODS=SSL
SEC_ADVERTISE_MASTER_AUTHENTICATION_METHODS=SSL
SEC_ADVERTISE_STARTD_AUTHENTICATION_METHODS=SSL
SEC_ADVERTISE_SCHEDD_AUTHENTICATION_METHODS=SSL

#ssl
AUTH_SSL_SERVER_CAFILE=/root/certs/ca.crt
AUTH_SSL_CLIENT_CAFILE=/root/certs/ca.crt
AUTH_SSL_SERVER_CADIR=/root/certs/
AUTH_SSL_CLIENT_CADIR=/root/certs/
AUTH_SSL_CLIENT_CERTFILE=/root/certs/client.crt
AUTH_SSL_SERVER_CERTFILE=/root/certs/server.crt
AUTH_SSL_CLIENT_KEYFILE=/root/certs/client.key
AUTH_SSL_SERVER_KEYFILE=/root/certs/server.key
Response from upstream:

zmiller: to be clear, this was the intended behavior. SSL is used for authentication only. (fyi, condor can also use blowfish. but no ciphers other than 3DES and blowfish are supported at this point. i believe this is documented as such in the SEC_DEFAULT_ENCRYPTION_METHODS section. also, ian alderman added support for some additional features which sadly never got merged to the master branch. perhaps it's time to revisit that)

tannenba: FWIW, the reasoning/justification for this approach is described in this research paper: http://research.cs.wisc.edu/condor/doc/flexible_sessions.pdf

-------------------------------------------------------

It looks like this is not a bug at all... I'm going to mark as needinfo to allow a response.
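The practical consequence of the upstream reply is that the cipher a sniffer sees in the TLS handshake says nothing about how a Condor session is protected: SSL only authenticates, and the session cipher comes from the SEC_*_CRYPTO_METHODS and SEC_*_ENCRYPTION settings in the configuration above. The following audit script is an added example, not code from this bug report or from the Condor project. It parses a configuration in the KEY=VALUE form shown in the report, resolves each access level's setting with a fallback to the corresponding SEC_DEFAULT_* key (the naming used in the report; the fallback order is an assumption taken from that naming), and reports the effective session cipher per level. The embedded SAMPLE_CONFIG is a constructed, shortened copy of the report's configuration with the DAEMON level changed so the fallback is visible; the 64-bit block size of 3DES and Blowfish is a general fact, not something the report states, and $(MACRO) expansion is not implemented.

```python
"""Audit a Condor-style security configuration for the behaviour in the report.

Added example, not code from the bug report or the Condor project. It parses
KEY = VALUE lines, resolves per-access-level SEC_<LEVEL>_* settings with a
fallback to SEC_DEFAULT_* (assumed from the naming used in the report), and
reports which symmetric cipher each access level would use for its session.
"""

ACCESS_LEVELS = (
    "CLIENT", "READ", "WRITE", "ADMINISTRATOR", "CONFIG", "OWNER", "DAEMON",
    "NEGOTIATOR", "ADVERTISE_MASTER", "ADVERTISE_STARTD", "ADVERTISE_SCHEDD",
)

# Session ciphers the upstream reply says this version supports.
SUPPORTED_SESSION_CIPHERS = {"3DES", "BLOWFISH"}
# Both are 64-bit block ciphers (general fact, not stated in the report).
SMALL_BLOCK_CIPHERS = {"3DES", "BLOWFISH"}

# Constructed sample: a shortened copy of the report's configuration, with the
# DAEMON level changed so the SEC_DEFAULT_* fallback is visible.
SAMPLE_CONFIG = """
# restrict ports for easier sniffing
IN_LOWPORT = 40000
IN_HIGHPORT = 41000
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = SSL
SEC_DEFAULT_ENCRYPTION = NEVER
SEC_DEFAULT_CRYPTO_METHODS = 3DES
SEC_DAEMON_ENCRYPTION = REQUIRED           # changed from the report
SEC_DAEMON_CRYPTO_METHODS = BLOWFISH,3DES  # changed from the report
AUTH_SSL_SERVER_CAFILE = /root/certs/ca.crt
"""


def parse_condor_config(text):
    """Parse 'KEY = VALUE' lines; '#' starts a comment, keys are case-insensitive.
    $(MACRO) expansion is deliberately not implemented."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip().upper()] = value.strip()
    return cfg


def effective(cfg, level, suffix):
    """SEC_<LEVEL>_<suffix> if set, else SEC_DEFAULT_<suffix>, else None."""
    return cfg.get(f"SEC_{level}_{suffix}", cfg.get(f"SEC_DEFAULT_{suffix}"))


def _split_list(value):
    """Turn a comma-separated setting into a normalised list of names."""
    return [item.strip().upper() for item in (value or "").split(",") if item.strip()]


def audit_level(cfg, level):
    """Return the effective security settings for one access level plus findings."""
    auth_methods = _split_list(effective(cfg, level, "AUTHENTICATION_METHODS"))
    session_ciphers = _split_list(effective(cfg, level, "CRYPTO_METHODS"))
    raw_encryption = effective(cfg, level, "ENCRYPTION")
    encryption = raw_encryption.upper() if raw_encryption else "(unset)"
    findings = []
    if "SSL" in auth_methods:
        findings.append("SSL is used for authentication only; the TLS handshake "
                        "cipher does not protect the session")
    if encryption == "NEVER":
        findings.append("session encryption disabled (ENCRYPTION=NEVER)")
    for cipher in session_ciphers:
        if cipher not in SUPPORTED_SESSION_CIPHERS:
            findings.append(f"{cipher} is not a supported session cipher here")
        elif cipher in SMALL_BLOCK_CIPHERS:
            findings.append(f"session cipher {cipher} has a 64-bit block size")
    return {
        "level": level,
        "auth_methods": auth_methods,
        "encryption": encryption,
        "session_ciphers": session_ciphers,
        "findings": findings,
    }


def audit_config(text):
    """Audit every access level; returns a list of per-level result dicts."""
    cfg = parse_condor_config(text)
    return [audit_level(cfg, level) for level in ACCESS_LEVELS]


if __name__ == "__main__":
    for result in audit_config(SAMPLE_CONFIG):
        print(f"{result['level']:>17}: auth={','.join(result['auth_methods'])} "
              f"encryption={result['encryption']} "
              f"session={','.join(result['session_ciphers']) or '-'}")
        for finding in result["findings"]:
            print(f"{'':>19}- {finding}")
```

Run against the report's full configuration, every level comes out with SSL authentication, ENCRYPTION=NEVER and 3DES as the only session cipher, which is the state the packet capture in the report reflects; the script is a way to read that off the configuration without a sniffer.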