Re: [TLS] The risk of misconfiguration
Viktor Dukhovni <viktor1dane@dukhovni.org> Thu, 08 May 2014 16:05 UTC
Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 912A71A0075 for <tls@ietfa.amsl.com>; Thu, 8 May 2014 09:05:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TsEZfQz-Cknu for <tls@ietfa.amsl.com>; Thu, 8 May 2014 09:05:45 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) by ietfa.amsl.com (Postfix) with ESMTP id A7F331A006B for <tls@ietf.org>; Thu, 8 May 2014 09:05:45 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id E49EF2AAA03; Thu, 8 May 2014 16:05:39 +0000 (UTC)
Date: Thu, 08 May 2014 16:05:39 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: "tls@ietf.org" <tls@ietf.org>
Message-ID: <20140508160539.GS27883@mournblade.imrryr.org>
References: <CAK3OfOggV5J6Y+2OSpbjrMDbEdkRxFTD5MX3zzyYKouNmJznUQ@mail.gmail.com> <20140508144414.2D6E71ACFB@ld9781.wdf.sap.corp>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20140508144414.2D6E71ACFB@ld9781.wdf.sap.corp>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/9siUk5cmYyx7It8Qe7sNFvhpp9g
Subject: Re: [TLS] The risk of misconfiguration
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 May 2014 16:05:51 -0000
On Thu, May 08, 2014 at 04:44:14PM +0200, Martin Rex wrote: > The problem with unsolicited DH_anon cipher suites being available to > an unsuspecting application is that it may easily allow bypassing of > the check of the server certificate depending on the API architecture > of the SSL stack and how it is used by the application. We're back to implementation issues, which should be addressed by implementations. In OpenSSL for example the "DEFAULT" cipher-suite omits anonymous cipher-suites. Non-default cipher-suites are configured by the application. The Postfix SMTP client, for example, automatically appends ":!aNULL" to the application-administrator configured cipher-suite when it wants to elicit a certificate from the remote SMTP server. The Postfix SMTP server automatically appends ":!aNULL" when it wants to solicit a client certificate from the remote SMTP client. This is not rocket science. If you want to add similar safety measures in new high-level APIs, that's fine. I still see no reason to neuter the protocol. > Configurability of cipher suites (such as HIGH) for administrators > MUST NOT allow enabling of DH_anon cipher suites, because this is > a request _by_the_administrator_, and not _by_the_application_. The OpenSSL domain-specific-language for specifying cipher-lists provides a set of elementary properties that can be use to construct cipher lists by combining atoms with "+" (AND) and combining those with ":" (OR), with special semantics for leading "-" and "!". It is somewhat unfortunate that some think of "HIGH" as a way of specifying high security, all it does is select symmetric algorithms with long keys. This is a user-interface issue. There is new code in master that provides security levels, rather than cipher-suite list building blocks. > DH_anon cipher suites should only be made available, if at all, > when the application *CODE* explicitly calls a non-standard > API call that signals to the TLS stack, that the application code > knows about the resulting semantics and can properly deal with > the resulting behaviour. Still not a reason to remove these from the protocol. > I also believe that the current behaviour of OpenSSL, to enable DH_anon > cipher suites when the cipher suite configuration string "HIGH" is > used, is extremely unsafe. I doubt you don't understand "HIGH", so you're likely alluding to the fact that many others might not. That's fine, OpenSSL ciphersuite configuration is too difficult for most users, that's an API issue and an application design issue (when applications simply pass the buck to the user). > DH_anon have two more serious drawbacks compared to ignoring an untrusted > server certificate: the client can not even "pin" the server's certificate > for future connections to the same server (i.e. only an initial leap-of-faith), > and it completely precludes the use of a client certificate to authenticate > the client to the server. Not much use if the application has no code for pinning and no mechanisms to interact with a "user" when pins fail. > My very personal opinion is that DH_anon cipher suites are pure bloat > without value. We do not even implement them in our TLS implementation. Right more "I don't use it, so out it goes". The protocol and many of its implementations are general purpose and serve many use-cases. Custom implementations that make different trade-offs are fine, but are not a valid rationale for neutering the protocol or all implementations. > But I'm OK with what rfc5246 says about them in the paragraph quoted above. > Implementors can just leave them away from their implementations, and > the consumers will be *MUCH* better of with the result. This is certainly true in application-specific products, less so in general-purpose libraries. > I do not see the value in making this availble for an extremely small > group of experts like Nico who could devise niche usage scenarios where > _they_ could operate them safely with hand-selected and manually hardened > application software, compared to the inherent danger to the large > unwashed masses (of consumers and app-software). Well, GSSAPI with channel-binding and without certs is not so exotic. Nor is opportunistic TLS in MTAs. I think it is quite clear that removing ADH and AECDH is an overzealous reaction to heartbleed. If there are concerns about interface safety in particular implementations, they need to be addressed in the right place. (Sometimes in applications rather than in libraries, in which case the library documentation may need to provide better application guidance). -- Viktor.
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Watson Ladd
- [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Alyssa Rowan
- Re: [TLS] The risk of misconfiguration James Cloos
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Andrei Popov
- Re: [TLS] The risk of misconfiguration Alyssa Rowan
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Ralph Holz
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Fedor Brunner
- Re: [TLS] The risk of misconfiguration Nikos Mavrogiannopoulos
- Re: [TLS] The risk of misconfiguration Warren Kumari
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Michael D'Errico
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Michael D'Errico
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Alyssa Rowan
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] Fingerprinting weaknesses (was: The ris… Alyssa Rowan
- Re: [TLS] Fingerprinting weaknesses (was: The ris… Salz, Rich
- Re: [TLS] The risk of misconfiguration Alyssa Rowan
- Re: [TLS] Fingerprinting weaknesses (was: The ris… Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] Fingerprinting weaknesses (was: The ris… Nico Williams
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] Fingerprinting weaknesses (was: The ris… Watson Ladd
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] Fingerprinting weaknesses (was: The ris… Nico Williams
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Salz, Rich
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Manuel Pégourié-Gonnard
- Re: [TLS] The risk of misconfiguration Yoav Nir
- Re: [TLS] The risk of misconfiguration Salz, Rich
- Re: [TLS] The risk of misconfiguration Martin Rex
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Martin Thomson
- Re: [TLS] The risk of misconfiguration Stephen Farrell
- Re: [TLS] The risk of misconfiguration Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] The risk of misconfiguration Manuel Pégourié-Gonnard
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Russ Housley
- Re: [TLS] The risk of misconfiguration Bill Frantz
- Re: [TLS] The risk of misconfiguration Michael D'Errico
- Re: [TLS] The risk of misconfiguration Daniel Kahn Gillmor
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration (Muphry's … Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Stephen Farrell
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni