[TLS] The risk of misconfiguration
Watson Ladd <watsonbladd@gmail.com> Tue, 06 May 2014 18:48 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAD271A0234 for <tls@ietfa.amsl.com>; Tue, 6 May 2014 11:48:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p-hmpth1wbbs for <tls@ietfa.amsl.com>; Tue, 6 May 2014 11:48:30 -0700 (PDT)
Received: from mail-yh0-x231.google.com (mail-yh0-x231.google.com [IPv6:2607:f8b0:4002:c01::231]) by ietfa.amsl.com (Postfix) with ESMTP id 989701A01BB for <tls@ietf.org>; Tue, 6 May 2014 11:48:30 -0700 (PDT)
Received: by mail-yh0-f49.google.com with SMTP id c41so1053497yho.22 for <tls@ietf.org>; Tue, 06 May 2014 11:48:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=/LqpE6bYVZ/i03Ub/dZtPSupKgwFpE+qVZYvb2MG8ug=; b=hm8fzeOhhTG5wD8tsWaQZTo2kuDjFKvI1rBpCZr/FIsUdKBartT+ZQ7jF806WPS4N9 5s1XXpLw/YGcIOPvSkXG1wL5hJANZlRrjrOikSR1Om7P3GNBj9zKtm8cn4YxAGLUPA7G Xq8uZyDbdDAQGoTGk/uLwJj8EOwxI4+XjN1cBBGV6v6o4C0GBV0vwjm4umX8NZbYB0rV Fw5fROilEzTRjlmM0FGfHUP8WcbAD0lL+rdmUH0fphZBgeb4kLzGhMD9vgefox3MMB2F VlRx77qeRtDlU8dFPSYVj7ZP6wS3DpTfJnT/DLFe8VQIHslZyWX9f37CFbm47aYZNSIL Vzcw==
MIME-Version: 1.0
X-Received: by 10.236.137.8 with SMTP id x8mr59487795yhi.4.1399402106697; Tue, 06 May 2014 11:48:26 -0700 (PDT)
Received: by 10.170.63.197 with HTTP; Tue, 6 May 2014 11:48:26 -0700 (PDT)
Date: Tue, 06 May 2014 11:48:26 -0700
Message-ID: <CACsn0cnvV9c5aH5p8cD1fJEzF4dmNXBaEaHCfkX82AZqKOUYaQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/Rzn1wQdlva-2Rv63v-c8s6fAdak
Subject: [TLS] The risk of misconfiguration
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 May 2014 18:48:32 -0000
Dear all, Do you know what your TLS configurations mean? If you use OpenSSL, probably not: apparently "HIGH" enables ADH ciphersuites. It does so before permitting AES128 with an authenticated ECDHE exchange. Sorting by strength puts DES ahead of AES128: I've got no idea how that happened. (Yes, DES: 3DES is indicated differently. Maybe it is really 3DES, but even so...). I haven't found the email yet, but someone indicated they saw this in the wild on the list, actually leading to ADH happening due to an interaction between this and another borked configuration. I've sort of singled out OpenSSL here. PolarSSL uses compile-time configuration, which in some circumstances doesn't work, but it at least provides a somewhat sensible configuration depending on how you build it.I've not looked at GnuTLS yet, or cryptlib. Actually configuring OpenSSL to do something reasonable requires writing something like EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5. Good luck coming up with that when you are overly busy, don't realize that asking for high security doesn't actually do what you want, and don't know anything about crypto. Part of the issue is that we've enabled dangerous options like NULL ciphers and anonymous DH, which very, very few people should ever use. The other part of the issue is software quality. But a third part of the issue is the lack of guidance, which UTA was supposedly going to address. So how do we fix this? Well, one thing we can do is ensure that the least secure options are reasonably secure, so if they are enabled it isn't a disaster. Authentication-only ciphersuites fail that test. I appreciate the performance issue, and yes, sometimes you don't need encryption. But I think the number of people who accidentally enabled ADH is an order of magnitude more than those who actually wanted it. Sincerely, Watson Ladd
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Watson Ladd
- [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Alyssa Rowan
- Re: [TLS] The risk of misconfiguration James Cloos
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Andrei Popov
- Re: [TLS] The risk of misconfiguration Alyssa Rowan
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Ralph Holz
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Fedor Brunner
- Re: [TLS] The risk of misconfiguration Nikos Mavrogiannopoulos
- Re: [TLS] The risk of misconfiguration Warren Kumari
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Michael D'Errico
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Michael D'Errico
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Alyssa Rowan
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] Fingerprinting weaknesses (was: The ris… Alyssa Rowan
- Re: [TLS] Fingerprinting weaknesses (was: The ris… Salz, Rich
- Re: [TLS] The risk of misconfiguration Alyssa Rowan
- Re: [TLS] Fingerprinting weaknesses (was: The ris… Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] Fingerprinting weaknesses (was: The ris… Nico Williams
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] Fingerprinting weaknesses (was: The ris… Watson Ladd
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] Fingerprinting weaknesses (was: The ris… Nico Williams
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Salz, Rich
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Manuel Pégourié-Gonnard
- Re: [TLS] The risk of misconfiguration Yoav Nir
- Re: [TLS] The risk of misconfiguration Salz, Rich
- Re: [TLS] The risk of misconfiguration Martin Rex
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Martin Thomson
- Re: [TLS] The risk of misconfiguration Stephen Farrell
- Re: [TLS] The risk of misconfiguration Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] The risk of misconfiguration Manuel Pégourié-Gonnard
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Russ Housley
- Re: [TLS] The risk of misconfiguration Bill Frantz
- Re: [TLS] The risk of misconfiguration Michael D'Errico
- Re: [TLS] The risk of misconfiguration Daniel Kahn Gillmor
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration (Muphry's … Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Stephen Farrell
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni