IETF Logo Mail Archive

Re: [TLS] The risk of misconfiguration

Watson Ladd <watsonbladd@gmail.com> Wed, 07 May 2014 01:08 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90DCD1A045F for <tls@ietfa.amsl.com>; Tue, 6 May 2014 18:08:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZrgAXPc2MRVL for <tls@ietfa.amsl.com>; Tue, 6 May 2014 18:08:57 -0700 (PDT)
Received: from mail-yh0-x236.google.com (mail-yh0-x236.google.com [IPv6:2607:f8b0:4002:c01::236]) by ietfa.amsl.com (Postfix) with ESMTP id E46781A03F8 for <tls@ietf.org>; Tue, 6 May 2014 18:08:56 -0700 (PDT)
Received: by mail-yh0-f54.google.com with SMTP id i57so272947yha.13 for <tls@ietf.org>; Tue, 06 May 2014 18:08:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=jCt8/K0JFeKHpXOsrmJLWYprLTNIl79pPfu3SKmhv4I=; b=eBg0DwomjGx0wdBT9jvkjr40sq42/Kf3YIM2oMf0aFxp0WKu1EMeLpAvpCe3zSwC+V yTX9pNX3V3bbo5ZSsWM4OAwf7uz4LcB+8EzhsgyaiBNPFuy2c+yPGmMyHZfLYrbtp4Ky DbWqLhM1QagzMUxX9FONNRdkHz6foRFa0pjPA6fSP0ltgF5ATfUUZ6UAJ3itq8u4rQEx fhLxHOfA+xpjvx0JzI5MhGqaVUZpshYnhJ34PI/viJTRQIb4WmJiR7l0CqB0M9yvkELd lixHGOU/amFVWWPjRMzfgmuh2bMkC7vLpR0/tawzYXgVaqEKWF0bGiumEf49uyhChSrI J81g==
MIME-Version: 1.0
X-Received: by 10.236.137.8 with SMTP id x8mr61821389yhi.4.1399424932898; Tue, 06 May 2014 18:08:52 -0700 (PDT)
Received: by 10.170.63.197 with HTTP; Tue, 6 May 2014 18:08:52 -0700 (PDT)
In-Reply-To: <20140507002452.GH27883@mournblade.imrryr.org>
References: <CACsn0cnvV9c5aH5p8cD1fJEzF4dmNXBaEaHCfkX82AZqKOUYaQ@mail.gmail.com> <53692FC2.1060009@akr.io> <20140506221344.GB27883@mournblade.imrryr.org> <536977E3.3000608@akr.io> <20140507002452.GH27883@mournblade.imrryr.org>
Date: Tue, 06 May 2014 18:08:52 -0700
Message-ID: <CACsn0ck5UtC9T1ktgAiWimWAxBPNoANfOEB8MOF9CfQLCMgSHw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/xul6CP7xo_yR6yEYGrH80GLi5dg
Subject: Re: [TLS] The risk of misconfiguration
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 May 2014 01:08:59 -0000

On Tue, May 6, 2014 at 5:24 PM, Viktor Dukhovni
<viktor1dane@dukhovni.org> wrote:
> On Wed, May 07, 2014 at 01:01:39AM +0100, Alyssa Rowan wrote:
>
>> > The OpenSSL cipherlist is
>>
>> ...um. The word I'd use would be: hairy.
>>
>> In practice, unfortunately way too hairy for the average developer;
>> whence passing the buck to the average end-user; whence the average
>> end-user taking the cipherlist as copypasta from the first Google
>> result they found that actually worked.
>>
>> We've all seen the end results.
>
> We must not confuse implementation user-interface issues with
> protocol issues.  The protocol supports many different use-cases.
> Interfaces for cipher selection in implementations are not protocol
> issues.  The OpenSSL cipherlist interface is beginning to get some
> attention.  That issue belongs on openssl-dev@openssl.org, not
> tls@ietf.org.

Agreed, but it's an example of the hazard that insecure modes present.
OpenSSL is not an outlier: with 100+ possible ciphersuites, with
strange omissions and inclusions, and completely lacking information
about which curve to use, designing a good configuration system to
pick TLS ciphersuites is hard. PolarSSL takes the exact opposite tack,
forcing users to subset a single preference order. It is entirely
possible that legitimately desired ciphersuites cannot be chosen in
PolarSSL: I know they cannot be reordered.

No matter how the choice is presented to end-users or application
developers, so long as it is possible to misconfigure TLS, it will be
misconfigured. You can blame the end user or the programmer or the
library writer all you want, but unless a library is willing to forgo
supporting null ciphers, they will be used inadvertently. Why include
something that should virtually never be used, when using it has bad
consequences?

We've recognized the need for guidance on how to use TLS, hence
formation of UTA. We're punting on implementation, although I recently
got an email about the C standards body wanting to standardize APIs
for networks, which, if they included TLS with a sane API would be
wonderful. But the complexity that OpenSSL reveals is real: there is
no way to support all possible combinations of ciphersuites without
something this nasty to pick between them.

Sincerely,
Watson Ladd



> --
>         Viktor.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email