Re: Question about TLS 1.3 and openssl -cipher aNULL option
On Thu, Sep 03, 2020 at 11:45:28PM +, Yury Mazin via openssl-users wrote:
> Hello,
>
> We have a server that was originally using OpenSSL 1.0.2h.
> Server is configured to use SSL ciphers as following
> ALL:!aNULL:!ADH:!EDH:!eNULL:!EXPORT
> When openssl client tries to connect to this server with command
> openssl s_client -connect localhost:8101 -cipher aNULL
> it fails, because any aNULL ciphers are not available per server
> configuration.
> We have now upgraded server to use OpenSSL 1.1.1f.
> The current behavior is this: client can connect using the same command
> openssl s_client -connect localhost:8101 -cipher aNULL
> or
> openssl s_client -tls1_3 -connect localhost:8101 -cipher aNULL
>
> while the same connect attempt using TLS1.2 protocol would still fail
>
> openssl s_client -tls1_2 -connect localhost:8001 -cipher aNULL
>
> Would the fact that I can connect to the server using TLS 1.3 using the
> following command (specifically, using -cipher aNULL, while server is
> configured to exclude all aNULL cipher suites) be considered a security
> violation?
>
> openssl s_client -tls1_3 -connect localhost:8001 -cipher aNULL
>
> Also, if this is a security violation, how can this be addressed in the
> server configuration?
> Lastly, if this is not a security violation, please explain.

It is not a security violation, because you are using TLS 1.3 ciphers, and
there are not any NULL-encryption TLS 1.3 ciphers. Configuration of TLS 1.3
ciphers and ciphers for previous versions of TLS are separate (since, at a
protocol level, they serve different roles). See the documentation for
s_client/s_server -ciphersuites for more information about TLS 1.3 ciphers.

-Ben
Re: Question about TLS 1.3 and openssl -cipher aNULL option
On Thu, Sep 03, 2020 at 11:45:28PM +, Yury Mazin via openssl-users wrote:
> We have a server that was originally using OpenSSL 1.0.2h. Server is
> configured to use SSL ciphers as following:
>
> ALL:!aNULL:!ADH:!EDH:!eNULL:!EXPORT
>
> When openssl client tries to connect to this server with command
>
> openssl s_client -connect localhost:8101 -cipher aNULL
>
> it fails, because any aNULL ciphers are not available per server
> configuration.

As expected.

> We have now upgraded server to use OpenSSL 1.1.1f. The current
> behavior is this: client can connect using the same command
>
> openssl s_client -connect localhost:8101 -cipher aNULL
> or
> openssl s_client -tls1_3 -connect localhost:8101 -cipher aNULL

The "-cipher" command affects only the TLS <= 1.2 à la carte ciphersuites,
but not the TLS 1.3 Chinese menu cipher list. So the TLS 1.3 ciphers remain
unaffected and these send a server certificate that the client ignores.

> while the same connect attempt using TLS1.2 protocol would still fail
>
> openssl s_client -tls1_2 -connect localhost:8001 -cipher aNULL

As expected.

> Would the fact that I can connect to the server using TLS 1.3 using
> the following command (specifically, using -cipher aNULL, while server
> is configured to exclude all aNULL cipher suites) be considered a
> security violation?

No. This is expected behaviour.

--
Viktor.
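The split that Ben and Viktor describe (the cipher string governs only the TLS <= 1.2 list, while the TLS 1.3 suites live in a separate list) can be checked without running a server. The following is an added example, not code from this thread or from the OpenSSL project: it uses the Python ssl module's bindings to OpenSSL (set_ciphers wraps SSL_CTX_set_cipher_list, get_ciphers wraps SSL_CTX_get_ciphers) with the two cipher strings from the question, and assumes a Python build against OpenSSL 1.1.1 or later with the anonymous (ADH/AECDH) suites compiled in.

```python
import ssl

# Added example, not code from the openssl-users thread. Requires Python
# built against OpenSSL 1.1.1+ (TLS 1.3) with anonymous suites available.

SERVER_CIPHER_STRING = "ALL:!aNULL:!ADH:!EDH:!eNULL:!EXPORT"  # server string from the thread
CLIENT_CIPHER_STRING = "aNULL"                                # the s_client -cipher argument


def ciphers_selected_by(cipher_string):
    """Return (tls13_names, legacy_names, anonymous_names) for a cipher string.

    The cipher string only governs the TLS <= 1.2 list. OpenSSL keeps the
    TLS 1.3 suites in a separate list (SSL_CTX_set_ciphersuites, the
    -ciphersuites option) and still reports them from get_ciphers(), which
    is also why they appear at the top of 'openssl ciphers -v <string>'.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    tls13, legacy, anonymous = [], [], []
    for cipher in ctx.get_ciphers():
        if cipher["protocol"] == "TLSv1.3":
            tls13.append(cipher["name"])
        else:
            legacy.append(cipher["name"])
        # OpenSSL's description line carries "Au=None" for unauthenticated
        # (aNULL) suites; TLS 1.3 suites carry "Au=any" instead.
        if "Au=None" in cipher["description"]:
            anonymous.append(cipher["name"])
    return tls13, legacy, anonymous


def explain(server_string=SERVER_CIPHER_STRING, client_string=CLIENT_CIPHER_STRING):
    """Compare what the server and client strings permit, per protocol."""
    s_tls13, s_legacy, s_anon = ciphers_selected_by(server_string)
    c_tls13, c_legacy, c_anon = ciphers_selected_by(client_string)
    return {
        # Empty: the '!aNULL' exclusion really removed every anonymous suite.
        "server_anonymous": s_anon,
        # True: 'aNULL' selects only unauthenticated TLS <= 1.2 suites.
        "client_legacy_all_anonymous": bool(c_legacy) and c_anon == c_legacy,
        # Empty: no common TLS 1.2 suite, so '-tls1_2 -cipher aNULL' fails.
        "shared_tls12_suites": sorted(set(s_legacy) & set(c_legacy)),
        # Non-empty: both sides keep the default TLS 1.3 suites, none of which
        # is anonymous, so '-tls1_3 -cipher aNULL' still completes.
        "shared_tls13_suites": [name for name in c_tls13 if name in s_tls13],
    }


if __name__ == "__main__":
    for key, value in explain().items():
        print(f"{key}: {value}")
```

The ssl module exposes no counterpart to SSL_CTX_set_ciphersuites(), so constraining the TLS 1.3 list has to be done with -ciphersuites on the command line or with the C API. For the question as asked there is nothing to constrain: every TLS 1.3 suite is an AEAD plus hash pairing, server authentication comes from the certificate and signature, not from the suite, so the server's "!aNULL" policy is still enforced in a TLS 1.3 handshake.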
Question about TLS 1.3 and openssl -cipher aNULL option
Hello,

We have a server that was originally using OpenSSL 1.0.2h.
Server is configured to use SSL ciphers as following
ALL:!aNULL:!ADH:!EDH:!eNULL:!EXPORT
When openssl client tries to connect to this server with command
openssl s_client -connect localhost:8101 -cipher aNULL
it fails, because any aNULL ciphers are not available per server
configuration.
We have now upgraded server to use OpenSSL 1.1.1f.
The current behavior is this: client can connect using the same command
openssl s_client -connect localhost:8101 -cipher aNULL
or
openssl s_client -tls1_3 -connect localhost:8101 -cipher aNULL

while the same connect attempt using TLS1.2 protocol would still fail

openssl s_client -tls1_2 -connect localhost:8001 -cipher aNULL

Would the fact that I can connect to the server using TLS 1.3 using the
following command (specifically, using -cipher aNULL, while server is
configured to exclude all aNULL cipher suites) be considered a security
violation?

openssl s_client -tls1_3 -connect localhost:8001 -cipher aNULL

Also, if this is a security violation, how can this be addressed in the
server configuration?
Lastly, if this is not a security violation, please explain.

Thank you,
Yury Mazin
Re: Testing
On 2020-09-03 12:25, Marc Roos wrote:
> Why are you defending amazon? Everyone processing significant mail and
> http traffic is complaining about them. They were even listed in
> spamhaus's top 10 abuse networks (until they started contributing to
> them?)

Because we are sending non-spam mail from an AWS hosted server, and would
be seriously inconvenienced if they got generally banned by mail
recipients. And we did check that they were not in bad standing at
spamhaus.org before choosing them to host that server. Some of their
competitors failed those checks.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
RE: Testing
Why are you defending amazon? Everyone processing significant mail and http traffic is complaining about them. They were even listed in spamhaus's top 10 abuse networks (until they started contributing to them?)
Re: Testing
On 2020-09-03 09:42, Marc Roos wrote:
> PTR record, SPF, DKIM and DMARC are also set by spammers, and sometimes
> even just before a spam run. It is either choosing to do amazons work or
> not having any work. If more and more are blocking the amazon cloud it
> would make their clients leave and this finally might have them spend
> more on their abuse department.

For your information, AWS apparently blocks TCP port 25 unless the
customer (not someone hacking an AWS instance) explicitly requests a
custom PTR record using a form where the customer promises not to Spam.

Custom PTR records don't look like
ec2-184-72-79-140.compute-1.amazonaws.com .

I am unsure how Richard's example that obviously tricked a server to send
a HTTP request to the OpenSSL mail server got past the port 25 block (this
appears to be a common form of server side request forgery).

> -Original Message-
> To: openssl-users@openssl.org
> Subject: Re: Testing
>
> On 2020-08-31 16:28, Marc Roos wrote:
>> Why don't you block the whole compute cloud of amazon?
>> ec2-3-21-30-127.us-east-2.compute.amazonaws.com
>
> Please note, that at least our company hosts a secondary MX in the EC2
> cloud, with the option to direct my posts to the list through that
> server. However proper PTR record, SPF, DKIM and DMARC checks should all
> pass for such posts.
>
> Thus rather than blindly blacklisting the Amazon hosting service, maybe
> make the OpenSSL mail server check those things to catch erroneous
> transmissions from web servers.
>
>> -Original Message-
>> To: openssl-users@openssl.org
>> Subject: Testing
>>
>> --
>> -BEGIN EMAIL SIGNATURE-
>>
>> The Gospel for all Targeted Individuals (TIs):
>>
>> [The New York Times] Microwave Weapons Are Prime Suspect in Ills of U.S.
>> Embassy Workers
>>
>> Link:
>> https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html
>>
>> Singaporean Mr. Turritopsis Dohrnii Teo En Ming's Academic
>> Qualifications as at 14 Feb 2019 and refugee seeking attempts at the
>> United Nations Refugee Agency Bangkok (21 Mar 2017), in Taiwan (5 Aug
>> 2019) and Australia (25 Dec 2019 to 9 Jan 2020):
>>
>> [1] https://tdtemcerts.wordpress.com/
>>
>> [2] https://tdtemcerts.blogspot.sg/
>>
>> [3] https://www.scribd.com/user/270125049/Teo-En-Ming
>>
>> -END EMAIL SIGNATURE-

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: Testing
For a rogue test message?

However, a quick search through the mail log shows that indeed, there are
messages coming from random Amazon AWS hosts that are... "interesting"

I smirk a bit when I see this in our mail logs:

Sep 2 10:36:06 mta postfix/smtpd[1091]: warning: non-SMTP command from ec2-184-72-79-140.compute-1.amazonaws.com[184.72.79.140]: GET / HTTP/1.1

As for blocking, we rely quite a bit on available spam-hauses, such as
zen.spamhaus.org, and they do catch the occasional individual Amazon AWS
machine (seen in our logs), so it seems that they do get reports on
misbehaving machinery.

Apart from heightened emotions (I understand them, believe you me), are
there tangible reasons for applying the kind of arbitrary sledge-hammer
that you propose? I would rather not, unless I really must.

Cheers,
Richard

On Mon, 31 Aug 2020 16:28:53 +0200, Marc Roos wrote:
>
> Why don't you block the whole compute cloud of amazon?
> ec2-3-21-30-127.us-east-2.compute.amazonaws.com
>
> -Original Message-
>
> To: openssl-users@openssl.org
> Subject: Testing
>

--
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
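The "quick search through the mail log" Richard mentions is easy to make repeatable. The following is an added example, not code from this thread or from any mail operator on it: it parses Postfix smtpd "non-SMTP command" warnings, tags the ones shaped like HTTP requests (the server-side request forgery pattern Jakob refers to), and tallies them by reverse-DNS domain so that a per-network decision can rest on counts rather than on one memorable line. The sample log is constructed: the first line reproduces the format Richard quoted, the remaining hosts and addresses are documentation-range placeholders.

```python
import re
from collections import Counter

# Added example, not code from the openssl-users thread.
# Constructed Postfix smtpd log lines; only the first mirrors the line quoted
# in the thread, the rest use placeholder (documentation-range) addresses.
SAMPLE_LOG = """\
Sep  2 10:36:06 mta postfix/smtpd[1091]: warning: non-SMTP command from ec2-184-72-79-140.compute-1.amazonaws.com[184.72.79.140]: GET / HTTP/1.1
Sep  2 10:36:06 mta postfix/smtpd[1091]: disconnect from ec2-184-72-79-140.compute-1.amazonaws.com[184.72.79.140] unknown=0/1 commands=0/1
Sep  2 11:02:13 mta postfix/smtpd[1203]: warning: non-SMTP command from unknown[203.0.113.7]: POST /cgi-bin/ping HTTP/1.0
Sep  2 11:15:40 mta postfix/smtpd[1207]: warning: non-SMTP command from host.example.net[198.51.100.9]: SSH-2.0-OpenSSH_8.2p1
Sep  2 11:20:01 mta postfix/smtpd[1210]: connect from mail.example.org[192.0.2.25]
"""

# Postfix logs the offending client as "<ptr-name>[<ip>]"; "unknown" means
# the address had no (valid) PTR record.
NON_SMTP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: non-SMTP command from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: (?P<cmd>.+)$"
)

# A request line is the signature of something speaking HTTP at port 25.
HTTP_REQUEST_RE = re.compile(
    r"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|CONNECT|PRI) \S+ HTTP/\d\.\d$"
)


def parse_non_smtp(log_text):
    """Return one dict per 'non-SMTP command' warning, with an 'http' flag."""
    events = []
    for line in log_text.splitlines():
        match = NON_SMTP_RE.match(line)
        if match:
            event = match.groupdict()
            event["http"] = bool(HTTP_REQUEST_RE.match(event["cmd"]))
            events.append(event)
    return events


def reverse_domain(host):
    """Collapse a PTR name to its last two labels (a heuristic, not a
    public-suffix lookup); keep 'unknown' distinct so missing PTRs stand out."""
    if host == "unknown":
        return "unknown (no PTR)"
    return ".".join(host.rstrip(".").split(".")[-2:])


def summarize(events):
    """Count warnings per reverse-DNS domain, HTTP-shaped ones separately."""
    per_domain = Counter(reverse_domain(e["host"]) for e in events)
    http_per_domain = Counter(reverse_domain(e["host"]) for e in events if e["http"])
    return {"all": dict(per_domain), "http_shaped": dict(http_per_domain)}


if __name__ == "__main__":
    found = parse_non_smtp(SAMPLE_LOG)
    for event in found:
        print(event["ts"], event["ip"], event["host"], "HTTP" if event["http"] else "other", event["cmd"])
    print(summarize(found))
```

Run against a real maillog (for example by reading /var/log/mail.log into SAMPLE_LOG's place) the per-domain counts are what you compare with the DNSBL hits Richard mentions: a handful of HTTP-shaped connections from a provider whose abusive hosts zen.spamhaus.org already lists is an argument for keeping the targeted DNSBL check rather than blocking the provider's whole address space.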
RE: Testing
PTR record, SPF, DKIM and DMARC are also set by spammers, and sometimes
even just before a spam run. It is either choosing to do amazons work or
not having any work. If more and more are blocking the amazon cloud it
would make their clients leave and this finally might have them spend
more on their abuse department.

-Original Message-
To: openssl-users@openssl.org
Subject: Re: Testing

On 2020-08-31 16:28, Marc Roos wrote:
> Why don't you block the whole compute cloud of amazon?
> ec2-3-21-30-127.us-east-2.compute.amazonaws.com

Please note, that at least our company hosts a secondary MX in the EC2
cloud, with the option to direct my posts to the list through that
server. However proper PTR record, SPF, DKIM and DMARC checks should all
pass for such posts.

Thus rather than blindly blacklisting the Amazon hosting service, maybe
make the OpenSSL mail server check those things to catch erroneous
transmissions from web servers.

>
> -Original Message-
>
> To: openssl-users@openssl.org
> Subject: Testing
>

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded