On Tue, Jan 23, 2007 at 03:23:39PM -0500, Wietse Venema wrote:

> Victor Duchovni:
> > + */ > > + #ifdef SN_aes_256_cbc > > + SN_aes_256_cbc, SSL_TXT_AES "+HIGH", > > + #endif > > + 0, 0, > > + };
>
> Any objections when I also list
>
>     SN_aes_128_cbc, SSL_TXT_AES "+LOW"
>
> considering that AES is a problematic case by design? It's cheaper
> to add now than after deployment.

Well, the OpenSSL library explicitly checks this case, and concludes that both 128 and 256 are present based on an AES 128 "probe" alone. So the test is not currently required, and is unlikely to be required in the future.

There is a further complication: There are today no "AES+EXPORT", "AES+LOW" or "AES+MEDIUM" ciphers, because for similar reasons the library is confused about whether AES128 is a HIGH grade or MEDIUM grade cipher.

If the OpenSSL library is enhanced to correctly classify AES128 as a medium cipher (which it is), and a distribution ships only AES256 and not AES128, and the new OpenSSL tests for AES256 and also concludes that AES128 is present, we would need either:

    SN_aes_128_cbc, SSL_TXT_AES "+MEDIUM",

OR

    SN_aes_128_cbc, SSL_TXT_AES,

depending on the details of the new implementation. The latter form is likely to also kill the high grade AES ciphers, which could be a problem if 3DES is disabled, leaving no other HIGH grade ciphers in place. So only the "+MEDIUM" version appears reasonably safe.

My instinct is to not do this until we know more about how the OpenSSL team is likely to tackle this issue.

>
> I would also include this with Postfix 2.3.

The Postfix 2.3 patch is below:

Index: src/tls/tls_misc.c *** src/tls/tls_misc.c 7 Jul 2006 17:50:24 -0000 1.1.1.10 --- src/tls/tls_misc.c 23 Jan 2007 20:15:43 -0000 *************** *** 104,109 **** --- 104,110 ---- #include <mymalloc.h> #include <vstring.h> #include <stringops.h> + #include <argv.h> /* TLS library. */ *************** *** 151,156 **** --- 152,191 ---- 0, TLS_CIPHER_NONE, }; + typedef struct { + char *algorithm; + char *exclusion; + } cipher_probe; + + static cipher_probe cipher_probe_list[] = { + /* + * Check for missing AES256, OpenSSL only checks for AES128, and then + * enables both, because they only have one "is AES" boolean flag in + * the cipher property mask. The implementation cannot distinguish + * between AES128 and AES256. 
When some O/S distributions play + * games with libcrypto and exclude just the AES256 ciphers, they + * break the OpenSSL cipherlist construction code, with clients and + * servers potentially negotiating unimplemented ciphers. + * + * This problem is peculiar to AES, which is not a single cipher, but + * a family of related ciphers. The other OpenSSL symmetric ciphers + * are atomic, either implemented or not. We expect that future ciphers + * will either also be atomic, or will have one property bit per + * family member and will be filtered accurately by OpenSSL. + * + * If all else fails, this table can be expanded :-( + * + * XXX: the probe for AES256 is enclosed in #ifdef. OpenSSL 0.9.6 + * and earlier don't have AES 256, this requires 0.9.7 or later. We + * recommend against use of 0.9.6, it has open issues solved in 0.9.7l + * and 0.9.8d, but we are not yet prepared to drop support for 0.9.6. + */ + #ifdef SN_aes_256_cbc + SN_aes_256_cbc, SSL_TXT_AES "+HIGH", + #endif + 0, 0, + }; + /* * Parsed OpenSSL version number. */ *************** *** 168,173 **** --- 203,211 ---- { const char *myname = "tls_cipher_list"; static VSTRING *buf; + static ARGV *exclude_unavailable; + cipher_probe *probe; + int i; va_list ap; const char *exclude; char *tok; *************** *** 202,207 **** --- 240,257 ---- if (VSTRING_LEN(buf) == 0) msg_panic("%s: empty cipherlist", myname); + /* + * Exclude ciphers that clueless distributions leave out of libcrypto. + */ + if (exclude_unavailable == 0) { + exclude_unavailable = argv_alloc(1); + for (probe = cipher_probe_list; probe->algorithm; ++probe) + if (!EVP_get_cipherbyname(probe->algorithm)) + argv_add(exclude_unavailable, probe->exclusion, (char *) 0); + } + for (i = 0; i < exclude_unavailable->argc; ++i) + vstring_sprintf_append(buf, ":!%s", exclude_unavailable->argv[i]); + va_start(ap, cipher_level); while ((exclude = va_arg(ap, char *)) != 0) { if (*exclude == '\0') -- Viktor. 
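
Review bot: in the 152,191 hunk, the `cipher_probe` members `char *algorithm` and `char *exclusion` are only ever initialised from string literals and read, so they should be `const char *`, and `cipher_probe_list` can be declared `static const`. The `cipher_probe *probe` local added in the 203,211 hunk would then become `const cipher_probe *probe`. The table comment could also say in one line what each field means: `algorithm` is the name handed to `EVP_get_cipherbyname()`, and `exclusion` is the cipherlist expression appended after ":!" when that lookup fails.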
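
Review bot: in the 240,257 hunk, the probe runs once and its result is cached in the static `exclude_unavailable`, so it is only correct if OpenSSL has already registered its ciphers before the first call to this function. If `EVP_get_cipherbyname()` is reached before the library is initialised, the lookup returns NULL and `AES+HIGH` stays excluded for the life of the process. Please state that ordering requirement in the comment above the block. Consider also logging each exclusion as it is added, so an operator can see why AES256 is missing from the negotiated list. As a style point, the `for` loop wrapping a bare `if` would read more safely with braces.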