Re: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder

[Martin Meredith]

Attached is the patch tweaked slightly so that it applies cleanly to 2.6 
final  (as applied in Debian)

On 08/02/12 13:58, Joe Gooch wrote:
No problem.  You may want to consider using 2.6 final though.  Patch should 
still apply.
Joe

-----Original Message-----
From: fatcha...@gmx.de [mailto:fatcha...@gmx.de]
Sent: Wednesday, February 08, 2012 8:23 AM
To: pound@apsis.ch
Subject: Re: RE: [Pound Mailing List] Pound 2.6f and
SSLHonorCipherOrder

Hi Joe,

I´ve just installed a new pound-system with an CentOS 6 64-bit and a
pound 2.6f with your new patch v2 an it works fine.

Thank you very much for your fast and helpful support.

Kind Regards

fatcharly

-------- Original-Nachricht --------
Datum: Thu, 2 Feb 2012 18:24:55 +0000
Von: Joe Gooch<mrwiz...@k12system.com>
An: "\'pound@apsis.ch\'"<pound@apsis.ch>
CC: \'Martin Meredith\'<m...@debian.org>
Betreff: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
Use this one instead.

http://goochfriend.org/pound_2.6f_ssl_renegotiation_and_ciphers_v2.pat
ch

Should start with hash 1698011920aa9c.

Changes -
Remove the SNI logging information (that never belonged as part of
this patch and caused segfaults) Redo the whitespace to use spaces
instead of tabs to be consistent with pound best practices

Joe

-----Original Message-----
From: Joe Gooch [mailto:mrwiz...@k12system.com]
Sent: Thursday, February 02, 2012 10:41 AM
To: 'pound@apsis.ch'
Subject: RE: [Pound Mailing List] Pound 2.6f and
SSLHonorCipherOrder

No worries. You can PM the information to me, or really, what
Pound extracts is the CN information.  Or at least that's what
the
regex is supposed to pull.  I was hoping to see the subject line
so I could
see
if it's in a format pound should parse properly, or if it's
something else it's not expecting.

My thought is either your cert's subject line isn't being parsed
properly, which is causing a problem in fnmatch, or the value
isn't being initialized at all (but I'm not sure how that would
happen)...
Or somehow turning on the honor cipher order option causes some
other type of callback to occur with SNI.... But I can't see how
Cipher Suites would be related to SNI servername extensions.

But I certainly don't want to compromise your SSL security.

Joe

-----Original Message-----
From: fatcha...@gmx.de [mailto:fatcha...@gmx.de]
Sent: Thursday, February 02, 2012 10:29 AM
To: pound@apsis.ch
Subject: Re: RE: [Pound Mailing List] Pound 2.6f and
SSLHonorCipherOrder

Hi Joe,

good news, after we applied the line "#undef
SSL_CTRL_SET_TLSEXT_SERVERNAME_CB"  in the config.c and a new
compile,
we don´t see any segfaults. I´m afraid, but it´s not possible
for
me
to send you all of the x509-Information. But I can tell you
that
we have 2 EV-SSL´s and two "normal" SSL-Certificates. Do you
need some more information or maybe some information than won´t
show any
company
information of the SSL-Certificate ?

Kind Regards

fatcharly




-------- Original-Nachricht --------
Datum: Thu, 2 Feb 2012 14:07:12 +0000
Von: Joe Gooch<mrwiz...@k12system.com>
An: "\'pound@apsis.ch\'"<pound@apsis.ch>
Betreff: RE: [Pound Mailing List] Pound 2.6f and
SSLHonorCipherOrder
Also, perhaps running it with -v, or setting LogFacility -,
(or
both) will yield a bigger picture... That'll output all the
logs on the console. (so you'll see debug and info and
everything else on the
same
screen)  In your msg below I'm not seeing the LOG_DEBUG
messages from SNI... So maybe syslog is filtering those out,
or saving
them
elsewhere...
Joe

-----Original Message-----
From: Joe Gooch
Sent: Thursday, February 02, 2012 9:00 AM
To: 'pound@apsis.ch'
Subject: RE: [Pound Mailing List] Pound 2.6f and
SSLHonorCipherOrder
It still won't segfault for me. :-/

"ip" in this context means instruction pointer, not
internet
protocol.
http://stackoverflow.com/questions/2549214/interpreting-
segfault
-
messages

addr2line -e pound 08051f5c
/root/download/Pound-2.6f/config.c:808

Which, is square in the middle of the SNI checking.

At the top of your config.c (say around line 74) can you do
#undef
SSL_CTRL_SET_TLSEXT_SERVERNAME_CB

And recompile?  That should disable SNI.  (Which IIRC you
weren't using
anyway)

And then let me know if you still see segfaults.

Further, could you provide the subject of all the
certificates you're using?  I.e. the output of:
openssl x509 -noout -in yourpemfile.pem -subject


Joe


-----Original Message-----
From: fatcha...@gmx.de [mailto:fatcha...@gmx.de]
Sent: Thursday, February 02, 2012 7:56 AM
To: pound@apsis.ch
Subject: Re: RE: RE: [Pound Mailing List] Pound 2.6f and
SSLHonorCipherOrder

Hi Joe,

yes we did fix the patchfile. I did some further
investigation
on
this
and there are some news I have to share. First some
answers for your
questions:
1) Does this happen on every request for you? Or is it
sporadic?
no, its much more than just sporadic, some request get
answered and some not.
2) 32 or 64 bit?  I can whip up a i386 chroot if need be
it´s plain 32 bit
3) Looking at the packages below do you see any blatant
differences between my setup and yours
no, but I will put my list in a special mail to send it
directly
with the tar-archive of our pound-directory to you
4 4) Anything else you can think of to help me track
this
down for
you?
Yes, I could zero in the problem a bit. First a bit about
our
setup:
The pound is in dmz-A, the webserver is in dmz-B, and the
requesting Client comes a) from the internet or b) from
the
internal network.
When we start the pound everything works fine, as long as
the
requests
are coming from the internal network and the request is
send to
an
IP of the dmz-A network. So everything worked with this
setup for the internal network. But when there are
requests from
the
internet, we get segfaults. The request is received from
the firewall which does a NAT to pass the external IP of
the
website
to the internal IP of the dmz-A network. And some
requests
are
working (as I can see in the logfile of
pound) and some cause segfaults. We can only test this by
switching between the pound and our loadbalancer-
appliance
(as
this one works, we are sure the NAT is not a problem) the
productive path. So maybe there is a problem with some
IP´s which cause the segfault. The segfaults appear even
when
there
is no
SSLHonorCipherOrder enabled.
I´m not deep into this  segfault thing, but there the
word
"ip"
mentioned:
Feb  2 11:45:52 pilotpound kernel: pound[28641]: segfault
at
4
ip 08051f5c sp b7610ce0 error 4 in pound[8048000+18000]

Is there anything else I can do to support you ?

Kind Regards

fatcharly



  -------- Original-Nachricht --------
  Datum: Wed, 1 Feb 2012 21:18:04 +0000
  Von: Joe Gooch<mrwiz...@k12system.com>
  An: "\'pound@apsis.ch\'"<pound@apsis.ch>
  Betreff: RE: RE: [Pound Mailing List] Pound 2.6f and
SSLHonorCipherOrder

--
Empfehlen Sie GMX DSL Ihren Freunden und Bekannten und
wir
belohnen Sie mit bis zu 50,- Euro!
https://freundschaftswerbung.gmx.de

--
To unsubscribe send an email with subject unsubscribe to
pound@apsis.ch.
Please contact ro...@apsis.ch for questions.
--
Empfehlen Sie GMX DSL Ihren Freunden und Bekannten und wir
belohnen Sie mit bis zu 50,- Euro!
https://freundschaftswerbung.gmx.d
--
Empfehlen Sie GMX DSL Ihren Freunden und Bekannten und wir belohnen Sie
mit bis zu 50,- Euro! https://freundschaftswerbung.gmx.de

--
To unsubscribe send an email with subject unsubscribe to
pound@apsis.ch.
Please contact ro...@apsis.ch for questions.
N�����r��zǧu�ޙ���+a���y�n�˛���m�h���u�l��!>W���(�֜��,z��+��+�笶*'s===

From: Joe Gooch <mrwiz...@k12system.com>
Author: Joe Gooch <mrwiz...@k12system.com>
Description: SSL Renegotiation Patch
 This patch adds two new config directives:
 SSLHonorCipherOrder 0|1
   When set to 1, server prefers Ciphers in the order specified.  When 0, Server advertises no preference.
 
 SSLAllowClientRenegotiation 0|1|2
   When set to 0, no client renegotiation will be honored. 
   When 1, secure renegotiation will be honored.
   When 2, insecure renegotiation will be honored.
 
 It will also disable insecure renegotiation on backend HTTPS connections.
 
 Given these options, the most secure configuration would be:
 SSLAllowClientRenegotiation 0
 SSLHonorCipherOrder 1
 Ciphers         "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
 
 Which mitigates BEAST attacks as outlined here:
 http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
 
 As well as renegotiation attacks.
 
 Test your server at https://www.ssllabs.com/ssldb/
Forwarded: http://www.apsis.ch/pound/pound_list/archive/2012/2012-02/1328105174000#1328207465000
--- a/config.c
+++ b/config.c
@@ -76,7 +76,7 @@
 static regex_t  Err414, Err500, Err501, Err503, MaxRequest, HeadRemove, RewriteLocation, RewriteDestination;
 static regex_t  Service, ServiceName, URL, HeadRequire, HeadDeny, BackEnd, Emergency, Priority, HAport, HAportAddr;
 static regex_t  Redirect, RedirectN, TimeOut, Session, Type, TTL, ID, DynScale;
-static regex_t  ClientCert, AddHeader, Ciphers, CAlist, VerifyList, CRLlist, NoHTTPS11;
+static regex_t  ClientCert, AddHeader, SSLAllowClientRenegotiation, SSLHonorCipherOrder, Ciphers, CAlist, VerifyList, CRLlist, NoHTTPS11;
 static regex_t  Grace, Include, ConnTO, IgnoreCase, HTTPS, HTTPSCert, Disabled, Threads, CNName;
 
 static regmatch_t   matches[5];
@@ -289,9 +289,12 @@
         } else if(!regexec(&HTTPS, lin, 4, matches, 0)) {
             if((res->ctx = SSL_CTX_new(SSLv23_client_method())) == NULL)
                 conf_err("SSL_CTX_new failed - aborted");
+            SSL_CTX_set_app_data(res->ctx, res);
             SSL_CTX_set_verify(res->ctx, SSL_VERIFY_NONE, NULL);
             SSL_CTX_set_mode(res->ctx, SSL_MODE_AUTO_RETRY);
             SSL_CTX_set_options(res->ctx, SSL_OP_ALL);
+            SSL_CTX_clear_options(res->ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+            SSL_CTX_clear_options(res->ctx, SSL_OP_LEGACY_SERVER_CONNECT);
             sprintf(lin, "%d-Pound-%ld", getpid(), random());
             SSL_CTX_set_session_id_context(res->ctx, (unsigned char *)lin, strlen(lin));
             SSL_CTX_set_tmp_rsa_callback(res->ctx, RSA_tmp_callback);
@@ -299,6 +302,7 @@
         } else if(!regexec(&HTTPSCert, lin, 4, matches, 0)) {
             if((res->ctx = SSL_CTX_new(SSLv23_client_method())) == NULL)
                 conf_err("SSL_CTX_new failed - aborted");
+            SSL_CTX_set_app_data(res->ctx, res);
             lin[matches[1].rm_eo] = '\0';
             if(SSL_CTX_use_certificate_chain_file(res->ctx, lin + matches[1].rm_so) != 1)
                 conf_err("SSL_CTX_use_certificate_chain_file failed - aborted");
@@ -309,6 +313,8 @@
             SSL_CTX_set_verify(res->ctx, SSL_VERIFY_NONE, NULL);
             SSL_CTX_set_mode(res->ctx, SSL_MODE_AUTO_RETRY);
             SSL_CTX_set_options(res->ctx, SSL_OP_ALL);
+            SSL_CTX_clear_options(res->ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+            SSL_CTX_clear_options(res->ctx, SSL_OP_LEGACY_SERVER_CONNECT);
             sprintf(lin, "%d-Pound-%ld", getpid(), random());
             SSL_CTX_set_session_id_context(res->ctx, (unsigned char *)lin, strlen(lin));
             SSL_CTX_set_tmp_rsa_callback(res->ctx, RSA_tmp_callback);
@@ -829,11 +835,15 @@
     SERVICE     *svc;
     MATCHER     *m;
     int         has_addr, has_port, has_other;
+    long	ssl_op_enable, ssl_op_disable;
     struct hostent      *host;
     struct sockaddr_in  in;
     struct sockaddr_in6 in6;
     POUND_CTX   *pc;
 
+    ssl_op_enable = SSL_OP_ALL;
+    ssl_op_disable = SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION | SSL_OP_LEGACY_SERVER_CONNECT;
+
     if((res = (LISTENER *)malloc(sizeof(LISTENER))) == NULL)
         conf_err("ListenHTTPS config: out of memory - aborted");
     memset(res, 0, sizeof(LISTENER));
@@ -844,6 +854,7 @@
     res->err500 = "An internal server error occurred. Please try again later.";
     res->err501 = "This method may not be used.";
     res->err503 = "The service is not available. Please try again later.";
+    res->allow_client_reneg = 0;
     res->log_level = log_level;
     if(regcomp(&res->verb, xhttp[0], REG_ICASE | REG_NEWLINE | REG_EXTENDED))
         conf_err("xHTTP bad default pattern - aborted");
@@ -1029,6 +1040,23 @@
                 strcat(res->add_head, "\r\n");
                 strcat(res->add_head, lin + matches[1].rm_so);
             }
+        } else if(!regexec(&SSLAllowClientRenegotiation, lin, 4, matches, 0)) {
+            res->allow_client_reneg = atoi(lin + matches[1].rm_so);
+            if (res->allow_client_reneg == 2) {
+                ssl_op_enable |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+                ssl_op_disable &= ~SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+            } else {
+                ssl_op_disable |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+                ssl_op_enable &= ~SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+            }
+        } else if(!regexec(&SSLHonorCipherOrder, lin, 4, matches, 0)) {
+            if (atoi(lin + matches[1].rm_so)) {
+                ssl_op_enable |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+                ssl_op_disable &= ~SSL_OP_CIPHER_SERVER_PREFERENCE;
+            } else {
+                ssl_op_disable |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+                ssl_op_enable &= ~SSL_OP_CIPHER_SERVER_PREFERENCE;
+            }
         } else if(!regexec(&Ciphers, lin, 4, matches, 0)) {
             has_other = 1;
             if(res->ctx == NULL)
@@ -1105,12 +1133,15 @@
                 conf_err("ListenHTTPS: can't set SNI callback");
 #endif
             for(pc = res->ctx; pc; pc = pc->next) {
+                SSL_CTX_set_app_data(pc->ctx, res);
                 SSL_CTX_set_mode(pc->ctx, SSL_MODE_AUTO_RETRY);
-                SSL_CTX_set_options(pc->ctx, SSL_OP_ALL);
+                SSL_CTX_set_options(pc->ctx, ssl_op_enable);
+                SSL_CTX_clear_options(pc->ctx, ssl_op_disable);
                 sprintf(lin, "%d-Pound-%ld", getpid(), random());
                 SSL_CTX_set_session_id_context(pc->ctx, (unsigned char *)lin, strlen(lin));
                 SSL_CTX_set_tmp_rsa_callback(pc->ctx, RSA_tmp_callback);
                 SSL_CTX_set_tmp_dh_callback(pc->ctx, DH_tmp_callback);
+                SSL_CTX_set_info_callback(pc->ctx, SSLINFO_callback);
             }
             return res;
         } else {
@@ -1305,6 +1336,8 @@
     || regcomp(&DynScale, "^[ \t]*DynScale[ \t]+([01])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
     || regcomp(&ClientCert, "^[ \t]*ClientCert[ \t]+([0-3])[ \t]+([1-9])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
     || regcomp(&AddHeader, "^[ \t]*AddHeader[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+    || regcomp(&SSLAllowClientRenegotiation, "^[ \t]*SSLAllowClientRenegotiation[ \t]+([012])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+    || regcomp(&SSLHonorCipherOrder, "^[ \t]*SSLHonorCipherOrder[ \t]+([01])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
     || regcomp(&Ciphers, "^[ \t]*Ciphers[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
     || regcomp(&CAlist, "^[ \t]*CAlist[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
     || regcomp(&VerifyList, "^[ \t]*VerifyList[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
@@ -1463,6 +1496,8 @@
     regfree(&DynScale);
     regfree(&ClientCert);
     regfree(&AddHeader);
+    regfree(&SSLAllowClientRenegotiation);
+    regfree(&SSLHonorCipherOrder);
     regfree(&Ciphers);
     regfree(&CAlist);
     regfree(&VerifyList);
--- a/pound.8
+++ b/pound.8
@@ -501,6 +501,19 @@
 and
 .I SSL_CTX_set_cipher_list(3).
 .TP
+\fBSSLHonorCipherOrder\fR 0|1
+If this value is 1, the server will broadcast a preference to use \fBCiphers\fR in the
+order supplied in the \fBCiphers\fR directive.  If the value is 0, the server will treat
+the Ciphers list as the list of Ciphers it will accept, but no preference will be
+indicated.  Default value is 0.
+.TP
+\fBSSLAllowClientRenegotiation\fR 0|1|2
+If this value is 0, client initiated renegotiation will be disabled.  This will mitigate
+DoS exploits based on client renegotiation, regardless of the patch status of clients and
+servers related to "Secure renegotiation".  If the value is 1, secure renegotiation is
+supported.  If the value is 2, insecure renegotiation is supported, with unpatched
+clients.  /fBThis can lead to a DoS and a Man in the Middle attack!/fR  Default value is 0.
+.TP
 \fBCAlist\fR "CAcert_file"
 Set the list of "trusted" CA's for this server. The CAcert_file is a file containing
 a sequence of CA certificates (PEM format). The names of the defined CA certificates
--- a/pound.h
+++ b/pound.h
@@ -404,6 +404,7 @@
     int                 rewr_dest;      /* rewrite destination header */
     int                 disabled;       /* true if the listener is disabled */
     int                 log_level;      /* log level for this listener */
+    int                 allow_client_reneg; /* Allow Client SSL Renegotiation */
     SERVICE             *services;
     struct _listener    *next;
 }   LISTENER;
@@ -419,6 +420,9 @@
     struct _thr_arg *next;
 }   thr_arg;                        /* argument to processing threads: socket, origin */
 
+/* Track SSL handshare/renegotiation so we can reject client-renegotiations. */
+typedef enum { RENEG_INIT=0, RENEG_REJECT, RENEG_ALLOW, RENEG_ABORT } RENEG_STATE;
+
 /* Header types */
 #define HEADER_ILLEGAL              -1
 #define HEADER_OTHER                0
@@ -591,6 +595,11 @@
 extern DH   *DH_tmp_callback(SSL *, int, int);
 
 /*
+ * Renegotiation callback
+ */
+extern void SSLINFO_callback(const SSL *s, int where, int rc);
+
+/*
  * expiration stuff
  */
 #ifndef EXPIRE_TO
--- a/svc.c
+++ b/svc.c
@@ -1797,3 +1797,34 @@
         close(ctl);
     }
 }
+
+void
+SSLINFO_callback(const SSL *ssl, int where, int rc)
+{
+    RENEG_STATE *reneg_state;
+
+    /* Get our thr_arg where we're tracking this connection info */
+    if ((reneg_state = (RENEG_STATE *)SSL_get_app_data(ssl)) == NULL) return;
+
+    /* If we're rejecting renegotiations, move to ABORT if Client Hello is being read. */
+    if ((where & SSL_CB_ACCEPT_LOOP) && *reneg_state == RENEG_REJECT) {
+        int state = SSL_get_state(ssl);
+
+        if (state == SSL3_ST_SR_CLNT_HELLO_A || state == SSL23_ST_SR_CLNT_HELLO_A) {
+           *reneg_state = RENEG_ABORT;
+           logmsg(LOG_WARNING,"rejecting client initiated renegotiation");
+        }
+    }
+    else if (where & SSL_CB_HANDSHAKE_DONE && *reneg_state == RENEG_INIT) {
+       // Reject any followup renegotiations
+       *reneg_state = RENEG_REJECT;
+    }
+
+    //if (where & SSL_CB_HANDSHAKE_START) logmsg(LOG_DEBUG, "handshake start");
+    //else if (where & SSL_CB_HANDSHAKE_DONE) logmsg(LOG_DEBUG, "handshake done");
+    //else if (where & SSL_CB_LOOP) logmsg(LOG_DEBUG, "loop");
+    //else if (where & SSL_CB_READ) logmsg(LOG_DEBUG, "read");
+    //else if (where & SSL_CB_WRITE) logmsg(LOG_DEBUG, "write");
+    //else if (where & SSL_CB_ALERT) logmsg(LOG_DEBUG, "alert");
+}
+