Re: Order of protocols in MinProtocol

2020-07-12 Thread Kurt Roeckx
On Sun, Jul 12, 2020 at 12:29:43AM -0400, Viktor Dukhovni wrote:
> 
> The main outstanding issue for which I'm authoring a new PR, is that
> each of the above results in SSL_CONF_cmd() returning an error for
> contexts of the other type or for contexts that are for a specific fixed
> version of TLS or DTLS, and perhaps these errors are not ignored and
> cause issues with context initialisation?  The update I'm writing will
> be more forgiving and silently report success when the setting is not
> applicable.

Looking at openconnect's code, it now supports 3 ways:
- DTLSv1_client_method() with DTLS1_BAD_VER.
- DTLS_client_method() with DTLS1_2_VERSION
- A PSK

The first 2 options will overwrite the protocol min and max version,
so whatever is in the config file will not have any effect.


Kurt



Re: Order of protocols in MinProtocol

2020-07-11 Thread Viktor Dukhovni
On Wed, Jul 08, 2020 at 07:27:18PM +0200, Klaus Umbach via openssl-users wrote:

> > > Should I open an issue at https://github.com/openssl/openssl/issues?
> > 
> > Yes please.
> 
> Done: https://github.com/openssl/openssl/issues/12394

Thanks again for opening the issue, but I have a follow-up question about
your original message that is easiest to ask on the list.

On Wed, Jul 08, 2020 at 04:58:39PM +0200, Klaus Umbach via openssl-users wrote:

> when I set "MinProtocol" to "TLSv1.2" in openssl.cnf, DTLSv1.2 doesn't work for
> the client (in my specific case openconnect).

- Can you be a bit more specific about the failure mode of "openconnect"?
- What are the error messages?
- Can you get verbose error information?

The reason I ask, is that much to my surprise, in trying to write a
patch to resolve this issue, I discovered that I had already written
essentially the requisite code back in 2015, but had long ago forgotten
the details!

Documentation improvements aside, the above 2015 code in OpenSSL already
applies TLS version bounds only to TLS-based contexts, and DTLS bounds
only to DTLS-based contexts.

Thus you can already write:

MinProtocol TLSv1.2
MinProtocol DTLSv1.2

repeating the option with appropriate settings for each of TLS and DTLS,
and pretty much each applies to the appropriate type of SSL_CTX.

The main outstanding issue for which I'm authoring a new PR, is that
each of the above results in SSL_CONF_cmd() returning an error for
contexts of the other type or for contexts that are for a specific fixed
version of TLS or DTLS, and perhaps these errors are not ignored and
cause issues with context initialisation?  The update I'm writing will
be more forgiving and silently report success when the setting is not
applicable.

That aside, clearly the documentation also needs an update.  But I would
like to confirm that I'm not missing some crucial detail, and therefore
it would be very helpful to get a more detailed breakdown of the errors
you observed, assuming that the application isn't so user-friendly as to
hide all those geeky error details... :-(

-- 
Viktor.


Re: Order of protocols in MinProtocol

2020-07-08 Thread Klaus Umbach via openssl-users
On 08.07.20 17:57, Matt Caswell wrote:
> 
> 
> On 08/07/2020 17:48, Klaus Umbach via openssl-users wrote:
> > On 08.07.20 12:21, Viktor Dukhovni wrote:
> >> On Wed, Jul 08, 2020 at 04:36:55PM +0100, Matt Caswell wrote:
> >>
> >>> On 08/07/2020 16:28, Viktor Dukhovni wrote:
> >>>>> How could I set a system default "MinProtocol" for DTLS and TLS to
> >>>>> 1.2?
> >>>>
> >>>> AFAIK, that's not presently possible.  You can specify application
> >>>> profiles, for applications that specify an application name when
> >>>> initializing OpenSSL.  Or use the OPENSSL_CONF environment variable to
> >>>> select an alternative configuration file for DTLS applications.
> >>>
> >>> Arguably, that is a bug. You *should* be able to do that - perhaps based
> >>> on some sensible mapping between TLS protocol versions based on whether
> >>> we have a DTLS or TLS based SSL_METHOD.
> > 
> > Should I open an issue at https://github.com/openssl/openssl/issues?
> 
> Yes please.

Done: https://github.com/openssl/openssl/issues/12394

> 
> 
> > But for my personal problem right now (openconnect uses TLS and DTLS, so
> > even if it would set an application name I couldn't set a "proper"
> > setting), until this bug is fixed, I use this now:
> > 
> >    # MinProtocol = TLSv1.2
> >    Protocol = -TLSv1, -TLSv1.1, TLSv1.2, TLSv1.3, DTLSv1.2
> 
> Looks sane - although do you also mean to disable DTLSv1? Perhaps for
> safety you should also disable SSLv3 (although support for it is not
> built by default anyway).

Ah, thanks, I missed DTLSv1. (SSLv3 is not enabled in my build, but for
safety-reasons, you are right)

Thank you!

-
Klaus


Re: Order of protocols in MinProtocol

2020-07-08 Thread Matt Caswell



On 08/07/2020 17:48, Klaus Umbach via openssl-users wrote:
> On 08.07.20 12:21, Viktor Dukhovni wrote:
>> On Wed, Jul 08, 2020 at 04:36:55PM +0100, Matt Caswell wrote:
>>
>>> On 08/07/2020 16:28, Viktor Dukhovni wrote:
>>>>> How could I set a system default "MinProtocol" for DTLS and TLS to
>>>>> 1.2?
>>>>
>>>> AFAIK, that's not presently possible.  You can specify application
>>>> profiles, for applications that specify an application name when
>>>> initializing OpenSSL.  Or use the OPENSSL_CONF environment variable to
>>>> select an alternative configuration file for DTLS applications.
>>>
>>> Arguably, that is a bug. You *should* be able to do that - perhaps based
>>> on some sensible mapping between TLS protocol versions based on whether
>>> we have a DTLS or TLS based SSL_METHOD.
> 
> Should I open an issue at https://github.com/openssl/openssl/issues?

Yes please.


> But for my personal problem right now (openconnect uses TLS and DTLS, so
> even if it would set an application name I couldn't set a "proper"
> setting), until this bug is fixed, I use this now:
> 
>    # MinProtocol = TLSv1.2
>    Protocol = -TLSv1, -TLSv1.1, TLSv1.2, TLSv1.3, DTLSv1.2

Looks sane - although do you also mean to disable DTLSv1? Perhaps for
safety you should also disable SSLv3 (although support for it is not
built by default anyway).

Matt


Re: Order of protocols in MinProtocol

2020-07-08 Thread Klaus Umbach via openssl-users
On 08.07.20 12:21, Viktor Dukhovni wrote:
> On Wed, Jul 08, 2020 at 04:36:55PM +0100, Matt Caswell wrote:
> 
> > On 08/07/2020 16:28, Viktor Dukhovni wrote:
> > >> How could I set a system default "MinProtocol" for DTLS and TLS to
> > >> 1.2?
> > > 
> > > AFAIK, that's not presently possible.  You can specify application
> > > profiles, for applications that specify an application name when
> > > initializing OpenSSL.  Or use the OPENSSL_CONF environment variable to
> > > select an alternative configuration file for DTLS applications.
> > 
> > Arguably, that is a bug. You *should* be able to do that - perhaps based
> > on some sensible mapping between TLS protocol versions based on whether
> > we have a DTLS or TLS based SSL_METHOD.

Should I open an issue at https://github.com/openssl/openssl/issues?

> 
> I agree that the situation with MinProtocol in openssl.cnf is
> unfortunate.  But instead of mappings, I would propose a different
> solution:
> 
> * Restrict MinProtocol/MaxProtocol to just TLS protocols,
>   i.e. SSL_CTX objects with a TLS-based method.
> 
> * Introduce new controls: DTLSMinProtocol, DTLSMaxProtocol,
>   that are similarly restricted to SSL_CTX objects with a DTLS-based
>   method.
> 
> * Since SSL_CTX_new() takes a required method argument, we are
>   never in doubt as to which pair of controls to apply to a given
>   context.
> 
> Thoughts?


To me this sounds sane.

But for my personal problem right now (openconnect uses TLS and DTLS, so
even if it would set an application name I couldn't set a "proper"
setting), until this bug is fixed, I use this now:

   # MinProtocol = TLSv1.2
   Protocol = -TLSv1, -TLSv1.1, TLSv1.2, TLSv1.3, DTLSv1.2

(with a big comment for future-me, why I did something that I shouldn't)

To my understanding, this will do exactly what I want, up to the point in
time when there are newer versions of DTLS and/or TLS supported and I want
to use them. (SSL3 is not supported in my build)

Am I right?

-
Klaus


Re: Order of protocols in MinProtocol

2020-07-08 Thread Viktor Dukhovni
On Wed, Jul 08, 2020 at 05:40:38PM +0100, Matt Caswell wrote:

> > I agree that the situation with MinProtocol in openssl.cnf is
> > unfortunate.  But instead of mappings, I would propose a different
> > solution:
> > 
> > * Restrict MinProtocol/MaxProtocol to just TLS protocols,
> >   i.e. SSL_CTX objects with a TLS-based method.
> > 
> > * Introduce new controls: DTLSMinProtocol, DTLSMaxProtocol,
> >   that are similarly restricted to SSL_CTX objects with a DTLS-based
> >   method.
> > 
> > * Since SSL_CTX_new() takes a required method argument, we are
> >   never in doubt as to which pair of controls to apply to a given
> >   context.
> > 
> > Thoughts?
> 
> Yes - that could work. Although it begs the question - would it change
> the way SSL_CTX_set_min_proto_version() works? (I assume that currently
> works just fine as is)

No changes in SSL_CTX_set_(min|max)_proto_version() required.  The API
remains the same, and a user calling it on a context with a DTLS-based
method, would (as before) pass the appropriate *DTLS* versions.

The only change would be in the .cnf file, where "MinProtocol" and
"MaxProtocol" would now apply only in TLS-based contexts, and new
DTLSMinProtocol and DTLSMaxProtocol only in DTLS-based contexts. 

> Another question that throws up is how much of that solution would we
> backport to 1.1.1 since DTLS(Min|Max)Protocol would be a new feature.

I'd be inclined to backport.

> Should we backport it anyway with the justification that it is a "fix"?
> Or do we just backport the bit that means it doesn't get applied to DTLS?

I see it as a bugfix.  Yes, at least not misapply TLS limits to DTLS,
but at that point not adding the corresponding DTLS controls feels too
cautious to me.

-- 
Viktor.


Re: Order of protocols in MinProtocol

2020-07-08 Thread Matt Caswell



On 08/07/2020 17:21, Viktor Dukhovni wrote:
> On Wed, Jul 08, 2020 at 04:36:55PM +0100, Matt Caswell wrote:
> 
>> On 08/07/2020 16:28, Viktor Dukhovni wrote:
>>>> How could I set a system default "MinProtocol" for DTLS and TLS to 1.2?
>>>
>>> AFAIK, that's not presently possible.  You can specify application
>>> profiles, for applications that specify an application name when
>>> initializing OpenSSL.  Or use the OPENSSL_CONF environment variable to
>>> select an alternative configuration file for DTLS applications.
>>
>> Arguably, that is a bug. You *should* be able to do that - perhaps based
>> on some sensible mapping between TLS protocol versions based on whether
>> we have a DTLS or TLS based SSL_METHOD.
> 
> I agree that the situation with MinProtocol in openssl.cnf is
> unfortunate.  But instead of mappings, I would propose a different
> solution:
> 
> * Restrict MinProtocol/MaxProtocol to just TLS protocols,
>   i.e. SSL_CTX objects with a TLS-based method.
> 
> * Introduce new controls: DTLSMinProtocol, DTLSMaxProtocol,
>   that are similarly restricted to SSL_CTX objects with a DTLS-based
>   method.
> 
> * Since SSL_CTX_new() takes a required method argument, we are
>   never in doubt as to which pair of controls to apply to a given
>   context.
> 
> Thoughts?

Yes - that could work. Although it begs the question - would it change
the way SSL_CTX_set_min_proto_version() works? (I assume that currently
works just fine as is)

Another question that throws up is how much of that solution would we
backport to 1.1.1 since DTLS(Min|Max)Protocol would be a new feature.
Should we backport it anyway with the justification that it is a "fix"?
Or do we just backport the bit that means it doesn't get applied to DTLS?

Matt



Re: Order of protocols in MinProtocol

2020-07-08 Thread Viktor Dukhovni
On Wed, Jul 08, 2020 at 04:36:55PM +0100, Matt Caswell wrote:

> On 08/07/2020 16:28, Viktor Dukhovni wrote:
> >> How could I set a system default "MinProtocol" for DTLS and TLS to 1.2?
> > 
> > AFAIK, that's not presently possible.  You can specify application
> > profiles, for applications that specify an application name when
> > initializing OpenSSL.  Or use the OPENSSL_CONF environment variable to
> > select an alternative configuration file for DTLS applications.
> 
> Arguably, that is a bug. You *should* be able to do that - perhaps based
> on some sensible mapping between TLS protocol versions based on whether
> we have a DTLS or TLS based SSL_METHOD.

I agree that the situation with MinProtocol in openssl.cnf is
unfortunate.  But instead of mappings, I would propose a different
solution:

* Restrict MinProtocol/MaxProtocol to just TLS protocols,
  i.e. SSL_CTX objects with a TLS-based method.

* Introduce new controls: DTLSMinProtocol, DTLSMaxProtocol,
  that are similarly restricted to SSL_CTX objects with a DTLS-based
  method.

* Since SSL_CTX_new() takes a required method argument, we are
  never in doubt as to which pair of controls to apply to a given
  context.

Thoughts?

--  
Viktor.


Re: Order of protocols in MinProtocol

2020-07-08 Thread Matt Caswell



On 08/07/2020 16:28, Viktor Dukhovni wrote:
>> How could I set a system default "MinProtocol" for DTLS and TLS to 1.2?
> 
> AFAIK, that's not presently possible.  You can specify application
> profiles, for applications that specify an application name when
> initializing OpenSSL.  Or use the OPENSSL_CONF environment variable to
> select an alternative configuration file for DTLS applications.
> 

Arguably, that is a bug. You *should* be able to do that - perhaps based
on some sensible mapping between TLS protocol versions based on whether
we have a DTLS or TLS based SSL_METHOD.

Matt


Re: Order of protocols in MinProtocol

2020-07-08 Thread Viktor Dukhovni
On Wed, Jul 08, 2020 at 04:58:39PM +0200, Klaus Umbach via openssl-users wrote:

> when I set "MinProtocol" to "TLSv1.2" in openssl.cnf, DTLSv1.2 doesn't work for
> the client (in my specific case openconnect).

Unfortunately, I think that's expected.  The actual bounds are numeric,
and TLS protocols start at 0x0301 (TLS 1.0) and go up to 0x304 (TLS
1.3):

# define TLS1_VERSION                    0x0301
# define TLS1_1_VERSION                  0x0302
# define TLS1_2_VERSION                  0x0303
# define TLS1_3_VERSION                  0x0304
# define TLS_MAX_VERSION                 TLS1_3_VERSION

[ It is also possible to set the floor at SSL3_VERSION == 0x0300,
  if that's still enabled in your build. ]

while DTLS protocols start at 0xFEFF (DTLS 1.0) and count down:

# define DTLS1_VERSION                   0xFEFF
# define DTLS1_2_VERSION                 0xFEFD
# define DTLS_MIN_VERSION                DTLS1_VERSION
# define DTLS_MAX_VERSION                DTLS1_2_VERSION

So when on a particular SSL_CTX you set MinProtocol and/or MaxProtocol,
that setting really only makes sense for TLS or for DTLS, but never
both, and you need a separate SSL_CTX for DTLS if you intend to
specify the protocol ranges.

> How could I set a system default "MinProtocol" for DTLS and TLS to 1.2?

AFAIK, that's not presently possible.  You can specify application
profiles, for applications that specify an application name when
initializing OpenSSL.  Or use the OPENSSL_CONF environment variable to
select an alternative configuration file for DTLS applications.

-- 
Viktor.
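The version arithmetic above, together with the `Protocol = -TLSv1, -TLSv1.1, TLSv1.2, TLSv1.3, DTLSv1.2` workaround from earlier in the thread and Matt's remark that it leaves DTLSv1 enabled, as an added example in Python. This is not code from the thread or from OpenSSL: the function names and the TLS/DTLS "family" split are my own, and the special `Protocol` value ALL is not modelled.

```python
# Added example, not code from the thread or from OpenSSL: a model of how the
# openssl.cnf "Protocol" list and a MinProtocol bound interact with TLS-based
# and DTLS-based contexts, using the wire version numbers quoted above.
# Function names and the "family" notion are my own; "ALL" is not modelled.

# TLS versions count up from 0x0301; DTLS versions count down from 0xFEFF.
TLS_VERSIONS = {"SSLv3": 0x0300, "TLSv1": 0x0301, "TLSv1.1": 0x0302,
                "TLSv1.2": 0x0303, "TLSv1.3": 0x0304}
DTLS_VERSIONS = {"DTLSv1": 0xFEFF, "DTLSv1.2": 0xFEFD}
ALL_VERSIONS = {**TLS_VERSIONS, **DTLS_VERSIONS}


def family(name):
    """'TLS' or 'DTLS' for a protocol name as used in openssl.cnf."""
    return "DTLS" if name in DTLS_VERSIONS else "TLS"


def apply_protocol_list(value, enabled=None):
    """Model of the 'Protocol' directive: '-NAME' disables, 'NAME' or '+NAME'
    enables, and any protocol not mentioned keeps its current state (this is
    why the workaround list leaves DTLSv1 enabled). Starts from every
    supported protocol unless an explicit starting set is given."""
    enabled = set(ALL_VERSIONS) if enabled is None else set(enabled)
    for tok in value.split(","):
        tok = tok.strip()
        name = tok.lstrip("+-")
        if name not in ALL_VERSIONS:
            raise ValueError(f"unknown protocol {name!r}")
        (enabled.discard if tok.startswith("-") else enabled.add)(name)
    return enabled


def min_protocol_applies(min_name, ctx_family):
    """A MinProtocol value is only meaningful for a context of the same family:
    0x0303 (TLS1_2_VERSION) is not a point on the DTLS scale 0xFEFF..0xFEFD."""
    return family(min_name) == ctx_family


def effective_versions(ctx_family, enabled, min_name=None):
    """Version names a context of ctx_family may negotiate, given the enabled
    set and an optional MinProtocol. For DTLS, 'newer' means numerically lower."""
    scale = TLS_VERSIONS if ctx_family == "TLS" else DTLS_VERSIONS
    allowed = {n: v for n, v in scale.items() if n in enabled}
    if min_name and min_protocol_applies(min_name, ctx_family):
        floor = scale[min_name]
        at_least = (lambda v: v >= floor) if ctx_family == "TLS" else (lambda v: v <= floor)
        allowed = {n: v for n, v in allowed.items() if at_least(v)}
    return sorted(allowed)
```

Running `effective_versions("DTLS", apply_protocol_list("-TLSv1, -TLSv1.1, TLSv1.2, TLSv1.3, DTLSv1.2"))` still returns DTLSv1 alongside DTLSv1.2; adding `-DTLSv1` (and `-SSLv3` for builds that include it) to the list is what narrows both families to 1.2 and up.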