[ldns-users] OpenSSL context configuration

Jeffrey Walton noloader at gmail.com
Wed Feb 5 16:27:30 UTC 2020


Hi Everyone,

I was looking at the code used to configure a context.
SSL_CTX_new(TLS_client_method()) is good to see. I have three feedback
items.

First, when using TLS_client_method(), also use SSL_OP_NO_SSLv3.
TLS_client_method() allows SSLv3. There's no need for SSLv3 nowadays.
SSL_OP_NO_SSLv3 gets set on the resulting context object:

    ssl_ctx = SSL_CTX_new(TLS_client_method());
    long flags = SSL_OP_NO_SSLv3;   /* refuse SSLv3 even if the library still supports it */
    SSL_CTX_set_options(ssl_ctx, flags);

Second, use SSL_OP_NO_COMPRESSION if possible. CRIME and BREACH showed
higher level protocols like HTTPS can leak information. There's no
sense in adding the attack surface when compression is not needed.
SSL_OP_NO_COMPRESSION gets set on the resulting context object:

    ssl_ctx = SSL_CTX_new(TLS_client_method());
    long flags = SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;   /* no SSLv3, no TLS compression */
    SSL_CTX_set_options(ssl_ctx, flags);

You might also look for badly configured TLS clients. These come from
folks who don't pay attention to configuration options in OpenSSL
1.0.1 and 1.0.2 (they are disabled by default in OpenSSL 1.1.x):

    long flags = 0;
    #ifdef SSL_OP_NO_SSLv2
        flags |= SSL_OP_NO_SSLv2;
    #endif
    #ifdef SSL_OP_NO_SSLv3
        flags |= SSL_OP_NO_SSLv3;
    #endif
    #ifdef SSL_OP_NO_COMPRESSION
        flags |= SSL_OP_NO_COMPRESSION;
    #endif

Third, use X509_V_FLAG_PARTIAL_CHAIN if possible. This allows someone
to root trust in an intermediate CA of their choosing, like Let's
Encrypt. Without X509_V_FLAG_PARTIAL_CHAIN , one needs to accept the
additional risk of the entire PKI of ISRG and IdentTrust. (Let's
Encrypt is an intermediate certificate, and it is cross-certified by
ISRG and IdentTrust).

More often than not in the HTTPS world, X509_V_FLAG_PARTIAL_CHAIN is
not used and the entire CA Zoo from cacert.pem is used. That means
users are accepting risk from the entire PKI of 137 CAs - client
certs, server certs, code signing certs, etc.

Being overly permissive in the trust department allowed Diginotar to
MitM Google users and other users. More recently Symantec was kicked
out of the Chrome and Mozilla CA program because they were issuing
certs for domains not under their administrative control. The failures
happen in practice.

To use X509_V_FLAG_PARTIAL_CHAIN , set the flag with
X509_VERIFY_PARAM_set_flags.

Jeff
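
The three settings above, applied to one client context, as an added example
that is not part of Jeff's post or of the ldns code. ldns configures its
context in C; Python's standard `ssl` module is a thin binding over the same
OpenSSL calls (SSL_CTX_new(TLS_client_method()), SSL_CTX_set_options,
X509_VERIFY_PARAM_set_flags), so each step names the C call it maps to and the
result can be inspected without a network connection. The `trust_anchor_pem`
argument is a placeholder for the intermediate certificate the caller wants to
root trust in; no certificate file is assumed to exist here. The permissive
variant is a constructed counterexample for the "badly configured client"
check, not something the post attributes to any real code.

```python
"""Hardened OpenSSL client context: no SSLv3, no compression, partial chain.

Added example (not ldns code).  Python's ssl module wraps the OpenSSL
context directly, so the comments give the C call each step corresponds to.
"""
import ssl
import warnings

# X509_V_FLAG_PARTIAL_CHAIN from OpenSSL's x509_vfy.h.  Python exposes it as
# ssl.VERIFY_X509_PARTIAL_CHAIN only from 3.10 on, so fall back to the raw
# OpenSSL value on older interpreters.
PARTIAL_CHAIN = getattr(ssl, "VERIFY_X509_PARTIAL_CHAIN", 0x80000)


def hardened_client_context(trust_anchor_pem=None):
    """SSL_CTX_new(TLS_client_method()) plus the post's three recommendations.

    trust_anchor_pem: placeholder path to the intermediate CA (e.g. a Let's
    Encrypt issuing certificate) that should be the sole root of trust.
    """
    # SSL_CTX_new(TLS_client_method()): negotiate the highest mutually
    # supported version.  PROTOCOL_TLS_CLIENT also turns on hostname
    # checking and CERT_REQUIRED, which partial-chain trust depends on.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

    # 1 & 2: SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION).
    # Python >= 3.10 deprecates the OP_NO_<version> bits in favour of
    # minimum_version (SSL_CTX_set_min_proto_version in OpenSSL 1.1.0+), so
    # set both: the option bits mirror the C code on the list, the floor is
    # the modern form.  OP_NO_COMPRESSION itself is not deprecated.
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= ssl.OP_NO_SSLv3 | ssl.OP_NO_COMPRESSION
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2

    # 3: X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_PARTIAL_CHAIN).
    # The verify_flags setter applies exactly that to the context's store.
    ctx.verify_flags |= PARTIAL_CHAIN

    # Root trust only in the caller's chosen anchor.  Deliberately do NOT
    # call ctx.load_default_certs(): that would pull in the whole system
    # bundle (the "CA Zoo") and defeat the point of PARTIAL_CHAIN.
    if trust_anchor_pem is not None:
        ctx.load_verify_locations(cafile=trust_anchor_pem)
    return ctx


def permissive_client_context():
    """Constructed counterexample: compression left on, peer not verified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options &= ~ssl.OP_NO_COMPRESSION   # SSL_CTX_clear_options(...)
    ctx.check_hostname = False              # must precede CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit(ctx):
    """Report the settings a reviewer would check on a client context."""
    return {
        "no_sslv3": bool(ctx.options & ssl.OP_NO_SSLv3),
        "no_compression": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "min_version": ctx.minimum_version,
        "partial_chain": bool(ctx.verify_flags & PARTIAL_CHAIN),
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("permissive", permissive_client_context())):
        print(name)
        for key, value in audit(ctx).items():
            print(f"  {key:16} {value}")
```

`audit()` is the part worth keeping around: run it against any context your
code builds and the missing SSL_OP_NO_* bits, a disabled peer check, or an
unset partial-chain flag show up before a connection is ever made.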


More information about the ldns-users mailing list