[ldns-users] OpenSSL context configuration

Willem Toorop willem at nlnetlabs.nl
Thu Feb 6 11:04:15 UTC 2020


This is very insightful, thanks!  Would it be possible for you to turn
these recommendations into a pull request on our github repo?

i.e.: https://github.com/NLnetLabs/ldns


On 05-02-2020 at 17:27, Jeffrey Walton via ldns-users wrote:
> Hi Everyone,
> 
> I was looking at the code used to configure a context.
> SSL_CTX_new(TLS_client_method()) is good to see. I have three feedback
> items.
> 
> First, when using TLS_client_method(), also use SSL_OP_NO_SSLv3.
> TLS_client_method() allows SSLv3. There's no need for SSLv3 nowadays.
> SSL_OP_NO_SSLv3 gets set on the resulting context object:
> 
>     /* TLS_client_method() negotiates the highest mutually supported
>      * version; the option below removes SSLv3 from that set. */
>     SSL_CTX *ssl_ctx = SSL_CTX_new(TLS_client_method());
>     long flags = SSL_OP_NO_SSLv3;
>     SSL_CTX_set_options(ssl_ctx, flags);
> 
> Second, use SSL_OP_NO_COMPRESSION if possible. CRIME and BREACH showed
> higher level protocols like HTTPS can leak information. There's no
> sense in adding the attack surface when compression is not needed.
> SSL_OP_NO_COMPRESSION gets set on the resulting context object:
> 
>     /* No SSLv3 and no TLS-level compression on the same context. */
>     SSL_CTX *ssl_ctx = SSL_CTX_new(TLS_client_method());
>     long flags = SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
>     SSL_CTX_set_options(ssl_ctx, flags);
> 
> You might also look for badly configured TLS clients. These come from
> folks who don't pay attention to configuration options in OpenSSL
> 1.0.1 and 1.0.2 (they are disabled by default in OpenSSL 1.1.x):
> 
>     /* Guard each option so the code still builds against an OpenSSL
>      * that does not define it; then pass flags to SSL_CTX_set_options
>      * as above. */
>     long flags = 0;
>     #ifdef SSL_OP_NO_SSLv2
>         flags |= SSL_OP_NO_SSLv2;
>     #endif
>     #ifdef SSL_OP_NO_SSLv3
>         flags |= SSL_OP_NO_SSLv3;
>     #endif
>     #ifdef SSL_OP_NO_COMPRESSION
>         flags |= SSL_OP_NO_COMPRESSION;
>     #endif
> 
> Third, use X509_V_FLAG_PARTIAL_CHAIN if possible. This allows someone
> to root trust in an intermediate CA of their choosing, like Let's
> Encrypt. Without X509_V_FLAG_PARTIAL_CHAIN, one needs to accept the
> additional risk of the entire PKI of ISRG and IdenTrust. (Let's
> Encrypt is an intermediate certificate, and it is cross-certified by
> ISRG and IdenTrust).
> 
> More often than not in the HTTPS world, X509_V_FLAG_PARTIAL_CHAIN is
> not used and the entire CA Zoo from cacert.pem is used. That means
> users are accepting risk from the entire PKI of 137 CAs - client
> certs, server certs, code signing certs, etc.
> 
> Being overly permissive in the trust department allowed DigiNotar to
> MitM Google users and other users. More recently Symantec was kicked
> out of the Chrome and Mozilla CA program because they were issuing
> certs for domains not under their administrative control. The failures
> happen in practice.
> 
> To use X509_V_FLAG_PARTIAL_CHAIN, set the flag with
> X509_VERIFY_PARAM_set_flags.
> 
> Jeff
> _______________________________________________
> ldns-users mailing list
> ldns-users at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/ldns-users
> 
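The three recommendations from the quoted message, put together in one place as an added example (editor's illustration, not code from the thread, from ldns, or from OpenSSL). It uses Python's standard ssl module because ssl.SSLContext is a thin wrapper over an OpenSSL SSL_CTX: ctx.options maps to SSL_CTX_set_options, so ssl.OP_NO_SSLv3 and ssl.OP_NO_COMPRESSION are SSL_OP_NO_SSLv3 and SSL_OP_NO_COMPRESSION, and ctx.verify_flags maps to X509_VERIFY_PARAM_set_flags, which is how X509_V_FLAG_PARTIAL_CHAIN is applied. The helper names, the trust_anchor_pem path and the audit function are assumptions made for the example; the constant 0x80000 is the value of X509_V_FLAG_PARTIAL_CHAIN in OpenSSL's x509_vfy.h and is only used as a fallback on Python versions that do not export ssl.VERIFY_X509_PARTIAL_CHAIN. No certificate is embedded; with no path given the system trust store is loaded.

```python
"""Hardened OpenSSL client context, mirroring the ldns-users thread."""
import ssl

# X509_V_FLAG_PARTIAL_CHAIN from OpenSSL's x509_vfy.h. Python exposes it
# as ssl.VERIFY_X509_PARTIAL_CHAIN from 3.10; older releases accept the
# raw bit in ctx.verify_flags, which is passed to X509_VERIFY_PARAM_set_flags.
PARTIAL_CHAIN = getattr(ssl, "VERIFY_X509_PARTIAL_CHAIN", 0x80000)


def make_client_context(trust_anchor_pem=None):
    """Return the equivalent of SSL_CTX_new(TLS_client_method()) plus the
    three items from the thread.

    trust_anchor_pem (assumed parameter): path to a PEM file holding the one
    CA, possibly an intermediate such as Let's Encrypt's, that should be the
    only root of trust. When given, the system CA bundle is NOT loaded and
    X509_V_FLAG_PARTIAL_CHAIN lets a chain end at that intermediate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

    # Item 1 and 2: SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION (SSLv2 too, for
    # builds that still define it). The version floor is set explicitly as
    # well, so TLS 1.0/1.1 are refused rather than merely SSLv3.
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_COMPRESSION
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2

    # A client must verify the chain and the hostname; without both, the
    # trust-store decisions below do not matter.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True

    # Item 3: X509_V_FLAG_PARTIAL_CHAIN, so an intermediate CA present in the
    # trust store terminates verification instead of requiring its root.
    ctx.verify_flags |= PARTIAL_CHAIN

    if trust_anchor_pem is not None:
        ctx.load_verify_locations(cafile=trust_anchor_pem)
    else:
        # Fallback: the whole system CA bundle (the "CA zoo" of the thread).
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def audit_client_context(ctx):
    """Return a list of hardening gaps in an existing context, the kind of
    check the thread suggests for spotting badly configured TLS clients.
    An empty list means all checks passed."""
    findings = []
    if not ctx.options & ssl.OP_NO_SSLv3:
        findings.append("SSLv3 not disabled (SSL_OP_NO_SSLv3 missing)")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled (CRIME/BREACH surface)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if not ctx.verify_flags & PARTIAL_CHAIN:
        findings.append("X509_V_FLAG_PARTIAL_CHAIN not set")
    return findings


if __name__ == "__main__":
    hardened = make_client_context()
    print("hardened context findings:", audit_client_context(hardened))
    # Deliberately weakened context, constructed here to show the audit.
    weak = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    weak.options = weak.options & ~int(ssl.OP_NO_COMPRESSION)
    weak.check_hostname = False
    weak.verify_mode = ssl.CERT_NONE
    for finding in audit_client_context(weak):
        print("weak context:", finding)
```

In C the same sequence is SSL_CTX_new(TLS_client_method()), SSL_CTX_set_options with the two flags, SSL_CTX_set_min_proto_version, and X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(ctx), X509_V_FLAG_PARTIAL_CHAIN) followed by SSL_CTX_load_verify_locations on the chosen anchor. Note that Python already sets SSL_OP_NO_SSLv3 and SSL_OP_NO_COMPRESSION on a fresh context, which is why the audit in the test below has to clear the compression bit by hand to produce a finding.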


