Discussion:
Is it possible to disable SSLv3 for all openssl-enabled applications via settings in openssl.cnf?
Todd Pfaff
2014-10-15 21:56:09 UTC
Permalink
I'd like to be able to disable SSLv3 for all openssl-enabled applications
in a single configuration file if possible, so that this doesn't have to
be done for each application.

I realize that this could be done by building openssl from source but
I imagine it could also be possible to configure this via openssl.cnf.

I've done plenty of reading and searching today and haven't found any
documentation describing if and how this can be done.

There is an old thread here from 2011-09-02 with a similar question
in regard to SSLv2:

http://marc.info/?l=openssl-users&m=131498558227525&w=2

and if I understand what's said in that thread this can be done by
configuring the cipherlist in openssl.cnf to a set that limits the
available protocols (ie. set cipherlist to ciphers that don't include
SSL I guess).

However, also based on what's said in that thread, it sounds like the
setting of cipherlist in openssl.cnf doesn't necessarily limit an
application from using other openssl ciphers. Is that true? Or am I
misinterpreting what I read in that thread? And perhaps has the situation
changed since 2011-09-02?

Can anyone provide a clear example openssl.cnf that shows how this could
be done? If possible, preferably an example that is based on the default
/etc/pki/tls/openssl.cnf in a Centos 6.5 installation from this package:
openssl-1.0.1e-16.el6_5.15.x86_64.

Thanks,
tp
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
Salz, Rich
2014-10-15 22:31:40 UTC
Permalink
I'd like to be able to disable SSLv3 for all openssl-enabled applications in a
single configuration file if possible, so that this doesn't have to be done for
each application.
No it's not possible.

Not enhancement idea, tho.
--
Principal Security Engineer, Akamai Technologies
IM: rsalz-dbVaDHFsUTizQB+***@public.gmane.org Twitter: RichSalz

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
Salz, Rich
2014-10-15 22:53:14 UTC
Permalink
Post by Salz, Rich
Post by Todd Pfaff
I'd like to be able to disable SSLv3 for all openssl-enabled
applications in a single configuration file if possible, so that this
doesn't have to be done for each application.
No it's not possible.
Not enhancement idea, tho.
AARGH. "Nice" enhancement idea.

--
Principal Security Engineer, Akamai Technologies
IM: rsalz-dbVaDHFsUTizQB+***@public.gmane.org Twitter: RichSalz

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
Dmitry Belyavsky
2014-10-16 05:06:18 UTC
Permalink
Hello Rich,

Unfortunately not all applications read the openssl config file...
Post by Salz, Rich
Post by Salz, Rich
Post by Todd Pfaff
I'd like to be able to disable SSLv3 for all openssl-enabled
applications in a single configuration file if possible, so that this
doesn't have to be done for each application.
No it's not possible.
Not enhancement idea, tho.
AARGH. "Nice" enhancement idea.
--
Principal Security Engineer, Akamai Technologies
______________________________________________________________________
OpenSSL Project http://www.openssl.org
--
SY, Dmitry Belyavsky
Todd Pfaff
2014-10-16 12:15:56 UTC
Permalink
Does the openssl library not read the config file thereby enforcing
what is available to all applications that use the openssl library?
Or am I being too optimistic?

What behaviour exists within the openssl library when it is built and
configured with options to disable certain protocols or ciphers that
could not be duplicated with runtime configuration options? I realize
that those runtime configuration options may not yet exist - they do not
according to Rich's response to my previous email - but that is what I
was hoping for when I asked my question yesterday.

If this behaviour is not possible in openssl, I'm now wondering how
feasible it would be to interpose a library to intercept openssl calls
and modify application requests for protocols or ciphers.

tp
Post by Dmitry Belyavsky
Hello Rich,
Unfortunately not all applications read the openssl config file...
=20
Post by Salz, Rich
Post by Todd Pfaff
I'd like to be able to disable SSLv3 for all openssl-enabled
applications in a single configuration file if possible, so
that this
Post by Salz, Rich
Post by Todd Pfaff
doesn't have to be done for each application.
No it's not possible.
Not enhancement idea, tho.
AARGH.=A0 "Nice" enhancement idea.
--
Principal Security Engineer, Akamai Technologies
___________________________________________________________________=
___
Post by Dmitry Belyavsky
OpenSSL Project=A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =
=A0 =A0 =A0
Post by Dmitry Belyavsky
=A0http://www.openssl.org
User Support Mailing List=A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0
Automated List Manager=A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =
=A0 =A0
Post by Dmitry Belyavsky
=20
=20
=20
=20
--
SY, Dmitry Belyavsky
=20
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
Harakiri
2014-10-16 12:59:33 UTC
Permalink
Im getting the following error

using openssl x509 -inform DER -in cms_cert.der -text

140026491385512:error:100D7010:elliptic curve routines:ECKEY_PUB_DECODE:EC lib:ec_ameth.c:206:
140026491385512:error:0B07707D:x509 certificate routines:X509_PUBKEY_get:public key decode error:x_pubkey.c:164:

I found a message stating that:

"Your public key parameter field is set to NULL. It must either be an OID
to name the curve, or explicit parameters."


Does this apply to the pkey i have attached to this message too ?

Windows does not complain about the key tho.

Is the key RFC conform (its not mine, but i have to validate it) ?

Thanks
Salz, Rich
2014-10-16 13:30:53 UTC
Permalink
Does the openssl library not read the config file thereby enforcing what is
available to all applications that use the openssl library?
No it does not.
What behaviour exists within the openssl library when it is built and
configured with options to disable certain protocols or ciphers that could not
be duplicated with runtime configuration options?
Many things. Making a list of be an interesting and useful exercise, but nobody's ever done it.
If this behaviour is not possible in openssl, I'm now wondering how feasible it
would be to interpose a library to intercept openssl calls and modify
application requests for protocols or ciphers.
It would be highly platform specific, but it is fairly feasible. It won't catch everything. For example, an application could set the mode bits directly (we've seen it), rather than call SSL_ctrl().

The safest code is that which doesn't exist. #ifdef is a better defense, if you can afford it (some can't use it because they need runtime behavior control).
--
Principal Security Engineer, Akamai Technologies
IM: rsalz-dbVaDHFsUTizQB+***@public.gmane.org Twitter: RichSalz

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
Erwann Abalea
2014-10-16 08:42:51 UTC
Permalink
Would you like all your OpenSSL-enabled applications to be configured
all the same, with the same protocols and same ciphersuites?
--
Erwann ABALEA
Post by Todd Pfaff
I'd like to be able to disable SSLv3 for all openssl-enabled applications
in a single configuration file if possible, so that this doesn't have to
be done for each application.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
Todd Pfaff
2014-10-16 13:20:35 UTC
Permalink
Would you like all your OpenSSL-enabled applications to be configured all the
same, with the same protocols and same ciphersuites?
No. I was just wondering whether it was possible to exclude support for
SSLv3 at runtime in one place for all openssl-enabled applications, rather
than having to rebuild openssl from source to achieve this same result.

tp
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
Loading...