Discussion:
Context options and SSL_MODE_SEND_FALLBACK_SCSV
Jeffrey Walton
2014-10-15 21:53:12 UTC
Permalink
I have a question on the intersection of Patch to mitigate
CVE-2014-3566 ("POODLE") [0] and context options.

If the context options are set to remove SSLv3:

SSL_CTX* ctx = ...
long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
SSL_CTX_set_options(ctx, flags);

Then is the following needed from [0]:

SSL_set_mode(ssl, SSL_MODE_SEND_FALLBACK_SCSV)

I suspect not, but I want to make sure I'm not missing something
obvious (or getting myself into a bad state).

[0] https://groups.google.com/d/msg/mailing.openssl.users/qq4Jc9SffAs/fYMLO8aF9cgJ
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
Salz, Rich
2014-10-15 22:01:38 UTC
Permalink
Post by Jeffrey Walton
SSL_set_mode(ssl, SSL_MODE_SEND_FALLBACK_SCSV)
You might care about fallback from TLS 1.2 (which has PFS) to TLS 1.1 (which doesn't).

I recommend that you always set that flag.

--
Principal Security Engineer, Akamai Technologies
IM: ***@jabber.me Twitter: RichSalz


Giuseppe D'Angelo
2014-10-16 20:12:48 UTC
Permalink
Hi,
Post by Salz, Rich
I recommend that you always set that flag.
Do I need to detect which OpenSSL version I have before setting that
flag (otherwise it would break the application) or can I always safely
set it on a SSL context?

In other words: I'd like to do something like

#ifndef SSL_MODE_SEND_FALLBACK_SCSV
#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L
#endif

SSL_CTX_set_mode(ctx, SSL_MODE_SEND_FALLBACK_SCSV)

in order to have my app always do "the right thing", without adding a
bunch of intricate version checks, and having it working automagically
when the system OpenSSL libraries get updated. Is it a good idea?

Thanks,
--
Giuseppe D'Angelo | giuseppe.dangelo-***@public.gmane.org | Software Engineer
KDAB (UK) Ltd., a KDAB Group company
Tel. UK +44-1738-450410, Sweden (HQ) +46-563-540090
KDAB - Qt Experts - Platform-independent software solutions
Salz, Rich
2014-10-16 23:11:13 UTC
Permalink
Post by Giuseppe D'Angelo
#ifndef SSL_MODE_SEND_FALLBACK_SCSV
#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L
#endif
That will not work. You can do this:
#ifdef SSL_MODE_SEND_FALLBACK_SCSV
SSL_CTX_set_mode(ctx, SSL_MODE_SEND_FALLBACK_SCSV)
#endif

But that is not the same thing.

You cannot just slip SCSV into an application without code changes to the application and to openssl.

--
Principal Security Engineer, Akamai Technologies
IM: ***@jabber.me Twitter: RichSalz

Giuseppe D'Angelo
2014-10-17 08:10:03 UTC
Permalink
Post by Salz, Rich
#ifdef SSL_MODE_SEND_FALLBACK_SCSV
SSL_CTX_set_mode(ctx, SSL_MODE_SEND_FALLBACK_SCSV)
#endif
But that is not the same thing.
You cannot just slip SCSV into an application without code changes to the application and to openssl.
Yep, and the problem is that I control the application, not which
OpenSSL version is installed. Therefore I wanted to future-proof my
application, so when OpenSSL gets upgraded to a version which supports
SSL_MODE_SEND_FALLBACK_SCSV, everything will work *without* also
recompiling the application.

Thus: the manual #define and the call in all cases. I'm fine if it's a
no-op if OpenSSL doesn't support SSL_MODE_SEND_FALLBACK_SCSV, the
important thing is that it doesn't break anything...

Thanks,
--
Giuseppe D'Angelo | giuseppe.dangelo-***@public.gmane.org | Software Engineer
KDAB (UK) Ltd., a KDAB Group company
Tel. UK +44-1738-450410, Sweden (HQ) +46-563-540090
KDAB - Qt Experts - Platform-independent software solutions
Florian Weimer
2014-10-17 09:05:15 UTC
Permalink
Post by Giuseppe D'Angelo
Yep, and the problem is that I control the application, not which
OpenSSL version is installed. Therefore I wanted to future-proof my
application, so when OpenSSL gets upgraded to a version which supports
SSL_MODE_SEND_FALLBACK_SCSV, everything will work *without* also
recompiling the application.
Thus: the manual #define and the call in all cases. I'm fine if it's a
no-op if OpenSSL doesn't support SSL_MODE_SEND_FALLBACK_SCSV, the
important thing is that it doesn't break anything...
Do you downgrade the support protocols on handshake failures, like web
browsers do?

If not, then you cannot use SSL_MODE_SEND_FALLBACK_SCSV in any way, and
you do not need it, either.
--
Florian Weimer / Red Hat Product Security
Giuseppe D'Angelo
2014-10-17 21:40:07 UTC
Permalink
Post by Florian Weimer
Do you downgrade the support protocols on handshake failures, like web
browsers do?
Not explicitly. I think it's my fault at understanding the issue -- I
somehow thought that could be the case when using

SSL_CTX_new(SSLv23_client_method())

which is what I actually have in the code.
Post by Florian Weimer
If not, then you cannot use SSL_MODE_SEND_FALLBACK_SCSV in any way, and
you do not need it, either.
Ok, then I definitely misunderstood Rich's suggestion (earlier in the
thread) about "I recommend that you always set that flag.".

Thank you for the clarifications.

Regards,
--
Giuseppe D'Angelo | giuseppe.dangelo-***@public.gmane.org | Software Engineer
KDAB (UK) Ltd., a KDAB Group company
Tel. UK +44-1738-450410, Sweden (HQ) +46-563-540090
KDAB - Qt Experts - Platform-independent software solutions
Salz, Rich
2014-10-17 13:06:39 UTC
Permalink
Post by Salz, Rich
Post by Jeffrey Walton
SSL_set_mode(ssl, SSL_MODE_SEND_FALLBACK_SCSV)
You might care about fallback from TLS 1.2 (which has PFS) to TLS 1.1 (which
doesn't).
I recommend that you always set that flag.
Two clarifications: TLS 1.2 (with AEAD) to TLS 1.1 (doesn't). Or TLS 1.1 (PFS) to TLS 1.0.

And by always, I meant always set it whenever you fall back. Not always every single time. :)


--
Principal Security Engineer, Akamai Technologies
IM: ***@jabber.me Twitter: RichSalz
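
Added example (not from any poster in this thread and not OpenSSL code): a self-contained C model of the rule the thread converges on, using the TLS_FALLBACK_SCSV cipher suite value and inappropriate_fallback alert from RFC 7507. The function names and the sample cipher suite list are constructed for illustration; the point where client_sends_scsv() returns 1 is where an OpenSSL client that retries at a lower version would call SSL_set_mode(ssl, SSL_MODE_SEND_FALLBACK_SCSV).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS_FALLBACK_SCSV            0x5600u /* RFC 7507 signalling cipher suite */
#define ALERT_INAPPROPRIATE_FALLBACK 86      /* RFC 7507 fatal alert */
#define TLS1_0 0x0301u                       /* wire protocol versions */
#define TLS1_2 0x0303u

/* Client rule: signal only on a retry that offers less than the client's own
 * best version. A client that never retries lower never sends the SCSV. */
int client_sends_scsv(uint16_t offered, uint16_t client_best)
{
    return offered < client_best;
}

/* Scan a ClientHello cipher_suites vector (2 bytes per suite, big endian)
 * for TLS_FALLBACK_SCSV. A trailing odd byte is ignored, never read past. */
int has_fallback_scsv(const uint8_t *suites, size_t len)
{
    for (size_t i = 0; i + 1 < len; i += 2)
        if ((((unsigned)suites[i] << 8) | suites[i + 1]) == TLS_FALLBACK_SCSV)
            return 1;
    return 0;
}

/* Server rule: return 0 to continue the handshake, or the alert to send. */
int server_fallback_check(uint16_t client_version, uint16_t server_best,
                          const uint8_t *suites, size_t len)
{
    if (has_fallback_scsv(suites, len) && server_best > client_version)
        return ALERT_INAPPROPRIATE_FALLBACK;
    return 0;
}

/* One client attempt against one server, using a constructed suite list:
 * two ordinary suites (0xC02F, 0x002F) followed by the SCSV (0x5600). */
int attempt(uint16_t offered, uint16_t client_best, uint16_t server_best)
{
    const uint8_t suites[6] = { 0xC0, 0x2F, 0x00, 0x2F, 0x56, 0x00 };
    size_t len = client_sends_scsv(offered, client_best) ? 6 : 4;
    return server_fallback_check(offered, server_best, suites, len);
}

int main(void)
{
    printf("first try: %d, forced retry at TLS 1.0: %d\n",
           attempt(TLS1_2, TLS1_2, TLS1_2), attempt(TLS1_0, TLS1_2, TLS1_2));
    return 0;
}
```

The retry cases never involve SSLv3, which is why disabling SSLv3 in the context options does not by itself cover a client that falls back between TLS versions.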
