From patchwork Sun Jan 21 01:28:57 2018
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 1621
Date: Sat, 20 Jan 2018 15:28:57 +0100
From: Peter Müller
To: "development@lists.ipfire.org"
Subject: [PATCH] set OpenSSL DEFAULT cipher list to secure value
Message-ID: <20180120152857.538069c6.peter.mueller@link38.eu>

Only use secure cipher list for the OpenSSL DEFAULT list:

* ECDSA is preferred over RSA since it is faster and more scalable
* TLS 1.2 suites are preferred over anything older
* weak ciphers such as RC4 and 3DES have been eliminated
* AES-GCM is preferred over AES-CBC (known as "mac-then-encrypt" problem)
* ciphers without PFS are moved to the end of the cipher list

The DEFAULT cipher list is now ("openssl ciphers -v"):

ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1

This has been discussed at 2017-12-04 (https://wiki.ipfire.org/devel/telco/2017-12-04).

Signed-off-by: Peter Müller
Cc: Michael Tremer
---
 lfs/openssl                                   |  2 +-
 src/patches/openssl-1.0.2n-weak-ciphers.patch | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 src/patches/openssl-1.0.2n-weak-ciphers.patch

diff --git a/lfs/openssl b/lfs/openssl index 6050768ec..65d738d0f 100644 --- a/lfs/openssl +++ b/lfs/openssl @@ -126,7 +126,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.0-beta5-enginesdir.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2a-rpmbuild.patch - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2h-weak-ciphers.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2n-weak-ciphers.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2g-disable-sslv2v3.patch # i586 specific patches 
diff --git a/src/patches/openssl-1.0.2n-weak-ciphers.patch b/src/patches/openssl-1.0.2n-weak-ciphers.patch new file mode 100644 index 000000000..9fb4051e3 --- /dev/null +++ b/src/patches/openssl-1.0.2n-weak-ciphers.patch @@ -0,0 +1,12 @@ +diff -Naur openssl-1.0.2n-orig/ssl/ssl.h openssl-1.0.2n/ssl/ssl.h +--- openssl-1.0.2n-orig/ssl/ssl.h 2017-12-07 14:16:42.000000000 +0100 ++++ openssl-1.0.2n/ssl/ssl.h 2018-01-20 11:56:02.477927590 +0100 +@@ -338,7 +338,7 @@ + * The following cipher list is used by default. It also is substituted when + * an application-defined cipher list string starts with 'DEFAULT'. + */ +-# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2" ++# define SSL_DEFAULT_CIPHER_LIST "kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+kRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!kECDH:!IDEA:!SEED:!RC4:!kDH:!DSS" + /* + * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always + * starts with a reasonable order, and all we have to do for DEFAULT is
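
Review bot: src/patches/openssl-1.0.2h-weak-ciphers.patch is left behind by the lfs/openssl hunk: the patch line there switches to the 1.0.2n file, yet the diffstat shows only two files changed and one create mode, with no deletion. Suggest removing the 1.0.2h file in the same commit, or recording the change as a rename so the history follows the file.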
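
Review bot: The explicit !SSLv2 exclusion is gone from the new SSL_DEFAULT_CIPHER_LIST in the ssl.h hunk of openssl-1.0.2n-weak-ciphers.patch; the removed define ended with it and the added string has no protocol-level exclusion. If the !MD5, !RC4, !3DES and !IDEA terms are meant to cover those suites, say so in the commit message; otherwise keep !SSLv2 in the string. The embedded patch also has no description header, so a short line stating what the string is for would help whoever rebases it onto the next OpenSSL release.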
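
The exclusion and ordering claims in the commit message above can be checked mechanically against "openssl ciphers -v" output. The Python check below is an added example, not part of the original mail or of IPFire's code; its function names are illustrative and its sample is nine rows copied from the listing in the message.

```python
import re

# Added example; names are illustrative. Sample: nine rows copied, in order, from
# the "openssl ciphers -v" listing in the commit message (the full list has 28 rows).
SAMPLE = """\
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
"""

ROW = re.compile(r"\s*(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)"
                 r"\s+Enc=([^()\s]+)(?:\((\d+)\))?\s+Mac=(\S+)")
KEYS = ("name", "proto", "kx", "au", "enc", "bits", "mac")
PFS_KX = {"ECDH", "DH"}        # Kx values the listing shows for ECDHE/DHE suites
WEAK_ENC = {"RC4", "3DES", "DES", "None"}


def parse(text):
    """Turn 'openssl ciphers -v' rows into dicts, keeping list order."""
    return [dict(zip(KEYS, m.groups())) for m in map(ROW.match, text.splitlines()) if m]


def audit(rows):
    """Check two properties the commit message states; empty result means pass."""
    findings = [f"weak suite present: {r['name']}"
                for r in rows if r["enc"] in WEAK_ENC or r["mac"] == "MD5"]
    pfs = [r["kx"] in PFS_KX for r in rows]
    if False in pfs:
        first_static = pfs.index(False)
        findings += [f"PFS suite ranked after non-PFS: {r['name']}"
                     for r, ok in zip(rows[first_static:], pfs[first_static:]) if ok]
    return findings


def non_aead_above_aead(rows):
    """Non-AEAD suites that outrank an AEAD suite with the same Kx/Au pair."""
    return [r["name"] for i, r in enumerate(rows) if r["mac"] != "AEAD" and any(
        s["mac"] == "AEAD" and (s["kx"], s["au"]) == (r["kx"], r["au"])
        for s in rows[i + 1:])]


if __name__ == "__main__":
    rows = parse(SAMPLE)
    print(audit(rows) or "exclusions and PFS ordering hold")
    print("non-AEAD ranked above AEAD:", non_aead_above_aead(rows))
```

On the sampled rows both audited properties hold, and the second function reports the one CBC suite that sits above a GCM suite of the same key exchange and authentication type.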