From patchwork Tue Dec 4 12:00:08 2018
X-Patchwork-Submitter: Andrej Shadura
X-Patchwork-Id: 1007586
From: Andrej Shadura
To: hostap@lists.infradead.org
Cc: 911297@bugs.debian.org, 907518@bugs.debian.org, Kurt Roeckx
Subject: [RFC] Disable TLSv1.0 by default, but allow enabling it
Date: Tue, 4 Dec 2018 13:00:08 +0100
Message-Id: <20181204120008.6115-1-andrew.shadura@collabora.co.uk>

From: Andrej Shadura

This patch is not intended to be merged into the upstream code, but I would still like to receive comments from people involved in development.

In the Debian bug reports #907518 and #911297 (see below), people complained that OpenSSL 1.1.1 disables TLSv1.0 and some other insecure settings by default, but some older networks may still require their support:

    wpa_supplicant[523]: OpenSSL: pending error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
    wpa_supplicant[523]: OpenSSL: pending error: error:140C800D:SSL routines:SSL_use_certificate_file:ASN1 lib
    wpa_supplicant[523]: OpenSSL: pending error: error:140C618E:SSL routines:SSL_use_certificate:ca md too weak
    wpa_supplicant[523]: TLS: Failed to set TLS connection parameters
    wpa_supplicant[523]: EAP-TLS: Failed to initialize SSL.
    wpa_supplicant[523]: wlp4s0: EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)

Some of those issues can be overridden by adding

    openssl_ciphers=DEFAULT@SECLEVEL=1

to the wpa config, but e.g. Kurt Roeckx complained that the minimum TLS version is still 1.2:

    ssl_choose_client_version:version too low

Unlike ciphers, that cannot be overridden in the wpa config, since tls_disable_tlsv1_0 only allows disabling TLS versions, not enabling them back if the default version is too high.

I intend to apply the patch below to wpa in Debian, which will enable switching TLSv1.0 back if necessary by adding tls_disable_tlsv1_0=0 to the config.

As I don't possess much knowledge of OpenSSL, and I would like to avoid a potential repeat of the weak security issue Debian had in the past, I'd like people here to have a look and comment on this.

Thanks in advance.

Andrej

References:
[1]: https://bugs.debian.org/907518
[2]: https://bugs.debian.org/911297

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index 0d5ebda..39994f7 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c 
@@ -2498,8 +2498,10 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags, #ifdef SSL_OP_NO_TLSv1 if (flags & TLS_CONN_DISABLE_TLSv1_0) SSL_set_options(ssl, SSL_OP_NO_TLSv1); - else + else { + SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION); SSL_clear_options(ssl, SSL_OP_NO_TLSv1); + } #endif /* SSL_OP_NO_TLSv1 */ #ifdef SSL_OP_NO_TLSv1_1 if (flags & TLS_CONN_DISABLE_TLSv1_1) diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c index 0de1315..d4fb454 100644 --- a/src/eap_peer/eap_tls_common.c +++ b/src/eap_peer/eap_tls_common.c @@ -151,6 +151,10 @@ static int eap_tls_params_from_conf(struct eap_sm *sm, struct eap_peer_config *config, int phase2) { os_memset(params, 0, sizeof(*params)); + + /* Debian change: disable TLSv1.0 by default but allow overriding it */ + params->flags |= TLS_CONN_DISABLE_TLSv1_0; + if (sm->workaround && data->eap_type != EAP_TYPE_FAST) { /* * Some deployed authentication servers seem to be unable to
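
Review bot: in the tls_set_conn_flags hunk (src/crypto/tls_openssl.c), the added call SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION) passes ssl, which the neighbouring SSL_set_options(ssl, ...) and SSL_clear_options(ssl, ...) calls use as a per-connection SSL object, to a function that expects an SSL_CTX. Use SSL_set_min_proto_version(ssl, TLS1_VERSION) so the minimum is lowered on this connection only. The call is also guarded only by #ifdef SSL_OP_NO_TLSv1, while the min/max protocol version API was introduced in OpenSSL 1.1.0, so it needs its own version guard for older builds. Its return value should be checked and logged on failure, since a silent failure leaves the library default in force and the user still sees "version too low" with no hint why.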
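
Review bot: in the eap_tls_params_from_conf hunk (src/eap_peer/eap_tls_common.c), params->flags |= TLS_CONN_DISABLE_TLSv1_0 is set unconditionally right after os_memset, and nothing in the visible lines clears it again. The description relies on tls_disable_tlsv1_0=0 re-enabling TLSv1.0, so please confirm that the phase1 parsing that runs later in this function handles the =0 form by clearing the flag, and not only the =1 form by setting it; otherwise the else branch added in tls_openssl.c would never be taken for connections configured through this function. Since this changes the default away from upstream, the new default and the override belong in the configuration documentation as well as in the code comment.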