openstack/security-doc
Code Issues Proposed changes

Correct line-wrapping width for OSSN-0045

Browse Source 
Security Notes are supposed to be line-wrapped at 72 characters to
allow the formatting to be preserved in popular mail clients.  This
corrects the line-wrapping width for OSSN-0045.

Change-Id: Ifec7dfa67febe3fdab793c4ca196841cb9c66ffe
This commit is contained in:
Nathan Kinder
2015-03-11 10:55:12 -07:00
parent e4936e60a4
commit eb29871f04
1 changed files with 48 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

91
security-notes/OSSN-0045
View File

@@ -2,12 +2,13 @@ Vulnerable clients allow a TLS protocol downgrade (FREAK)
--- ---
### Summary ### ### Summary ###
Some client-side libraries, including un-patched versions of OpenSSL, contain a Some client-side libraries, including un-patched versions of OpenSSL,
vulnerability which can allow a man-in-the-middle (MITM) to force a TLS version contain a vulnerability which can allow a man-in-the-middle (MITM) to
downgrade. Even though this vulnerability exists in the client side, an attack force a TLS version downgrade. Even though this vulnerability exists in
known as FREAK is exploitable when TLS servers offer weak cipher choices. This the client side, an attack known as FREAK is exploitable when TLS
security note provides guidance to mitigate the FREAK attack on the server side, servers offer weak cipher choices. This security note provides guidance
so that TLS provides reasonable security for even un-patched clients. to mitigate the FREAK attack on the server side, so that TLS provides
reasonable security for even un-patched clients.
### Affected Services / Software ### ### Affected Services / Software ###
Any service using TLS. Depending on the backend TLS library, this Any service using TLS. Depending on the backend TLS library, this
@@ -21,50 +22,54 @@ can include many components of an OpenStack cloud:
- Miscellaneous services (eventlet, syslog, ldap, smtp, etc) - Miscellaneous services (eventlet, syslog, ldap, smtp, etc)
### Discussion ### ### Discussion ###
TLS connections are established by a process known as a TLS handshake. During TLS connections are established by a process known as a TLS handshake.
this process a client first sends a message to the server known as "HELLO", During this process a client first sends a message to the server known
where among other things the client lists all of the TLS encryption ciphers it as "HELLO", where among other things the client lists all of the TLS
supports. In the next step, the server responds with its own "HELLO" packet, in encryption ciphers it supports. In the next step, the server responds
which the server picks one of the cipher options the client offered. After this with its own "HELLO" packet, in which the server picks one of the cipher
the client and server continue on to securely exchange a secret which becomes a options the client offered. After this the client and server continue on
master key. to securely exchange a secret which becomes a master key.
The FREAK attack exploits a flaw in client logic in which vulnerable clients The FREAK attack exploits a flaw in client logic in which vulnerable
don't actually check that the cipher which was selected by the server was one clients don't actually check that the cipher which was selected by the
they had offered in the first place. This creates the possibility that an server was one they had offered in the first place. This creates the
attacker on the network somewhere between the client and server can alter the possibility that an attacker on the network somewhere between the client
client's HELLO packet, removing all choices except for really weak ciphers known and server can alter the client's HELLO packet, removing all choices
as "export grade ciphers". If the server supports these weak ciphers, it will except for really weak ciphers known as "export grade ciphers". If the
(regretfully) chose it, as it appears that this is the only option that the server supports these weak ciphers, it will (regretfully) chose it, as
client supports, and send it back in the server HELLO message. it appears that this is the only option that the client supports, and
send it back in the server HELLO message.
Export grade ciphers are a legacy of a time when the US government prohibited Export grade ciphers are a legacy of a time when the US government
the export of cryptographic ciphers which were stronger than 512 bits for prohibited the export of cryptographic ciphers which were stronger than
asymmetric ciphers and 40 bits for symmetric ciphers. Today these ciphers are 512 bits for asymmetric ciphers and 40 bits for symmetric ciphers. Today
easily and quickly crackable using commodity hardware or cloud resources. these ciphers are easily and quickly crackable using commodity hardware
or cloud resources.
### Recommended Actions ### ### Recommended Actions ###
Since this is a vulnerability in client logic, the best option is to ensure that Since this is a vulnerability in client logic, the best option is to
all clients update to the latest version of the affected library. For more ensure that all clients update to the latest version of the affected
details about upgrading OpenSSL please see the link to the OpenSSL advisory in library. For more details about upgrading OpenSSL please see the link to
the "Further discussion" section below. Since it is unfeasible to assume that the OpenSSL advisory in the "Further discussion" section below. Since it
all clients have updated, we should also mitigate this on the TLS server-side. is unfeasible to assume that all clients have updated, we should also
mitigate this on the TLS server-side.
To mitigate the FREAK attack on the server side, we need to remove support for To mitigate the FREAK attack on the server side, we need to remove
any ciphers which are weak. This is to prevent a MITM from forcing the support for any ciphers which are weak. This is to prevent a MITM from
negotiation of a weak cipher. In particular we need to remove support for any forcing the negotiation of a weak cipher. In particular we need to
export grade ciphers, which are especially weak. remove support for any export grade ciphers, which are especially weak.
The first step is to find what versions your TLS server currently supports. The first step is to find what versions your TLS server currently
Two useful solutions exist for this: SSL Server Test at Qualys SSL Labs can be supports. Two useful solutions exist for this: SSL Server Test at
used to scan any web accessible endpoints, and SSLScan is a command line tool Qualys SSL Labs can be used to scan any web accessible endpoints, and
which attempts a TLS connection to a server with all possible cipher suites. SSLScan is a command line tool which attempts a TLS connection to a
Please see "tools" below for links to both. server with all possible cipher suites. Please see "tools" below for
links to both.
The specific steps required to configure which cipher suites are supported in a The specific steps required to configure which cipher suites are
TLS deployment depend on the software and configuration, and are beyond the supported in a TLS deployment depend on the software and configuration,
scope of this note. Some good starting places are provided below in the section: and are beyond the scope of this note. Some good starting places are
"Resources for configuring TLS options". provided below in the section: "Resources for configuring TLS options".
### Contacts / References ### ### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0045 This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0045