Version: (using KDE KDE 3.1)
Installed from: Compiled From Sources
OS: Linux

According to the recommendations in the TLS RFC2246 no ADH ciphers should be used since they are vulnerable to man-in-the-middle attacks:

From RFC2246 section 11.5 (A.5)

"The following cipher suites are used for completely anonymous Diffie-Hellman communications in which neither party is authenticated. Note that this mode is vulnerable to man-in-the-middle attacks and is therefore deprecated.

CipherSuite TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x17 };
CipherSuite TLS_DH_anon_WITH_RC4_128_MD5 = { 0x00,0x18 };
CipherSuite TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x19 };
CipherSuite TLS_DH_anon_WITH_DES_CBC_SHA = { 0x00,0x1A };
CipherSuite TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = { 0x00,0x1B };
"

The default settings in kcmcrypto enable the following 3 ADH modes:
ADH-DES-CBC3-SHA
ADH-DES-CBC-SHA
ADH-RC4-MD5

This enables any rogue web site intercepting your traffic to use these ciphers to establish a secure connection without providing any valid SSL certificate.

For comparison both Mozilla-1.2.1 & MSIE-5.5 make it impossible for the user to ever enable any ADH based cipher (at least through the cipher config UI dialogs)

I believe this is a security vulnerability so I have raised it at the highest "crash" priority so it hopefully gets fixed soon. At a minimum I think these ciphers should not be enabled by default. Perhaps they should be removed or generate a specific warning.

I have tried configuring a server to do "ADH" ciphers only and I can not get Konqueror to connect. It reports: "The process for the https://localhost protocol died unexpectedly." Perhaps there is another problem which prevents them being used.
Subject: Re: New: ADH ciphers should be disabled by default (vulnerable to MITM see RFC2246)

Thanks for the great bug report. I will disable ADH ciphers. I don't know why it crashes for you though. That's odd. Anyways I would have hoped that OpenSSL would have some information regarding this issue, or at least disable it and require a special flag to enable it. I'll disable ADH ciphers asap.

On Friday 14 February 2003 07:46, you wrote:
> According to the recommendations in the TLS RFC2246 no ADH ciphers should be
> used since they are vulnerable to man-in-the-middle attacks:
>
> From RFC2246 section 11.5 (A.5)
>
> "The following cipher suites are used for completely anonymous
> Diffie-Hellman communications in which neither party is
> authenticated. Note that this mode is vulnerable to man-in-the-middle
> attacks and is therefore deprecated.
>
> CipherSuite TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x17 };
> CipherSuite TLS_DH_anon_WITH_RC4_128_MD5 = { 0x00,0x18 };
> CipherSuite TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x19 };
> CipherSuite TLS_DH_anon_WITH_DES_CBC_SHA = { 0x00,0x1A };
> CipherSuite TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = { 0x00,0x1B };
> "
>
> The default settings in kcmcrypto enable the following 3 ADH modes:
> ADH-DES-CBC3-SHA
> ADH-DES-CBC-SHA
> ADH-RC4-MD5
>
> This enables any rogue web site intercepting your traffic to use these
> ciphers to establish a secure connection without providing any valid SSL
> certificate.
>
> For comparison both Mozilla-1.2.1 & MSIE-5.5 make it impossible for the
> user to ever enable any ADH based cipher (at least through the cipher
> config UI dialogs)
>
> I believe this is a security vulnerability so I have raised it at the
> highest "crash" priority so it hopefully gets fixed soon. At a minimum I
> think these ciphers should not be enabled by default. Perhaps they should
> be removed or generate a specific warning.
>
> I have tried configuring a server to do "ADH" ciphers only and I can not
> get Konqueror to connect. It reports: "The process for the
> https://localhost protocol died unexpectedly." Perhaps there is another
> problem which prevents them being used.
Subject: KDE_3_1_BRANCH: kdelibs/kio/kssl CVS commit by staikos: Fix #54634 Minor (arguably very minor) security impact. CCMAIL: 54634-done@bugs.kde.org M +21 -6 ksslsettings.cc 1.24.2.2 --- kdelibs/kio/kssl/ksslsettings.cc #1.24.2.1:1.24.2.2 @@ -149,8 +149,10 @@ QString clist = ""; if (k == 0) { // do v2, then v3 - if (!m_bUseSSLv2) continue; + if (!m_bUseSSLv2) + continue; m_cfg->setGroup("SSLv2"); } else { - if (!m_bUseSSLv3) continue; + if (!m_bUseSSLv3) + continue; m_cfg->setGroup("SSLv3"); } @@ -170,5 +172,6 @@ QString clist = ""; for(int i = 0;; i++) { SSL_CIPHER *sc = (meth->get_cipher)(i); - if (!sc) break;; + if (!sc) + break; tcipher.sprintf("cipher_%s", sc->name); int bits = d->kossl->SSL_CIPHER_get_bits(sc, NULL); @@ -176,7 +179,9 @@ QString clist = ""; if (m_cfg->readBoolEntry(tcipher, bits >= 56)) { CipherNode *xx = new CipherNode(sc->name,bits); - if (!cipherSort.contains(xx)) + if (!cipherSort.contains(xx)) { cipherSort.inSort(xx); - else delete xx; + } else { + delete xx; + } } // if } // for i @@ -209,4 +213,15 @@ QString clist = ""; #undef AdjustCipher + // Remove any ADH ciphers as per RFC2246 + for (unsigned int i = 0; i < cipherSort.count(); i++) { + CipherNode *j = 0L; + while ((j = cipherSort.at(i)) != 0L) { + if (j->name.left(3) == "ADH") { + cipherSort.remove(j); + } else { + break; + } + } + } // now assemble the list cipher1:cipher2:cipher3:...:ciphern
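Review bot: in the hunk at -176,7 the per-cipher default is still readBoolEntry(tcipher, bits >= 56), which depends only on key length, so an ADH cipher of 56 bits or more is still read as enabled and is only dropped later by the new loop. Either make the default false for anonymous-DH names at this point or add a comment here saying that the list is filtered afterwards, so the two places do not drift apart. The re-wrapping of the if/else statements and the removal of the stray semicolon in "break;;" would also be easier to review as a separate commit from the security change.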
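Review bot: in the last hunk, j->name.left(3) == "ADH" matches only names that begin with ADH, so any anonymous-DH cipher whose name carries ADH after another prefix stays in cipherSort; test for ADH anywhere in the name instead of at position 0. The nodes are allocated with new CipherNode(sc->name,bits) in the earlier hunk, so please confirm that cipherSort.remove(j) frees the node, otherwise every removed entry leaks. The outer for with the inner while can be a single loop that advances i only when nothing was removed, which is easier to check for skipped entries.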
From the look of the code above, it is disabling all "ADH*" ciphers. You might want to catch these two as well. They are not enabled by default since they are only 40bit:
EXP-ADH-DES-CBC-SHA
EXP-ADH-RC4-MD5

There is some more info as part of the Apache SSL FAQ at http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html

"I want to use Anonymous Diffie-Hellman (ADH) ciphers, but I always get ``no shared cipher'' errors?

In order to use Anonymous Diffie-Hellman (ADH) ciphers, it is not enough to just put ``ADH'' into your SSLCipherSuite. Additionally you have to build OpenSSL with ``-DSSL_ALLOW_ADH''. Because per default OpenSSL does not allow ADH ciphers for security reasons. So if you are actually enabling these ciphers make sure you are informed about the side-effects.
"
I was thinking the defaults in kdebase/kcontrol/crypto/crypto.cpp would be changed to not select them as one of the defaults. Am I correct in thinking that the patch above makes it impossible for the user to use ADH even if he chooses to enable it?

There are many other unsafe NULL ciphers which we still allow the user to select, I'm not sure I agree with completely disabling them. It is more confusing that the user can still enable them in the config tool and find that they still do not get used. Would it be better to add an "Allow unsafe ciphers" tickbox to the config?

I'll re-open the bug to remind you the two "EXP-ADH" ciphers should be dealt with as well (even if you decide to ignore the rest of this comment.)
Subject: Re: ADH ciphers should be disabled by default (vulnerable to MITM see RFC2246)

On Friday 14 February 2003 13:58, you wrote:
> ------- Additional Comments From jon_burgess@3com.com 2003-02-14 19:58
> ------- I was thinking the defaults in kdebase/kcontrol/crypto/crypto.cpp
> would be changed to not select them as one of the defaults. Am I correct in
> thinking that the patch above makes it impossible for the user to use ADH
> even if he chooses to enable it?

Yes ADH is disabled. I want to make the settings for SSL simpler, not more complex. They're already too complex, and most people agree with this. If the RFC says not to use ADH, then I want to disable it entirely rather than have people email saying that they want to use ADH and want to know why we discourage/disallow it. I'd rather pretend we don't have it at all.

> There are many other unsafe NULL ciphers which we still allow the user to
> select, I'm not sure I agree with completely disabling them. It is more
> confusing that the user can still enable them in the config tool and find
> that they still do not get used. Would it be better to add an "Allow unsafe
> ciphers" tickbox to the config?

No more config options is no option here.

> I'll re-open the bug to remind you the two "EXP-ADH" ciphers should be
> dealt with as well (even if you decide to ignore the rest of this comment.)

Thanks, done and reclosed. Thank you once again for the great report and good catch. I honestly did check for *ADH* but for some reason I managed to miss it so I thought that we only had ADH-* ciphers. Oops..
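
The name check this thread ends up needing, as an added example (not the KDE commit's code and not written by either participant): it contrasts the commit's starts-with-ADH test with a per-field test that also catches the EXP-ADH names, then assembles the colon-separated cipher list. The function names and the sample list are assumptions made for the illustration; the non-ADH cipher names in it are constructed input.

```cpp
// Added example, not KDE's code. Function names are hypothetical and the
// sample list is constructed; the ADH/EXP-ADH names are those quoted above.
#include <algorithm>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// The test used in the commit: only names that begin with "ADH" match.
bool prefixIsADH(const std::string &name) {
    return name.compare(0, 3, "ADH") == 0;
}

// Field test: split the OpenSSL name on '-' and look for an "ADH" field,
// so "EXP-ADH-RC4-MD5" matches while "EDH-RSA-DES-CBC3-SHA" does not.
bool hasADHField(const std::string &name) {
    std::istringstream in(name);
    std::string field;
    while (std::getline(in, field, '-')) {
        if (field == "ADH") return true;
    }
    return false;
}

// Drop every name the predicate flags, then join the rest as
// cipher1:cipher2:...:ciphern. erase/remove_if visits each element once,
// so no entry is skipped when adjacent entries are removed.
std::string buildCipherList(std::vector<std::string> names,
                            bool (*isAnonymous)(const std::string &)) {
    names.erase(std::remove_if(names.begin(), names.end(), isAnonymous),
                names.end());
    std::string out;
    for (const std::string &n : names) {
        if (!out.empty()) out += ':';
        out += n;
    }
    return out;
}

// Constructed configuration: every cipher ticked, export suites included.
std::vector<std::string> sampleEnabled() {
    return {"ADH-DES-CBC3-SHA", "EXP-ADH-DES-CBC-SHA", "DES-CBC3-SHA",
            "ADH-RC4-MD5", "EXP-ADH-RC4-MD5", "EDH-RSA-DES-CBC3-SHA"};
}

int main() {
    std::cout << buildCipherList(sampleEnabled(), prefixIsADH) << "\n";
    std::cout << buildCipherList(sampleEnabled(), hasADHField) << "\n";
    return 0;
}
```

With the prefix test the two EXP-ADH names remain in the assembled list; with the field test only the authenticated suites remain.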