Disable SSLv3 and set cipher list for bozohttpd

To: tech-security%netbsd.org@localhost
Subject: Disable SSLv3 and set cipher list for bozohttpd
From: tr%vispaul.me@localhost
Date: Mon, 07 Dec 2015 22:07:12 -0500


Hi tech-security,

I noticed that bozohttpd doesn't disable SSLv3, and it doesn't
set a cipher list.  Making the changes below improved my Qualys
SSL Test[1] score from "C" to "A-".

I chose an intermediate compatibility cipher list as suggested by
Mozilla[2] and included it below. I'm sure that the patch below
needs some work (if its even usable as-is) but my main intention
was to start a discussion and find the best way to implement the
change if it makes sense.

Best,
Travis Paul

[1] https://www.ssllabs.com/ssltest/

[2]https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29


Index: ssl-bozo.c
===================================================================
RCS file: /cvsroot/src/libexec/httpd/ssl-bozo.c,v
retrieving revision 1.18
diff -u -r1.18 ssl-bozo.c
--- ssl-bozo.c  17 Jul 2014 06:27:52 -0000      1.18
+++ ssl-bozo.c  8 Dec 2015 02:16:13 -0000
@@ -48,6 +48,10 @@
 #define USE_ARG(x)     /*LINTED*/(void)&(x)
 #endif

+#ifndef BOZO_SSL_CIPHERS

+#define BOZO_SSL_CIPHERS"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"

+#endif
+
 /* this structure encapsulates the ssl info */
 typedef struct sslinfo_t {
        SSL_CTX                 *ssl_context;
@@ -196,6 +200,12 @@
        sslinfo->ssl_method = SSLv23_server_method();
        sslinfo->ssl_context = SSL_CTX_new(sslinfo->ssl_method);

+       SSL_CTX_set_options(sslinfo->ssl_context, SSL_OP_NO_SSLv3);
+

+ if (!SSL_CTX_set_cipher_list(sslinfo->ssl_context,BOZO_SSL_CIPHERS))

+               bozo_ssl_err(httpd, EXIT_FAILURE,
+                   "error setting cipher lis");
+
        if (NULL == sslinfo->ssl_context)
                bozo_ssl_err(httpd, EXIT_FAILURE,
                    "SSL context creation failed");

Follow-Ups:
- Re: Disable SSLv3 and set cipher list for bozohttpd
  - From: Joerg Sonnenberger
- Re: Disable SSLv3 and set cipher list for bozohttpd
  - From: Christos Zoulas

Prev by Date: NetBSD Security Advisory 2015-009: TCP LAST_ACK state memory exhaustion
Next by Date: Re: Disable SSLv3 and set cipher list for bozohttpd
Previous by Thread: NetBSD Security Advisory 2015-009: TCP LAST_ACK state memory exhaustion
Next by Thread: Re: Disable SSLv3 and set cipher list for bozohttpd
Indexes:

Home | Main Index | Thread Index | Old Index