
Cherokee Ignores SSL/TLS Protocols Supported by OpenSSL #1255

Open
rdratlos opened this issue Apr 3, 2021 · 4 comments

Comments

rdratlos commented Apr 3, 2021

SSL/TLS protocols are hardcoded in Cherokee. Neither at build time nor at run-time are the SSL/TLS protocols supported by the OpenSSL back-end checked. This may lead to the dangerous situation that OpenSSL encrypts HTTPS traffic using SSL/TLS encryption that is not explicitly supported by Cherokee. Current Cherokee, for example, does not support TLS protocol version 1.3, which requires ciphersuites for encryption that cannot be configured by Cherokee.

More and more OS distribution maintainers now control the security of their OpenSSL packages by deactivating unsafe SSL/TLS protocols at build time. For system administrators it is very difficult to identify the root cause of rejected HTTPS communication requests due to suddenly unavailable SSL/TLS protocols. OpenSSL provides only pretty cryptic notifications.

skinkie (Member) commented Apr 3, 2021

@rakuco you can choose which ciphers and protocols are supported at runtime. Is your statement here that it should not show the other options iff OpenSSL does not support them? I consider not supporting TLS 1.3 a separate issue.

@skinkie skinkie self-assigned this Apr 3, 2021
rdratlos pushed a commit to rdratlos/cherokee-webserver that referenced this issue Apr 3, 2021
SSL/TLS protocols are hardcoded in Cherokee. Neither at build time nor at run-
time SSL/TLS protocols that are supported by the OpenSSL back-end are being
checked. This may lead to the dangerous situation that OpenSSL encrypts HTTPS
traffic using an SSL/TLS encryption, which is not explicitly supported by
Cherokee. Current Cherokee for example does not support TLS protocol version
1.3, which requires ciphersuites for encryption that cannot be configured by
Cherokee.

More and more OS distribution maintainers now control security of their OpenSSL
packages by deactivating unsafe SSL/TLS protocols at build time. For system
administrators it is very difficult to identify the root cause for rejected
HTTPS communication requests due to suddenly unavailable SSL/TLS protocols.
OpenSSL provides only pretty cryptic notifications.

This patch implements the following improvements:
- Check SSL/TLS protocols supported by OpenSSL at build time
- configure displays and logs supported protocols
- Abort build with error message if unsupported protocols are detected
- Check SSL/TLS protocols supported by the actual OpenSSL back-end at runtime
- Log an error message if unsupported protocols are detected
- Command-line option -i provides more detailed information about OpenSSL
  + Build version and actually used version
  + Supported SSL/TLS protocols
  + Maintainer deactivated protocols
- Make SSL/TLS protocol information available to Cherokee Admin scripts
- Fix Cherokee Admin Advanced page to outline support of SSL/TLS protocols:
  + Mark deactivated protocols
  + Warn users if SSL/TLS protocols are detected that are not supported by
    Cherokee
  + Inform users if OpenSSL/libssl is not supported at all

Fixes: cherokee#1255

Signed-off-by: Thomas Reim <reimth@gmail.com>
rdratlos (Author) commented Apr 3, 2021

The following screenshots show the "new" configuration screens for SSL/TLS protocols, ciphers and ciphersuites:

[screenshot: admin_advanced5]

[screenshot: admin_vserver_security_ssl]

rdratlos (Author) commented Apr 3, 2021

And here is another one for system administrators that still have to operate the Cherokee webserver using legacy OpenSSL version 0.9.8:

[screenshot: Cherokee_w_OpenSSL0_9_8]

rdratlos (Author) commented Apr 3, 2021

With the above fix, cherokee -i now correctly reports the actual availability of SSL/TLS protocols:

Compilation
 Version: 1.2.104
 Compiled on: Apr  2 2021 11:20:09
 Arguments to configure:  '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--enable-os-string=Ubuntu' '--docdir=/usr/share/doc/cherokee-doc' '--with-wwwroot=/var/www' '--enable-trace' '--enable-pthread' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/cherokee-uV886k/cherokee-1.2.104=. -fstack-protector-strong -Wformat -Werror=format-security' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/build/cherokee-uV886k/cherokee-1.2.104=. -fstack-protector-strong -Wformat -Werror=format-security'
 OpenSSL support: libssl (OpenSSL 1.1.1f  31 Mar 2020)

Installation
 Deps dir: /usr/share/cherokee/deps
 Data dir: /usr/share/cherokee
 Icons dir: /usr/share/cherokee/icons
 Themes dir: /usr/share/cherokee/themes
 Plug-in dir: /usr/lib/x86_64-linux-gnu/cherokee
 Temporal dir: /tmp

Plug-ins
 Built-in: 

Support
 IPv6: yes
 Pthreads: yes
 Tracing: yes
 sendfile(): yes
 syslog(): yes
 Polling methods: epoll poll select 
 SSL/TLS: libssl (OpenSSL 1.1.1j  16 Feb 2021)
          supported protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 - default min. protocol: TLSv1.2
          protocols deactivated by maintainer: SSLv3
 TLS SNI: yes
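As an added example (not part of this issue or of Cherokee's own code), the Python helper below parses the SSL/TLS lines of the `cherokee -i` report quoted above and flags protocols an administrator has enabled in Cherokee that the OpenSSL back-end will not actually negotiate: maintainer-deactivated ones, ones the back-end does not offer, and ones below the back-end's default minimum. The list of enabled protocols passed to `audit()` and the handling of a literal "none" entry are assumptions, not behaviour the issue documents.

```python
PROTO_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Lines taken from the `cherokee -i` report quoted in the comment above.
CHEROKEE_INFO = """\
Support
 IPv6: yes
 SSL/TLS: libssl (OpenSSL 1.1.1j  16 Feb 2021)
          supported protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 - default min. protocol: TLSv1.2
          protocols deactivated by maintainer: SSLv3
 TLS SNI: yes
"""


def _split_list(text):
    """'SSLv3, TLSv1' -> ['SSLv3', 'TLSv1']; an empty list or 'none' (assumed) -> []."""
    items = [p.strip() for p in text.split(",")]
    return [p for p in items if p and p.lower() != "none"]


def parse_tls_support(report):
    """Pull back-end name, protocol lists and default minimum out of the report."""
    info = {"backend": None, "supported": [], "deactivated": [], "default_min": None}
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("SSL/TLS:"):
            info["backend"] = line.split(":", 1)[1].strip()
        elif line.startswith("supported protocols:"):
            protos, _, default = line.split(":", 1)[1].partition("- default min. protocol:")
            info["supported"] = _split_list(protos)
            info["default_min"] = default.strip() or None
        elif line.startswith("protocols deactivated by maintainer:"):
            info["deactivated"] = _split_list(line.split(":", 1)[1])
    return info


def audit(info, enabled):
    """Findings for each protocol enabled in Cherokee's config (hypothetical list)."""
    findings = []
    rank = {p: i for i, p in enumerate(PROTO_ORDER)}
    for proto in enabled:
        if proto in info["deactivated"]:
            findings.append(f"{proto}: deactivated by the OpenSSL package maintainer; "
                            f"handshakes limited to {proto} will be rejected")
        elif proto not in info["supported"]:
            findings.append(f"{proto}: not offered by {info['backend']}")
        elif info["default_min"] in rank and rank.get(proto, -1) < rank[info["default_min"]]:
            findings.append(f"{proto}: below the back-end's default minimum "
                            f"({info['default_min']}); verify the configured minimum allows it")
    return findings
```

Running `audit(parse_tls_support(CHEROKEE_INFO), ["SSLv3", "TLSv1", "TLSv1.2", "TLSv1.3"])` on the report above yields two findings, for SSLv3 (deactivated) and TLSv1 (below the TLSv1.2 default minimum), which is the information the cryptic OpenSSL handshake errors hide from administrators.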
