Disabling all pre-TLS-1.3 ciphers

Jordan Brown openssl at jordan.maileater.net
Wed Jan 10 00:08:28 UTC 2024 

I have a product that lets the customer select what TLS versions to
allow, and what TLS ciphers to allow.  (Of course, most of the time they
shouldn't mess with these settings, but sometimes the evolution of the
algorithm landscape requires it.)

So, simulating API calls from the command line, it's kind of sensible
that it's a problem if I disable all pre-1.3 ciphers while allowing all
protocol versions:

    $ /usr/openssl/3/bin/openssl s_server -cert foo.pem -key foo.key -cipher ''
    Call to SSL_CONF_cmd(-cipher, ) failed
    01000000:error:0A0000B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:
    ../../openssl-3.0.12/ssl/ssl_lib.c:2760:

That configuration is a problem because pre-1.3 versions are enabled,
but have no available ciphers.  Rejecting it seems reasonable.

Now let's restrict it to 1.3:

    $ /usr/openssl/3/bin/openssl s_server -cert foo.pem -key foo.key -tls1_3 -cipher ''
    Call to SSL_CONF_cmd(-cipher, ) failed
    01000000:error:0A0000B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:
    ../../openssl-3.0.12/ssl/ssl_lib.c:2760:

It's still rejected, but for no good reason:  there are no pre-1.3
ciphers available, but there are no pre-1.3 versions available either.

It seems that, paradoxically, I must always enable at least one pre-1.3
cipher, even if I only enable 1.3.

On the other hand, but less annoying in some ways, it appears that it's
perfectly OK to require TLS 1.3 but disable all TLS 1.3 ciphers:

    $ /usr/openssl/3/bin/openssl s_server -cert foo.pem -key foo.key -tls1_3 -ciphersuites ''
    Using default temp DH parameters
    ACCEPT

Presumably in this configuration no connection would ever succeed.

On the third hand, it's OK to require TLS 1.1 but enable only a TLS 1.2
cipher:

     $ /usr/openssl/3/bin/openssl s_server -cert foo.pem -key foo.key -tls1_1 -cipher AES128-SHA256
    Using default temp DH parameters
    ACCEPT

It seems to me that the first (that you can't disable all pre-1.3
ciphers, even when you disable all pre-1.3 versions) is a bug.  The
configuration is entirely sensible, but rejected.  The second is
arguably a bug, that a nonsensical configuration *isn't* rejected, but
that seems like a less serious error.  The third is also arguably a bug
on similar grounds.

The workaround would seem to be to always enable at least one pre-1.3
cipher (perhaps by leaving the default alone), even when pre-1.3
versions are all disabled.

I think the checks should be fixed to accept all sensible
configurations, and optionally to reject all nonsensical configurations.

(Note again that while I am demonstrating using the CLI, I expect that
the library behaves the same.)

Any thoughts?

-- 
Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20240110/77b0a8dd/attachment.htm>

More information about the openssl-users mailing list