[openssl-dev] [openssl.org #3616] [Patch] Implement option to disable sending TLS extensions
Hubert Kario
hkario at redhat.com
Tue Jan 27 11:33:21 UTC 2015
On Monday 26 January 2015 10:03:30 Brian Smith wrote:
> Hubert Kario <hkario at redhat.com> wrote:
> > Actually it does not introduce it as OpenSSL does send the notification as
> > TLS_EMPTY_RENEGOTIATION_INFO_SCSV, not the extension.
> >
> > On Sunday 30 November 2014 20:36:20 Richard Moore wrote:
> >> That would introduce security issues such as the TLS renegotiation flaw.
> >> Surely a better solution is to make servers that pretend to support TLS
> >> but
> >> actually only support SSL3 die a horrible death?
>
> I agree with Richard that this seems . In particular, the session hash
> / extended master secret [1] specification requires an extension to
> work securely.
which is not used by openssl by default...
> Not having the SNI extension is likely to cause
> security issues (using a different and perhaps though-of-as-unused
> certificate).
SNI needs to be set manually on a connection, many openssl consumers still
don't do it... and if you don't verify server certificate no amount of
extensions will help you
> Many servers use the values in the signature_algorithms
> extension to determine whether to use a SHA-2 or SHA-1 certificate,
Interesting, haven't seen such ones. Can you give examples?
Still, how can you test if the server does the sane thing if the client
doesn't provide signature_algorithms if you have such a server?
> so
> not sending signature_algorithms is likely to cause problems for any
> client that disables support for SHA-1 certificates.
exactly what every piece of documentation surrounding this option says
> Resolving these TLS (extension) intolerance issues requires collective
> action, and it would be great if OpenSSL could do its part by not
> adding features like this that exist purely to avoid participating in
> the collective action, especially when the added feature disables
> other important security features.
It's implemented not so that you can interoperate with them, I implemented it
so that you can detect *if* this is the reason why you can't interoperate with
them. Unfortunately it's rather hard to test interoperability without actually
being interoperable...
There are broken clients and there are broken servers and there are broken
middle boxes out there. The library already has stuff like
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which is *really* dangerous.
SSL_OP_NO_TLSEXT is less of an issue than export grade ciphers.
SSL_OP_NO_TLSEXT is the default mode of operation for 0.9.8, and I think we
can agree that while 0.9.8 is old it's still secure.
--
Regards,
Hubert Kario
More information about the openssl-dev
mailing list