Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support for TLS 1.3 #46

Open
MaxXor opened this issue Sep 22, 2019 · 13 comments
Open

Support for TLS 1.3 #46

MaxXor opened this issue Sep 22, 2019 · 13 comments

Comments

@MaxXor
Copy link

MaxXor commented Sep 22, 2019

Hi, thanks a lot for your work. It would be nice if cryptcheck could support TLS 1.3.

@aeris
Copy link
Owner

aeris commented Sep 22, 2019

Hello!

It's currently not possible. I'm tied to OpenSSL 1.0.x to support old/deprecated ciphers like SSLv2 or RC4, but 1.2.x is required for TLSv1.3 which remove all deprecated world support with no way to reactivate it at build time. And there is no simple way to use 2 differents OpenSSL binding on the same ruby setup (OpenSSL support is built-in in Ruby core extension…).

I currently working on a pure ruby SSL/TLS stack to support both of the oldest and newest ciphers. But it's quite a long job to fully reimplement TLS 🤣

HLFH added a commit to HLFH/cryptcheck that referenced this issue Apr 9, 2020
Needs to be updated as seen here: https://www.openssl.org/source/
And because `cryptcheck` requires `openssl 1.0.x` as seen here: aeris#46 (comment)
aeris pushed a commit that referenced this issue Apr 13, 2020
Needs to be updated as seen here: https://www.openssl.org/source/
And because `cryptcheck` requires `openssl 1.0.x` as seen here: #46 (comment)
@HLFH
Copy link
Contributor

HLFH commented Nov 23, 2022

@aeris Hello! Are you still working on cryptcheck-engine? It does not have usage instructions in the README.

@aeris
Copy link
Owner

aeris commented Nov 23, 2022

o/ here.
Currently no more time to develop this part. It's not usable at all at the moment, not a single handshake is possible (close, but not done :D).
I hope to be able to have free time to work on it soon !

@stephenhodgkiss
Copy link

stephenhodgkiss commented Nov 30, 2022

@aeris - Have you looked any further into expanding the cypher's for TLSv1.3 ?

Reason I am asking is because after implementing SSL configs under Apache and checking with SSL Labs, I am getting an A+ grade with them. However, your site is only giving an E grade, If you need more specifics, please ask.

@aeris
Copy link
Owner

aeris commented Nov 30, 2022

Have you looked any further into expanding the cypher's for TLSv1.3 ?

Currently it's not at all possible. Supporting SSL and other broken TLS cipher supposed OpenSSL 1.0 or lower and TLSv1.3 OpenSSL 1.1 or better.
It needs a huge rework to achieve that and currently I have not enough time for that.
2 ways are possible :

  • splitting workers to check on 2 differents ruby stack using 2 differents OpenSSL binding. Some work already done but merging 2 results in one is not that easy
  • implementing a full compat pure ruby TLS engine. Currently in progress but it's a hard and long way, but the cleanest

Reason I am asking is because after implementing SSL configs under Apache and checking with SSL Labs, I am getting an A+ grade with them. However, your site is only giving an E grade, If you need more specifics, please ask.

I bet this E is not TLSv1.3 related but something else. You could check on the .json API to display many more information that the ones available on the .html page.

@stephenhodgkiss
Copy link

stephenhodgkiss commented Dec 1, 2022

Ok thank you for your quick reply. Regarding checking the .json API I can't do that, as I have not integrated your code myself; it has been implemented by SEARXNG and is now giving unreliable TLS grades.

You can see many users have their own instances here https://searx.space/

An example instance is search.trom.tf where the TLS grade has only an E but SSL Labs is reporting back an A+

@aeris
Copy link
Owner

aeris commented Dec 1, 2022

With .json API, i mean checking manually what check give the E scoring 😊
For example going here give you many more details than the ones available on the HTML page. In this case the grade is capped to E because presence of DHE negociation and so downgrade attack possible like this one.
Currently DHE support is dropped from every decent browser and it presence server side is now just a useless weak point of attack.

@stephenhodgkiss
Copy link

Thanks. I checked my particular URL and it returns: -

{"dh":false,"pfs":false,"rsa":false,"tlsv1_0":false,"tlsv1_1":false},"great":{"hsts":true},"warning":{"dhe":true,"hsts":false,"sha1":true},"critical":{"dh":false,"des":false,"dss":false,"md5":false,"rc4":false,"rsa":false,"null":false,"sslv2":false,"sslv3":false,"export":false,"sweet32":false,"md2_sign":false,"md4_sign":false,"md5_sign":false,"sha_sign":false,"anonymous":false,"mdc2_sign":false,"sha1_sign":false}}

@aeris
Copy link
Owner

aeris commented Dec 1, 2022

So the same, support for DHE & SHA1 cipher suite.

@stephenhodgkiss
Copy link

stephenhodgkiss commented Dec 1, 2022

My Apache2 SSL config now has:

SSLCipherSuite !DH:EECDH+AESGCM:EDH+AESGCM:AES256+EDH

This has resulted in A+ grades at your site and also SSL Labs. Thanks for your help, appreciated.

@aeris
Copy link
Owner

aeris commented Dec 1, 2022

I advice you a simple cipher suite : EECDH+CHACHA20:EECDH+AES:!AESCCM8:!SHA1
You got support for CHACHA20 and CCM cipher and remove sweet32 vulnerable CCM8 (currently not correctly reported in CryptCheck).
Just for information, ! negative cipher suite selector is bugged as fuck and should be avoided as far as possible, check the real effect of your selector with openssl ciphers :)

@Gunni
Copy link

Gunni commented Jun 5, 2024

How about dropping support for old stuff and adding it for tls 1.3, just label any support for old stuff as a fail 😁

@aeris
Copy link
Owner

aeris commented Jun 5, 2024

Because dropping support for old stuff is also not being able to detect it 🤣

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants