
Allow to configure permissible TLS protocol versions #620

Open
oberstet opened this issue Jan 30, 2016 · 11 comments

Comments

@oberstet (Contributor) commented Jan 30, 2016

Currently, the TLS protocol version to use is hard-coded to TLS v1.2 - and only that - here.

It's using twisted.internet.ssl.CertificateOptions.

It would be nice to allow users to configure a list of TLS protocol versions.

However, this depends on this Twisted issue being fixed.


@gregkeys

+1

@oberstet (Contributor, Author) commented Apr 8, 2016

I'll bump that to "bug level" as it affects users (stuff that did work now doesn't anymore).

@oberstet oberstet added bug and removed enhancement labels Apr 8, 2016
@oberstet (Contributor, Author) commented Apr 8, 2016

@hawkowl Any idea if/when Twisted would move forward rgd http://twistedmatrix.com/trac/ticket/6800?

If not, the stopgap solution for us would be to either default back to anything TLS >= 1.0 or to have a single (temporary?) switch where I can only choose between "TLS>=1.0" or "strictly TLS 1.2" ...

@hawkowl (Contributor) commented Apr 8, 2016

I can help move that ticket forward, just a matter of manpower :)

@oberstet (Contributor, Author) commented Apr 8, 2016

@hawkowl Yeah, as rock solid "security" is a top prio for CB, that would be awesome (means: we are sponsoring time for you to work on that).

However, as I am currently cleaning up issues, there are also a couple of remaining issues related to Python 3 / HTTP bridge / logging : https://github.com/crossbario/crossbar/issues?q=is%3Aopen+is%3Aissue+label%3Abug ;)

Some of these I would guess are not much work .. eg #604 - Last week (at that customer), I wanted to quickly hack together calling out (HTTP) from within PostgreSQL to CB's REST bridge .. and ran into this.

I would love to "finish" our efforts rgd Py 3 and the new shiny logging (now that it's in txaio, and most design/technical questions have been answered).

It's time for a "1.0" ..

@hawkowl (Contributor) commented Nov 21, 2016

Opened a PR for it in twisted/twisted#603...

@oberstet (Contributor, Author)

Great! So we can in turn let Crossbar.io users choose a specific set of TLS versions. Nice.

@oberstet (Contributor, Author)

FWIW, right now, I am leaning towards explicitly NOT allowing users to configure anything < TLS v1.2. Just to protect the innocent ;)

And before someone complains: yeah, I am aware of old Java <7, Windows XP, Android <4.1 etc - all of that is broken shit that should die out immediately. TLS 1.2 was released 2008 .. nearly 10 years ago.

@waterbug

TLS 1.1 still seems to be supported by default ... or am I missing something?
I'm running crossbar for my app at work and they tell me that scans show it supports TLS 1.1, so I checked crossbar running in my dev environment using nmap with the "ssl-enum-ciphers" option and it reports that TLSv1.1 and TLSv1.2 are both available ... is there a way to configure it to prohibit TLS 1.1?

@waterbug

I see that the latest code in crossbar common/twisted/endpoint.py has
raiseMinimumTo=TLSVersion.TLSv1_1
... so it seems it would be a simple change to make that TLSv1_2 ...

@oberstet (Contributor, Author)

Yeah, right! Bumping to raiseMinimumTo=TLSVersion.TLSv1_3 makes sense.
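The two halves of this thread, a configured protocol floor (raiseMinimumTo on twisted.internet.ssl.CertificateOptions) and a scanner report showing which versions a listener actually negotiates (nmap's ssl-enum-ciphers, as in @waterbug's comment), can be tied together with a small policy check. The following is an added example, not Crossbar.io or Twisted code: it uses the standard library's ssl.SSLContext.minimum_version in the role that raiseMinimumTo plays in Twisted, parses a constructed nmap report, and lists every version the scan found that the policy does not permit. The report text and the assumption that ssl-enum-ciphers prints one "|   <protocol>:" header per negotiated version are the author's constructions here.

```python
"""Minimum-TLS-version policy expressed with the standard library, plus a check
of scanner output against it.  Added example; not Crossbar.io or Twisted code.
ssl.SSLContext.minimum_version stands in for raiseMinimumTo on Twisted's
CertificateOptions."""
import re
import ssl

# Protocol names as nmap's ssl-enum-ciphers script prints them (assumption:
# one "|   <name>:" header line per negotiated protocol), mapped to ssl.TLSVersion.
NMAP_PROTOCOL_NAMES = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# TLS versions a minimum/maximum policy can span.  SSLv3 is deliberately absent:
# PROTOCOL_TLS_SERVER contexts disable it regardless of minimum_version.
TLS_VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]

_PROTOCOL_HEADER = re.compile(r"^\|\s+(SSLv3|TLSv1\.[0-3]):\s*$")

# Constructed sample of an `nmap --script ssl-enum-ciphers` report against a
# listener that still admits TLS 1.1, the situation described in this thread.
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE SERVICE
8080/tcp open  http-proxy
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""


def build_server_context(minimum_name="TLSv1_2"):
    """Server context whose floor is the named ssl.TLSVersion member.
    Same intent as raiseMinimumTo=TLSVersion.<name> in Twisted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion[minimum_name]
    return ctx


def permitted_versions(ctx):
    """TLS versions the context's min/max settings leave enabled.  The linked
    OpenSSL may additionally lack one of them (e.g. no TLS 1.3 before 1.1.1)."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:   # sentinel, not a real version
        lo = TLS_VERSIONS[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:   # sentinel, not a real version
        hi = TLS_VERSIONS[-1]
    return {v for v in TLS_VERSIONS if lo <= v <= hi}


def parse_nmap_ssl_enum(report):
    """Protocol versions the scanner managed to negotiate with the target."""
    found = set()
    for line in report.splitlines():
        m = _PROTOCOL_HEADER.match(line)
        if m:
            found.add(NMAP_PROTOCOL_NAMES[m.group(1)])
    return found


def scan_violations(report, ctx):
    """Names of versions the scan found that the policy does not permit."""
    offending = parse_nmap_ssl_enum(report) - permitted_versions(ctx)
    return sorted(v.name for v in offending)


if __name__ == "__main__":
    for floor in ("TLSv1_1", "TLSv1_2"):
        ctx = build_server_context(floor)
        print(floor, "policy permits",
              sorted(v.name for v in permitted_versions(ctx)),
              "- scan violations:", scan_violations(SAMPLE_NMAP_OUTPUT, ctx))
```

With the floor at TLSv1_1 (the value @waterbug found in endpoint.py) the sample scan raises no violation, while a TLSv1_2 floor flags the negotiated TLS 1.1. The same function is a cheap way to confirm, after a configuration change, that what the listener negotiates matches what the configuration is meant to allow.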
