From 6ca8d0a42af5d8e29ebbb5a84e2e16ab5d18f48a Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Wed, 15 Aug 2018 17:00:41 -0400 Subject: [PATCH] Update SSL option/bug bits and related docs Sorted documented lists of supported values, and documented more extant values. Added: - ENABLE_MIDDLEBOX_COMPAT (as option to enable in the future, disabling the present default is not yet possible). - NO_RENEGOTIATION (some folks want this to guard against CPU exhaustion, we don't yet have rate limit support for this). - NO_SESSION_RESUMPTION_ON_RENEGOTIATION - PRIORITIZE_CHACHA - TLSEXT_PADDING (enable or disable) --- postfix/proto/TLS_README.html | 28 ++++++----------- postfix/proto/postconf.proto | 59 ++++++++++++++++++++++++----------- postfix/src/tls/tls_misc.c | 43 +++++++++++++++++++++++++ 3 files changed, 93 insertions(+), 37 deletions(-) diff --git a/postfix/proto/TLS_README.html b/postfix/proto/TLS_README.html index cca0630d2..8bfcd339f 100644 --- a/postfix/proto/TLS_README.html +++ b/postfix/proto/TLS_README.html @@ -923,12 +923,13 @@ handshake procedures.

With Postfix 2.8 and later, the tls_disable_workarounds parameter -specifies a list or bit-mask of OpenSSL bug work-arounds to disable. This -may be necessary if one of the work-arounds enabled by default in -OpenSSL proves to pose a security risk, or introduces an unexpected -interoperability issue. Some bug work-arounds known to be problematic -are disabled in the default value of the parameter when linked with -an OpenSSL library that could be vulnerable.

+specifies a list or bit-mask of default-enabled OpenSSL bug +work-arounds to disable. This may be necessary if one of the +work-arounds enabled by default in OpenSSL proves to pose a security +risk, or introduces an unexpected interoperability issue. The list +of enabled bug work-arounds is OpenSSL-release-specific. See the +tls_disable_workarounds parameter documentation for the list of +supported values.

Example:

@@ -946,19 +947,8 @@ more of the named options below, or a hexadecimal bitmask of options found in the ssl.h file corresponding to the run-time OpenSSL library. While it may be reasonable to turn off all bug workarounds (see above), it is not a good idea to attempt to turn on all features. -

- -
- -
LEGACY_SERVER_CONNECT
See SSL_CTX_set_options(3).
- -
NO_TICKET
See SSL_CTX_set_options(3).
- -
NO_COMPRESSION
Disable SSL compression even if -supported by the OpenSSL library. Compression is CPU-intensive, -and compression before encryption does not always improve security.
- -
+See the tls_ssl_options parameter documentation for the list of +supported values.

Example:

diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index e4f19e4d2..a96056df2 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -14926,44 +14926,46 @@ you can only disable one of these via the hexadecimal syntax above.

-
MICROSOFT_SESS_ID_BUG
See SSL_CTX_set_options(3)
+
CRYPTOPRO_TLSEXT_BUG
New with GOST support in +OpenSSL 1.0.0.
-
NETSCAPE_CHALLENGE_BUG
See SSL_CTX_set_options(3)
+
DONT_INSERT_EMPTY_FRAGMENTS
See +SSL_CTX_set_options(3)
LEGACY_SERVER_CONNECT
See SSL_CTX_set_options(3)
-
NETSCAPE_REUSE_CIPHER_CHANGE_BUG
also aliased -as CVE-2010-4180. Postfix 2.8 disables this work-around by -default with OpenSSL versions that may predate the fix. Fixed in -OpenSSL 0.9.8q and OpenSSL 1.0.0c.
- -
SSLREF2_REUSE_CERT_TYPE_BUG
See -SSL_CTX_set_options(3)
-
MICROSOFT_BIG_SSLV3_BUFFER
See SSL_CTX_set_options(3)
+
MICROSOFT_SESS_ID_BUG
See SSL_CTX_set_options(3)
+
MSIE_SSLV2_RSA_PADDING
also aliased as CVE-2005-2969. Postfix 2.8 disables this work-around by default with OpenSSL versions that may predate the fix. Fixed in OpenSSL 0.9.7h and OpenSSL 0.9.8a.
+
NETSCAPE_CHALLENGE_BUG
See SSL_CTX_set_options(3)
+ +
NETSCAPE_REUSE_CIPHER_CHANGE_BUG
also aliased +as CVE-2010-4180. Postfix 2.8 disables this work-around by +default with OpenSSL versions that may predate the fix. Fixed in +OpenSSL 0.9.8q and OpenSSL 1.0.0c.
+
SSLEAY_080_CLIENT_DH_BUG
See SSL_CTX_set_options(3)
-
TLS_D5_BUG
See SSL_CTX_set_options(3)
+
SSLREF2_REUSE_CERT_TYPE_BUG
See +SSL_CTX_set_options(3)
TLS_BLOCK_PADDING_BUG
See SSL_CTX_set_options(3)
+
TLS_D5_BUG
See SSL_CTX_set_options(3)
+
TLS_ROLLBACK_BUG
See SSL_CTX_set_options(3). This is disabled in OpenSSL 0.9.7 and later. Nobody should still be using 0.9.6!
-
DONT_INSERT_EMPTY_FRAGMENTS
See -SSL_CTX_set_options(3)
- -
CRYPTOPRO_TLSEXT_BUG
New with GOST support in -OpenSSL 1.0.0.
+
TLSEXT_PADDING
Postfix ≥ 3.4. See SSL_CTX_set_options(3).
@@ -16043,18 +16045,39 @@ in its value are enabled (see openssl/ssl.h and SSL_CTX_set_options(3)). You can only enable options not already controlled by other Postfix settings. For example, you cannot disable protocols or enable server cipher preference. Do not attempt to turn all features by -specifying 0xFFFFFFFF, this is unlikely to be a good idea.

+specifying 0xFFFFFFFF, this is unlikely to be a good idea. Some +bug work-arounds are also valid here, allowing them to be re-enabled +if/when they're no longer enabled by default. The supported values +include:

+
ENABLE_MIDDLEBOX_COMPAT
Postfix ≥ 3.4. See +SSL_CTX_set_options(3).
+
LEGACY_SERVER_CONNECT
See SSL_CTX_set_options(3).
-
NO_TICKET
See SSL_CTX_set_options(3).
+
NO_TICKET
Enabled by default when needed in +fully-patched Postfix ≥ 2.7. Not needed at all for Postfix ≥ +2.11, unless for some reason you do not want to support TLS session +resumption. Best not set explicitly. See SSL_CTX_set_options(3).
NO_COMPRESSION
Disable SSL compression even if supported by the OpenSSL library. Compression is CPU-intensive, and compression before encryption does not always improve security.
+
NO_RENEGOTIATION
Postfix ≥ 3.4. This can +reduce opportunities for a potential CPU exhaustion attack. See +SSL_CTX_set_options(3).
+ +
NO_SESSION_RESUMPTION_ON_RENEGOTIATION
Postfix +≥ 3.4. See SSL_CTX_set_options(3).
+ +
PRIORITIZE_CHACHA
Postfix ≥ 3.4. See SSL_CTX_set_options(3).
+ +
TLSEXT_PADDING
Postfix ≥ 3.4. See +SSL_CTX_set_options(3).
+

This feature is available in Postfix 2.11 and later.

diff --git a/postfix/src/tls/tls_misc.c b/postfix/src/tls/tls_misc.c index 00f71cc85..aebe2889c 100644 --- a/postfix/src/tls/tls_misc.c +++ b/postfix/src/tls/tls_misc.c @@ -355,6 +355,28 @@ static const LONG_NAME_MASK ssl_bug_tweaks[] = { #define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0 #endif NAMEBUG(CRYPTOPRO_TLSEXT_BUG), + +#ifndef SSL_OP_TLSEXT_PADDING +#define SSL_OP_TLSEXT_PADDING 0 +#endif + NAMEBUG(TLSEXT_PADDING), + +#if 0 + /* + * XXX: New with OpenSSL 1.1.1, this is turned on implicitly in SSL_CTX_new() + * and is not included in SSL_OP_ALL. Allowing users to disable this would + * thus a code change that would clearing bug work-around bits in SSL_CTX, + * after setting SSL_OP_ALL. Since this is presumably required for TLS 1.3 on + * today's Internet, the code change will be done separately later. For now + * this implicit bug work-around cannot be disabled via supported Postfix + * mechanisms. + */ +#ifndef SSL_OP_ENABLE_MIDDLEBOX_COMPAT +#define SSL_OP_ENABLE_MIDDLEBOX_COMPAT 0 +#endif + NAMEBUG(ENABLE_MIDDLEBOX_COMPAT), +#endif + 0, 0, }; @@ -380,6 +402,27 @@ static const LONG_NAME_MASK ssl_op_tweaks[] = { #define SSL_OP_NO_COMPRESSION 0 #endif NAME_SSL_OP(NO_COMPRESSION), + +#ifndef SSL_OP_NO_RENEGOTIATION +#define SSL_OP_NO_RENEGOTIATION 0 +#endif + NAME_SSL_OP(NO_RENEGOTIATION), + +#ifndef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION +#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0 +#endif + NAME_SSL_OP(NO_SESSION_RESUMPTION_ON_RENEGOTIATION), + +#ifndef SSL_OP_PRIORITIZE_CHACHA +#define SSL_OP_PRIORITIZE_CHACHA 0 +#endif + NAME_SSL_OP(PRIORITIZE_CHACHA), + +#ifndef SSL_OP_ENABLE_MIDDLEBOX_COMPAT +#define SSL_OP_ENABLE_MIDDLEBOX_COMPAT 0 +#endif + NAME_SSL_OP(ENABLE_MIDDLEBOX_COMPAT), + 0, 0, };