From 07b46d226aa0ecb2deb7f4521ea03db7f53b129b Mon Sep 17 00:00:00 2001 From: Jordan Wright Date: Fri, 27 Mar 2020 22:25:18 -0500 Subject: [PATCH] Updated the TLS configuration. This commit removes support for the TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA and TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ciphers. It also removes support for CurveP384. This is to match up with recommendations given by Cloudflare [0], Mozilla (the "Intermediate" compatibility) [1], and referencing the default ciphers in Caddy [2]. [0] https://blog.cloudflare.com/exposing-go-on-the-internet/ [1] https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 [2] https://github.com/caddyserver/caddy/blob/008415f206dec7c72c3b0abe36d5a40213abb7a2/caddytls/config.go#L492 Here is the diff of running testssl against the old and new configurations: ``` git diff --no-index -- old.txt new.txt diff --git a/old.txt b/new.txt index fc624a1..53d0c97 100644 --- a/old.txt +++ b/new.txt @@ -13,11 +13,11 @@ docker run --rm -ti -p 3333:3333 drwetter/testssl.sh https://host.docker.interna ########################################################### Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers] - on 4831dc55e53f:$PWD/bin/openssl.Linux.x86_64 + on 41ae723da66a:$PWD/bin/openssl.Linux.x86_64 (built: "Jan 18 17:12:17 2019", platform: "linux-x86_64") - Start 2020-03-28 02:54:41 -->> 192.168.65.2:3333 (host.docker.internal) <<-- + Start 2020-03-28 03:15:21 -->> 192.168.65.2:3333 (host.docker.internal) <<-- rDNS (192.168.65.2): -- Service detected: HTTP @@ -41,15 +41,14 @@ docker run --rm -ti -p 3333:3333 drwetter/testssl.sh https://host.docker.interna Export ciphers (w/o ADH+NULL) not offered (OK) LOW: 64 Bit + DES, RC[2,4] (w/o export) not offered (OK) Triple DES Ciphers / IDEA not offered (OK) - Obsolete: SEED + 128+256 Bit CBC cipher offered + Obsolete: SEED + 128+256 Bit CBC cipher not offered Strong encryption (AEAD ciphers) offered (OK) Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 - PFS is offered (OK) TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-CHACHA20-POLY1305 TLS_AES_128_GCM_SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA - Elliptic curves offered: prime256v1 secp384r1 secp521r1 X25519 + PFS is offered (OK) TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 TLS_AES_128_GCM_SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 + Elliptic curves offered: prime256v1 X25519 Testing server preferences @@ -58,7 +57,7 @@ docker run --rm -ti -p 3333:3333 drwetter/testssl.sh https://host.docker.interna Negotiated protocol TLSv1.3 Negotiated cipher TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519) Cipher order - TLSv1.2: ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA + TLSv1.2: ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.3: TLS_AES_128_GCM_SHA256 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_256_GCM_SHA384 @@ -125,7 +124,7 @@ docker run --rm -ti -p 3333:3333 drwetter/testssl.sh https://host.docker.interna no RSA certificate, thus certificate can't be used with SSLv2 elsewhere LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2 BEAST (CVE-2011-3389) no SSL3 or TLS1 (OK) - LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches + LUCKY13 (CVE-2013-0169), experimental not vulnerable (OK) RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) @@ -136,50 +135,48 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - xc00a ECDHE-ECDSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256 xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - xc009 ECDHE-ECDSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches + LUCKY13 (CVE-2013-0169), experimental not vulnerable (OK) RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) @@ -136,50 +135,48 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - xc00a ECDHE-ECDSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256 xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - xc009 ECDHE-ECDSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA Running client simulations (HTTP) via sockets - Android 4.4.2 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) + Android 4.4.2 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Android 5.0.0 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) Android 6.0 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) - Android 7.0 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 253 bit ECDH (X25519) - Android 8.1 (native) TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 253 bit ECDH (X25519) + Android 7.0 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 253 bit ECDH (X25519) + Android 8.1 (native) TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 253 bit ECDH (X25519) Android 9.0 (native) TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519) - Chrome 65 Win 7 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 253 bit ECDH (X25519) + Chrome 65 Win 7 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 253 bit ECDH (X25519) Chrome 74 (Win 10) TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519) - Firefox 62 Win 7 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 253 bit ECDH (X25519) + Firefox 62 Win 7 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 253 bit ECDH (X25519) Firefox 66 (Win 8.1/10) TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519) IE 6 XP No connection IE 8 Win 7 No connection IE 8 XP No connection - IE 11 Win 7 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) - IE 11 Win 8.1 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) - IE 11 Win Phone 8.1 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) - IE 11 Win 10 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) - Edge 15 Win 10 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 253 bit ECDH (X25519) - Edge 17 (Win 10) TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 253 bit ECDH (X25519) + IE 11 Win 7 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) + IE 11 Win 8.1 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) + IE 11 Win Phone 8.1 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) + IE 11 Win 10 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) + Edge 15 Win 10 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 253 bit ECDH (X25519) + Edge 17 (Win 10) TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 253 bit ECDH (X25519) Opera 60 (Win 10) TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519) - Safari 9 iOS 9 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) - Safari 9 OS X 10.11 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) - Safari 10 OS X 10.12 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) + Safari 9 iOS 9 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) + Safari 9 OS X 10.11 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) + Safari 10 OS X 10.12 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Safari 12.1 (iOS 12.2) TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519) Safari 13.0 (macOS 10.14.6) TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519) - Apple ATS 9 iOS 9 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) + Apple ATS 9 iOS 9 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Java 6u45 No connection Java 7u25 No connection - Java 8u161 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) + Java 8u161 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Java 11.0.2 (OpenJDK) TLSv1.3 TLS_AES_128_GCM_SHA256, 256 bit ECDH (P-256) Java 12.0.1 (OpenJDK) TLSv1.3 TLS_AES_128_GCM_SHA256, 256 bit ECDH (P-256) - OpenSSL 1.0.1l TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) - OpenSSL 1.0.2e TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) - OpenSSL 1.1.0j (Debian) TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 253 bit ECDH (X25519) + OpenSSL 1.0.1l TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) + OpenSSL 1.0.2e TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) + OpenSSL 1.1.0j (Debian) TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 253 bit ECDH (X25519) OpenSSL 1.1.1b (Debian) TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519) Thunderbird (60.6) TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519) - Done 2020-03-28 02:57:48 [ 189s] -->> 192.168.65.2:3333 (host.docker.internal) <<-- + Done 2020-03-28 03:17:25 [ 128s] -->> 192.168.65.2:3333 (host.docker.internal) <<-- ``` Fixes #1698 --- controllers/phish.go | 5 +---- controllers/route.go | 25 ++++++++++++++++++++++--- 2 files changed, 23 insertions(+), 7 deletions(-) diff --git a/controllers/phish.go b/controllers/phish.go index f83d9006..68701dda 100644 --- a/controllers/phish.go +++ b/controllers/phish.go @@ -3,7 +3,6 @@ package controllers import ( "compress/gzip" "context" - "crypto/tls" "errors" "fmt" "net" @@ -86,9 +85,7 @@ func WithContactAddress(addr string) PhishingServerOption { func (ps *PhishingServer) Start() { if ps.config.UseTLS { // Only support TLS 1.2 and above - ref #1691, #1689 - ps.server.TLSConfig = &tls.Config{ - MinVersion: tls.VersionTLS12, - } + ps.server.TLSConfig = defaultTLSConfig err := util.CheckAndCreateSSL(ps.config.CertPath, ps.config.KeyPath) if err != nil { log.Fatal(err) diff --git a/controllers/route.go b/controllers/route.go index 576e7dd3..b417b0ac 100644 --- a/controllers/route.go +++ b/controllers/route.go @@ -38,6 +38,27 @@ type AdminServer struct { config config.AdminServer } +var defaultTLSConfig = &tls.Config{ + PreferServerCipherSuites: true, + CurvePreferences: []tls.CurveID{ + tls.X25519, + tls.CurveP256, + }, + MinVersion: tls.VersionTLS12, + CipherSuites: []uint16{ + tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, + tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + + // Kept for backwards compatibility with some clients + tls.TLS_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_RSA_WITH_AES_128_GCM_SHA256, + }, +} + // WithWorker is an option that sets the background worker. func WithWorker(w worker.Worker) AdminServerOption { return func(as *AdminServer) { @@ -72,9 +93,7 @@ func (as *AdminServer) Start() { } if as.config.UseTLS { // Only support TLS 1.2 and above - ref #1691, #1689 - as.server.TLSConfig = &tls.Config{ - MinVersion: tls.VersionTLS12, - } + as.server.TLSConfig = defaultTLSConfig err := util.CheckAndCreateSSL(as.config.CertPath, as.config.KeyPath) if err != nil { log.Fatal(err)