Posted to dev@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2012/12/21 16:37:12 UTC

SSL compression / bug 54324

All,

https://issues.apache.org/bugzilla/show_bug.cgi?id=54324

The enhancement request (marked MAJOR) is to allow the APR connector to
configure SSL_OP_NO_COMPRESSION in OpenSSL, disabling SSL compression
even when it is supported by the client. This prevents CRIME attacks.

My question is whether we want to disable compression by default or
leave compression enabled when supported (which is the current default).

Since this is security-related, my preference is to disable SSL
compression /by default/ and allow users to specifically enable it if
necessary. But, this represents a change in default so I figured I'd ask.

Any comments?

Thanks,
-chris


Re: SSL compression / bug 54324

Posted by Christopher Schultz <ch...@christopherschultz.net>.
All,

On 12/21/12 10:37 AM, Christopher Schultz wrote:
> Since this is security-related, my preference is to disable SSL
> compression /by default/ and allow users to specifically enable it if
> necessary. But, this represents a change in default so I figured I'd ask.

One more note which reverses my original position: if compression is
explicitly requested to be disabled and it can /not/ be disabled, I
think we should fail-safe and throw an exception -- thereby failing to
start the connector.

There is a similar security-related option, SSLInsecureRenegotiation,
that does *not* fail-safe: if you request disabling insecure
renegotiation and that option is not supported by OpenSSL, you get a
warning message in the log but the connector starts up nonetheless.

-chris


Re: SSL compression / bug 54324

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Konstantin,

On 1/21/13 4:25 AM, Konstantin Kolinko wrote:
> 2012/12/22 Rainer Jung <ra...@kippdata.de>:
>> On 21.12.2012 16:37, Christopher Schultz wrote:
>>> All,
>>>
>>> https://issues.apache.org/bugzilla/show_bug.cgi?id=54324
>>>
>>> The enhancement request (marked MAJOR) is to allow the APR connector to
>>> configure SSL_OP_NO_COMPRESSION in OpenSSL, disabling SSL compression
>>> even when it is supported by the client. This prevents CRIME attacks.
>>>
>>> My question is whether we want to disable compression by default or
>>> leave compression enabled when supported (which is the current default).
>>>
>>> Since this is security-related, my preference is to disable SSL
>>> compression /by default/ and allow users to specifically enable it if
>>> necessary. But, this represents a change in default so I figured I'd ask.
>>>
>>> Any comments?
>>
>> The web server in the current branch had SSL compression set to on by
>> default until the latest release (2.4.3), if OpenSSL supported it. The
>> next release 2.4.4 will have it disabled by default for the same
>> reasons. Considering the current state of affairs I'm comfortable
>> switching the defaults here.
>>
> 
> Reviewing the commit for this issue,
> http://svn.apache.org/viewvc?view=revision&revision=1434887
> 
> First, my preference here would be to disable compression by default,
> for security reasons.

Okay. I didn't get any resounding response to my question, so I decided
to leave disabled-compression as NOT the default. It's an easy patch to
my commit to change the behavior.

> Second, with the current implementation there is no way to enable
> compression if the default in OpenSSL for it is "disabled". It is
> actually due to a lack of API in Tomcat-Native.
> 
> In OpenSSL there are methods to set and to clear a flag [1]:
> (1) SSL_CTX_set_options(...)
> (2) SSL_CTX_clear_options(..)
> 
> [1] http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
> 
> In Tomcat-Native only the "set" method is exposed by SSLContext, but
> there is no API for the "clear" method. To disable compression we call
>  SSLContext.setOptions(sslContext, SSL.SSL_OP_NO_COMPRESSION);

I'm not sure you can disable compression by default but also allow it to
be re-enabled. Permanently disabling compression is done at compile-time
and cannot be re-enabled at runtime.

I've been reading the API docs (which are horrendous... Javadoc was such
a brilliant idea) and I can't seem to find anything about the default
options that are set at compile-time -- other than at least
SSL_OP_LEGACY_SERVER_CONNECT is set as a default option. The only thing
I can think of is that SSL_OP_ALL includes SSL_OP_LEGACY_SERVER_CONNECT
so that's what they mean by "default". tcnative sets SSL_OP_ALL upon
initialization, so anything in there you want to disable is not possible
through Tomcat.

It probably does make sense to add a clearOptions method to sslcontext.c
and the Java wrapper. I'll do that now.

> Well, this matters only if OpenSSL uses "no compression" as the default.
> I see that it was considered in October 2012 [2], but I do not know
> what the current state is -- there were no releases since May 2012 and
> no such change is mentioned in the current changelog [3].

Fair enough: allowing the clearing of options in the native code will at
least make this possible on shorter notice.

> Third, Christopher's question on the current state of JSSE support is
> still unanswered
> http://tomcat.markmail.org/thread/qzd7czphbpz3ox2c

Yup: I'd be grateful if anyone with any JSSE knowledge could give me a hand.

-chris


Re: SSL compression / bug 54324

Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/12/22 Rainer Jung <ra...@kippdata.de>:
> On 21.12.2012 16:37, Christopher Schultz wrote:
>> All,
>>
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=54324
>>
>> The enhancement request (marked MAJOR) is to allow the APR connector to
>> configure SSL_OP_NO_COMPRESSION in OpenSSL, disabling SSL compression
>> even when it is supported by the client. This prevents CRIME attacks.
>>
>> My question is whether we want to disable compression by default or
>> leave compression enabled when supported (which is the current default).
>>
>> Since this is security-related, my preference is to disable SSL
>> compression /by default/ and allow users to specifically enable it if
>> necessary. But, this represents a change in default so I figured I'd ask.
>>
>> Any comments?
>
> The web server in the current branch had SSL compression set to on by
> default until the latest release (2.4.3), if OpenSSL supported it. The
> next release 2.4.4 will have it disabled by default for the same
> reasons. Considering the current state of affairs I'm comfortable
> switching the defaults here.
>

Reviewing the commit for this issue,
http://svn.apache.org/viewvc?view=revision&revision=1434887

First, my preference here would be to disable compression by default,
for security reasons.

Second, with the current implementation there is no way to enable
compression if the default in OpenSSL for it is "disabled". It is
actually due to a lack of API in Tomcat-Native.

In OpenSSL there are methods to set and to clear a flag [1]:
(1) SSL_CTX_set_options(...)
(2) SSL_CTX_clear_options(..)

[1] http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html

In Tomcat-Native only the "set" method is exposed by SSLContext, but
there is no API for the "clear" method. To disable compression we call
 SSLContext.setOptions(sslContext, SSL.SSL_OP_NO_COMPRESSION);

Well, this matters only if OpenSSL uses "no compression" as the default.
I see that it was considered in October 2012 [2], but I do not know
what the current state is -- there were no releases since May 2012 and
no such change is mentioned in the current changelog [3].

[2] Thread "OpenSSL and CRIME" at openssl-dev from October 2012,
http://openssl.6102.n7.nabble.com/OpenSSL-and-CRIME-td36961.html

[3] http://openssl.org/news/changelog.html


Third, Christopher's question on the current state of JSSE support is
still unanswered
http://tomcat.markmail.org/thread/qzd7czphbpz3ox2c

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
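The two OpenSSL calls Konstantin names above, SSL_CTX_set_options() and SSL_CTX_clear_options(), together with the fail-safe behaviour Chris proposes earlier in the thread (refuse to start rather than log a warning when the option cannot be honoured), can be exercised without Tomcat at all. The block below is an added example and is not Tomcat, Tomcat-Native or OpenSSL project code; it uses Python's standard ssl module, whose SSLContext.options setter clears dropped bits with SSL_CTX_clear_options() and sets new bits with SSL_CTX_set_options(), so the same set/clear distinction the thread is about is visible. The function names, the CompressionPolicyError class and the fail_safe parameter are the example's own inventions, not tcnative API.

```python
"""Set, verify and clear SSL_OP_NO_COMPRESSION through Python's ssl module.

Added example, not Tomcat/tcnative/OpenSSL code. The policy helpers below
(disable_compression, enable_compression, CompressionPolicyError, fail_safe)
are invented for illustration. The flag itself is OpenSSL's
SSL_OP_NO_COMPRESSION, exposed by Python as ssl.OP_NO_COMPRESSION only when
the linked OpenSSL supports it, which gives us a realistic "option not
available in this OpenSSL" branch to exercise the fail-safe logic.
"""
import ssl


class CompressionPolicyError(RuntimeError):
    """Raised when a requested compression policy cannot be enforced."""


def _no_compression_flag():
    # ssl.OP_NO_COMPRESSION is absent when the underlying OpenSSL lacks
    # SSL_OP_NO_COMPRESSION; treat that like tcnative's "unsupported option".
    return getattr(ssl, "OP_NO_COMPRESSION", None)


def compression_disabled(ctx: ssl.SSLContext) -> bool:
    """True when SSL_OP_NO_COMPRESSION is currently set on ctx."""
    flag = _no_compression_flag()
    return flag is not None and bool(int(ctx.options) & int(flag))


def disable_compression(ctx: ssl.SSLContext, fail_safe: bool = True) -> bool:
    """Request SSL_OP_NO_COMPRESSION on ctx and verify that it took effect.

    fail_safe=True is the behaviour proposed in the thread: if the option is
    unavailable or did not stick, raise so the caller refuses to start the
    listener. fail_safe=False mirrors the SSLInsecureRenegotiation behaviour
    the thread criticises: report the failure and carry on.
    Returns True when compression is disabled afterwards.
    """
    flag = _no_compression_flag()
    if flag is None:
        if fail_safe:
            raise CompressionPolicyError(
                "this OpenSSL has no SSL_OP_NO_COMPRESSION; refusing to start")
        return False
    # Adding a bit goes through SSL_CTX_set_options() in the setter.
    ctx.options = int(ctx.options) | int(flag)
    if not compression_disabled(ctx):
        if fail_safe:
            raise CompressionPolicyError("SSL_OP_NO_COMPRESSION did not stick")
        return False
    return True


def enable_compression(ctx: ssl.SSLContext) -> bool:
    """Clear SSL_OP_NO_COMPRESSION: the SSL_CTX_clear_options() path that
    tcnative lacked at the time of the thread. Returns True when the bit is
    clear afterwards. Note: this only *permits* negotiation; an OpenSSL built
    without compression support (compile-time disable) still never compresses.
    """
    flag = _no_compression_flag()
    if flag is None:
        return True  # nothing to clear; the bit cannot be set on this build
    # Removing a bit goes through SSL_CTX_clear_options() in the setter.
    ctx.options = int(ctx.options) & ~int(flag)
    return not compression_disabled(ctx)


def build_server_context(allow_compression: bool = False) -> ssl.SSLContext:
    """Build a server context the way a connector attribute would drive it:
    compression disabled by default, re-enabled only on explicit request."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if allow_compression:
        enable_compression(ctx)
    else:
        disable_compression(ctx, fail_safe=True)
    return ctx


if __name__ == "__main__":
    ctx = build_server_context()
    print("compression disabled:", compression_disabled(ctx))
    ctx = build_server_context(allow_compression=True)
    print("compression disabled after explicit enable:", compression_disabled(ctx))
```

Checking the option bit is not the same as checking the wire: on an OpenSSL built with no-comp, or on recent releases that disable compression by default, clearing the bit changes nothing observable. After a real handshake, SSLSocket.compression() returning None is the definitive confirmation that nothing CRIME-relevant is being negotiated.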


Re: SSL compression / bug 54324

Posted by Rainer Jung <ra...@kippdata.de>.
On 21.12.2012 16:37, Christopher Schultz wrote:
> All,
> 
> https://issues.apache.org/bugzilla/show_bug.cgi?id=54324
> 
> The enhancement request (marked MAJOR) is to allow the APR connector to
> configure SSL_OP_NO_COMPRESSION in OpenSSL, disabling SSL compression
> even when it is supported by the client. This prevents CRIME attacks.
> 
> My question is whether we want to disable compression by default or
> leave compression enabled when supported (which is the current default).
> 
> Since this is security-related, my preference is to disable SSL
> compression /by default/ and allow users to specifically enable it if
> necessary. But, this represents a change in default so I figured I'd ask.
> 
> Any comments?

The web server in the current branch had SSL compression set to on by
default until the latest release (2.4.3), if OpenSSL supported it. The
next release 2.4.4 will have it disabled by default for the same
reasons. Considering the current state of affairs I'm comfortable
switching the defaults here.

Regards,

Rainer
