Bug 5306 - consider disabling SSL3 in tlstunnel
Status: CLOSED FIXED
Product: ThinLinc
Component: Misc
Version: pre-1.0
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.4.0
Reported: 2014-10-15 10:18
Modified: 2015-03-20 10:30
Description From cendio 2014-10-15 10:18:12
There is a new MITM attack on SSL3 out called POODLE. This is a design flaw in
SSL3 and there doesn't seem to be a way to work around it. So the general
recommendation is to start disabling SSL3 everywhere.

Browsers have already started disabling SSL3 on their end so it's probably not
a major cause for alarm for ThinLinc users. The main attack vector also seems
to be to steal cookies, which we do not use. Still, better safe than sorry and
we should prevent users from accidentally using an insecure protocol.

We need to double check that we don't lock out any significant browsers by
doing this. Other than that it should just be a matter of changing the GnuTLS
configuration.

OpenSSL's brief on the issue:

https://www.openssl.org/~bodo/ssl-poodle.pdf
------- Comment #2 From cendio 2014-11-27 12:40:23 -------
Time est. includes a stab at letting the admin configure their preferred
ciphers.
------- Comment #3 From cendio 2014-12-18 13:56:40 -------
Committed in revisions 29745, 29746, 29747, 29748, 29749, 29750, 29751.

Tester should...

 - make sure that SSLv3 is disabled in tlstunnel with the
   standard configuration files.

 - make sure that tlstunnel honors the priority string given in
   the configuration files, for example by removing support for
   even newer algorithms.

 - make sure that tlstunnel handles invalid priority strings in
   a graceful way rather than crashing.

 - proof-read the documentation.
------- Comment #4 From cendio 2015-03-02 13:42:06 -------
Making the docs now spews a lot of gunk out on your console whilst it is
generating gnutls-priorities.xml.
------- Comment #5 From cendio 2015-03-02 14:09:29 -------
(In reply to comment #4)
> Making the docs now spews a lot of gunk out on your console whilst it is
> generating gnutls-priorities.xml.

r30076.
------- Comment #6 From cendio 2015-03-12 10:47:57 -------
Documentation looks good...
------- Comment #7 From cendio 2015-03-13 10:11:48 -------
Verified with a client setting priority string:

NORMAL:+VERS-SSL3.0:-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0

which forces the use of SSLv3.0...

A new installation of nightly build prevents a connection against tlwebaccess
and tlwebadm while connecting using the same string against 4.3.0 succeeds.
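The tester checklist in comment #3 (SSLv3 off by default, the configured priority string honoured, invalid strings rejected gracefully) and the verification in comment #7 all turn on how a GnuTLS priority string is composed. The following is an added example, not ThinLinc's or GnuTLS's own code: a small model of the version part of the priority-string grammar (an initial keyword followed by ':'-separated `+VERS-`, `-VERS-` and `!VERS-` modifiers). The contents of the `NORMAL` keyword are an assumption modelled on 2014-era GnuTLS 3.x, where SSL 3.0 was still enabled by default; `HARDENED_SERVER_PRIORITY` is a hypothetical server-side string, and the function names are this example's own. Run against the client string from comment #7, it reproduces the outcome the tester saw: no common version against a server that has removed SSL 3.0, and SSL 3.0 only against a server still on the old default.

```python
import re

# Assumption (not from the bug thread): the protocol versions the GnuTLS
# "NORMAL" keyword enabled in 2014-era GnuTLS 3.x, where SSL 3.0 was still
# on by default. Ordered oldest to newest.
KEYWORDS = {
    "NORMAL": ["SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2"],
}
KNOWN_VERSIONS = set(KEYWORDS["NORMAL"])

# Hypothetical hardened default for a server such as tlstunnel: start from
# NORMAL and remove SSL 3.0, which is the whole POODLE mitigation.
HARDENED_SERVER_PRIORITY = "NORMAL:-VERS-SSL3.0"

# The client string quoted in comment #7: keep SSL 3.0, then remove every
# TLS version so SSL 3.0 is the only thing the client can offer.
POODLE_TEST_CLIENT = "NORMAL:+VERS-SSL3.0:-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0"

_MODIFIER = re.compile(r"([+!-])VERS-([A-Z0-9.]+)$")


class PriorityError(ValueError):
    """A malformed priority string; callers should report it, not crash."""


def enabled_versions(priority):
    """Return the protocol versions a priority string leaves enabled.

    Only the version part of the grammar is modelled: an initial keyword,
    then ':'-separated modifiers. '+' adds a version; '-' and '!' both
    remove one (the GnuTLS manual documents both as removal operators).
    """
    if not priority:
        raise PriorityError("empty priority string")
    head, *modifiers = priority.split(":")
    if head not in KEYWORDS:
        raise PriorityError("unknown initial keyword: %r" % head)
    enabled = list(KEYWORDS[head])
    for token in modifiers:
        match = _MODIFIER.match(token)
        if match is None:
            # Cipher, MAC and other modifiers exist in GnuTLS but are outside
            # this model, so anything that is not a version modifier is rejected.
            raise PriorityError("unsupported or malformed modifier: %r" % token)
        op, version = match.groups()
        if version not in KNOWN_VERSIONS:
            raise PriorityError("unknown protocol version: %r" % version)
        if op == "+":
            if version not in enabled:
                enabled.append(version)
        elif version in enabled:
            enabled.remove(version)
    # Report in a stable oldest-to-newest order regardless of modifier order.
    return [v for v in KEYWORDS["NORMAL"] if v in enabled]


def common_versions(server_priority, client_priority):
    """Versions both sides allow; an empty list means the handshake fails."""
    server = set(enabled_versions(server_priority))
    return [v for v in enabled_versions(client_priority) if v in server]


def validate_priority(priority):
    """Return None if the string parses, otherwise the error message.

    This is the "graceful rather than crashing" behaviour asked for in
    comment #3: a daemon can log the message and reject the configuration
    instead of dying with a traceback at startup.
    """
    try:
        enabled_versions(priority)
    except PriorityError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for server in ("NORMAL", HARDENED_SERVER_PRIORITY):
        common = common_versions(server, POODLE_TEST_CLIENT)
        print("server %-20s vs SSLv3-only client -> %s"
              % (server, ", ".join(common) or "no common version, handshake fails"))
    print("invalid string ->", validate_priority("NORMAL:-VERS-TLS9.9"))
```

The model deliberately rejects anything it does not understand rather than guessing, which is the property a tunnel daemon wants from its configuration loader: a typo in the priority string should surface as a clear error at startup, not as a silently weaker protocol set or a crash.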