OpenSSL 1.1.1 introduces a separate list for TLS 1.3 ciphers. As these
interfaces are meant to be user facing or not exposed at all and we
expose the tls-cipher interface, we should also expose tls-cipherlist.
Combining both settings into tls-cipher would add a lot of glue logic
that needs to be maintained and is error prone. On top of that, users
should not set either setting unless absolutely required.
OpenSSL's own s_client/s_server also expose both settings and I believe
most other software will too:
-cipher val Specify TLSv1.2 and below cipher list to be used
-ciphersuites val Specify TLSv1.3 ciphersuites to be used
For mbed TLS only the future can tell if we will see a combined or also
two separate lists.
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20181007215539.32761-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17626.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -4937,11 +4937,13 @@ determines the derivation of the tunnel session keys. |
4937 | 4937 |
.\"********************************************************* |
4938 | 4938 |
.TP |
4939 | 4939 |
.B \-\-tls\-cipher l |
4940 |
+.TQ |
|
4941 |
+.B \-\-tls\-ciphersuites l |
|
4940 | 4942 |
A list |
4941 | 4943 |
.B l |
4942 | 4944 |
of allowable TLS ciphers delimited by a colon (":"). |
4943 | 4945 |
|
4944 |
-This setting can be used to ensure that certain cipher suites are used (or |
|
4946 |
+These setting can be used to ensure that certain cipher suites are used (or |
|
4945 | 4947 |
not used) for the TLS connection. OpenVPN uses TLS to secure the control |
4946 | 4948 |
channel, over which the keys that are used to protect the actual VPN traffic |
4947 | 4949 |
are exchanged. |
... | ... |
@@ -4950,20 +4952,32 @@ The supplied list of ciphers is (after potential OpenSSL/IANA name translation) |
4950 | 4950 |
simply supplied to the crypto library. Please see the OpenSSL and/or mbed TLS |
4951 | 4951 |
documentation for details on the cipher list interpretation. |
4952 | 4952 |
|
4953 |
+For OpenSSL, the |
|
4954 |
+.B \-\-tls-cipher |
|
4955 |
+is used for TLS 1.2 and below. For TLS 1.3 and up, the |
|
4956 |
+.B \-\-tls\-ciphersuites |
|
4957 |
+setting is used. mbed TLS has no TLS 1.3 support yet and only the |
|
4958 |
+.B \-\-tls-cipher |
|
4959 |
+setting is used. |
|
4960 |
+ |
|
4953 | 4961 |
Use |
4954 | 4962 |
.B \-\-show\-tls |
4955 | 4963 |
to see a list of TLS ciphers supported by your crypto library. |
4956 | 4964 |
|
4957 | 4965 |
Warning! |
4958 | 4966 |
.B \-\-tls\-cipher |
4959 |
-is an expert feature, which \- if used correcly \- can improve the security of |
|
4960 |
-your VPN connection. But it is also easy to unwittingly use it to carefully |
|
4967 |
+and |
|
4968 |
+.B \-\-tls\-ciphersuites |
|
4969 |
+are expert features, which \- if used correcly \- can improve the security of |
|
4970 |
+your VPN connection. But it is also easy to unwittingly use them to carefully |
|
4961 | 4971 |
align a gun with your foot, or just break your connection. Use with care! |
4962 | 4972 |
|
4963 | 4973 |
The default for \-\-tls\-cipher is to use mbed TLS's default cipher list |
4964 | 4974 |
when using mbed TLS or |
4965 | 4975 |
"DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA" when using |
4966 | 4976 |
OpenSSL. |
4977 |
+ |
|
4978 |
+The default for \-\-tls\-ciphersuites is to use the crypto library's default. |
|
4967 | 4979 |
.\"********************************************************* |
4968 | 4980 |
.TP |
4969 | 4981 |
.B \-\-tls\-cert\-profile profile |
... | ... |
@@ -1760,6 +1760,7 @@ show_settings(const struct options *o) |
1760 | 1760 |
SHOW_STR(cryptoapi_cert); |
1761 | 1761 |
#endif |
1762 | 1762 |
SHOW_STR(cipher_list); |
1763 |
+ SHOW_STR(cipher_list_tls13); |
|
1763 | 1764 |
SHOW_STR(tls_cert_profile); |
1764 | 1765 |
SHOW_STR(tls_verify); |
1765 | 1766 |
SHOW_STR(tls_export_cert); |
... | ... |
@@ -2750,6 +2751,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec |
2750 | 2750 |
MUST_BE_UNDEF(pkcs12_file); |
2751 | 2751 |
#endif |
2752 | 2752 |
MUST_BE_UNDEF(cipher_list); |
2753 |
+ MUST_BE_UNDEF(cipher_list_tls13); |
|
2753 | 2754 |
MUST_BE_UNDEF(tls_cert_profile); |
2754 | 2755 |
MUST_BE_UNDEF(tls_verify); |
2755 | 2756 |
MUST_BE_UNDEF(tls_export_cert); |
... | ... |
@@ -7872,6 +7874,11 @@ add_option(struct options *options, |
7872 | 7872 |
VERIFY_PERMISSION(OPT_P_GENERAL); |
7873 | 7873 |
options->tls_cert_profile = p[1]; |
7874 | 7874 |
} |
7875 |
+ else if (streq(p[0], "tls-ciphersuites") && p[1] && !p[2]) |
|
7876 |
+ { |
|
7877 |
+ VERIFY_PERMISSION(OPT_P_GENERAL); |
|
7878 |
+ options->cipher_list_tls13 = p[1]; |
|
7879 |
+ } |
|
7875 | 7880 |
else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir")) |
7876 | 7881 |
|| (p[2] && streq(p[1], INLINE_FILE_TAG) ) || !p[2]) && !p[3]) |
7877 | 7882 |
{ |
... | ... |
@@ -618,9 +618,10 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx) |
618 | 618 |
tls_ctx_set_cert_profile(new_ctx, options->tls_cert_profile); |
619 | 619 |
|
620 | 620 |
/* Allowable ciphers */ |
621 |
- /* Since @SECLEVEL also influces loading of certificates, set the |
|
621 |
+ /* Since @SECLEVEL also influences loading of certificates, set the |
|
622 | 622 |
* cipher restrictions before loading certificates */ |
623 | 623 |
tls_ctx_restrict_ciphers(new_ctx, options->cipher_list); |
624 |
+ tls_ctx_restrict_ciphers_tls13(new_ctx, options->cipher_list_tls13); |
|
624 | 625 |
|
625 | 626 |
if (!tls_ctx_set_options(new_ctx, options->ssl_flags)) |
626 | 627 |
{ |
... | ... |
@@ -169,7 +169,8 @@ bool tls_ctx_initialised(struct tls_root_ctx *ctx); |
169 | 169 |
bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags); |
170 | 170 |
|
171 | 171 |
/** |
172 |
- * Restrict the list of ciphers that can be used within the TLS context. |
|
172 |
+ * Restrict the list of ciphers that can be used within the TLS context for TLS 1.2 |
|
173 |
+ * and below |
|
173 | 174 |
* |
174 | 175 |
* @param ctx TLS context to restrict, must be valid. |
175 | 176 |
* @param ciphers String containing : delimited cipher names, or NULL to use |
... | ... |
@@ -178,6 +179,16 @@ bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags); |
178 | 178 |
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers); |
179 | 179 |
|
180 | 180 |
/** |
181 |
+ * Restrict the list of ciphers that can be used within the TLS context for TLS 1.3 |
|
182 |
+ * and higher |
|
183 |
+ * |
|
184 |
+ * @param ctx TLS context to restrict, must be valid. |
|
185 |
+ * @param ciphers String containing : delimited cipher names, or NULL to use |
|
186 |
+ * sane defaults. |
|
187 |
+ */ |
|
188 |
+void tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers); |
|
189 |
+ |
|
190 |
+/** |
|
181 | 191 |
* Set the TLS certificate profile. The profile defines which crypto |
182 | 192 |
* algorithms may be used in the supplied certificate. |
183 | 193 |
* |
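Review bot: The new doc comment for `tls_ctx_restrict_ciphers_tls13` says NULL selects "sane defaults", but it does not say what happens to a non-NULL list on a backend that cannot honour it. Both implementations added in this commit return without touching the context on NULL, and the mbed TLS one and the OpenSSL pre-1.1.1 branch only log a warning and ignore the list. I would put that in the contract, e.g. `@param ciphers String containing : delimited TLS 1.3 ciphersuite names, or NULL to keep the crypto library's default.` followed by a line such as `Backends without TLS 1.3 support log a warning and ignore the list.`, so that a caller does not assume a restriction was applied.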
... | ... |
@@ -223,6 +223,19 @@ tls_translate_cipher_name(const char *cipher_name) |
223 | 223 |
} |
224 | 224 |
|
225 | 225 |
void |
226 |
+tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers) |
|
227 |
+{ |
|
228 |
+ if (ciphers == NULL) |
|
229 |
+ { |
|
230 |
+ /* Nothing to do, return without warning message */ |
|
231 |
+ return; |
|
232 |
+ } |
|
233 |
+ |
|
234 |
+ msg(M_WARN, "mbed TLS does not support setting tls-ciphersuites. " |
|
235 |
+ "Ignoring TLS 1.3 cipher list: %s", ciphers); |
|
236 |
+} |
|
237 |
+ |
|
238 |
+void |
|
226 | 239 |
tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) |
227 | 240 |
{ |
228 | 241 |
char *tmp_ciphers, *tmp_ciphers_orig, *token; |
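Review bot: The mbed TLS `tls_ctx_restrict_ciphers_tls13` accepts a restriction it cannot apply and carries on after `msg(M_WARN, …)`. That is only safe while this backend negotiates no TLS 1.3 at all, which the man page text in this commit states but the code does not. A comment above the warning would pin the assumption, e.g. `/* mbed TLS has no TLS 1.3 support, so there are no TLS 1.3 suites to restrict; revisit when that changes */`. `ctx` is unused in this function, which may raise an unused-parameter warning depending on build flags. The body of the following `tls_ctx_restrict_ciphers` continues outside the hunk.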
... | ... |
@@ -391,6 +391,7 @@ convert_tls_list_to_openssl(char* openssl_ciphers, size_t len,const char *cipher |
391 | 391 |
openssl_ciphers[openssl_ciphers_len-1] = '\0'; |
392 | 392 |
} |
393 | 393 |
} |
394 |
+ |
|
394 | 395 |
void |
395 | 396 |
tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) |
396 | 397 |
{ |
... | ... |
@@ -427,6 +428,61 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) |
427 | 427 |
} |
428 | 428 |
|
429 | 429 |
void |
430 |
+convert_tls13_list_to_openssl(char* openssl_ciphers, size_t len, const char *ciphers) |
|
431 |
+{ |
|
432 |
+ /* |
|
433 |
+ * OpenSSL (and official IANA) cipher names have _ in them. We |
|
434 |
+ * historically used names with - in them. Silently convert names |
|
435 |
+ * with - to names with _ to support both |
|
436 |
+ */ |
|
437 |
+ if (strlen(ciphers) >= (len - 1)) |
|
438 |
+ { |
|
439 |
+ msg(M_FATAL, |
|
440 |
+ "Failed to set restricted TLS 1.3 cipher list, too long (>%d).", |
|
441 |
+ (int) (len - 1)); |
|
442 |
+ } |
|
443 |
+ |
|
444 |
+ strncpy(openssl_ciphers, ciphers, len); |
|
445 |
+ |
|
446 |
+ for (size_t i = 0; i < strlen(openssl_ciphers); i++) |
|
447 |
+ { |
|
448 |
+ if (openssl_ciphers[i] == '-') |
|
449 |
+ { |
|
450 |
+ openssl_ciphers[i] = '_'; |
|
451 |
+ } |
|
452 |
+ } |
|
453 |
+} |
|
454 |
+ |
|
455 |
+void |
|
456 |
+tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers) |
|
457 |
+{ |
|
458 |
+ if (ciphers == NULL) |
|
459 |
+ { |
|
460 |
+ /* default cipher list of OpenSSL 1.1.1 is sane, do not set own |
|
461 |
+ * default as we do with tls-cipher */ |
|
462 |
+ return; |
|
463 |
+ } |
|
464 |
+ |
|
465 |
+#if (OPENSSL_VERSION_NUMBER < 0x1010100fL) |
|
466 |
+ crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher. " |
|
467 |
+ "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.", |
|
468 |
+ ciphers); |
|
469 |
+#else |
|
470 |
+ ASSERT(NULL != ctx); |
|
471 |
+ |
|
472 |
+ char openssl_ciphers[4096]; |
|
473 |
+ convert_tls13_list_to_openssl(openssl_ciphers, sizeof(openssl_ciphers), |
|
474 |
+ ciphers); |
|
475 |
+ |
|
476 |
+ if (!SSL_CTX_set_ciphersuites(ctx->ctx, openssl_ciphers)) |
|
477 |
+ { |
|
478 |
+ crypto_msg(M_FATAL, "Failed to set restricted TLS 1.3 cipher list: %s", |
|
479 |
+ openssl_ciphers); |
|
480 |
+ } |
|
481 |
+#endif |
|
482 |
+} |
|
483 |
+ |
|
484 |
+void |
|
430 | 485 |
tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile) |
431 | 486 |
{ |
432 | 487 |
#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL |
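Review bot: `convert_tls13_list_to_openssl` is defined without `static`, although its only visible caller is `tls_ctx_restrict_ciphers_tls13` in the same hunk; it should be `static void` unless a header outside this page declares it. The copy is only bounded correctly because `msg(M_FATAL, …)` is expected not to return. After that guard, `strncpy(openssl_ciphers, ciphers, len)` zero-pads the whole 4096-byte buffer and the loop re-runs `strlen(openssl_ciphers)` on every iteration. Taking the length once with `size_t n = strlen(ciphers);`, then `memcpy(openssl_ciphers, ciphers, n + 1);` and looping to `n`, keeps the same bound with less work. The guard also computes `len - 1` on a `size_t`, which wraps if a caller ever passes `len == 0`; writing the test as `len == 0 || strlen(ciphers) >= len - 1` would cover that.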