curl-library

Re: weak cipher suites with OpenSSL, SecureTransport and... ?

From: Marc Hoersken <info_at_marc-hoersken.de>
Date: Sat, 22 Feb 2014 16:04:59 +0100

On 13.02.2014 08:27, Daniel Stenberg wrote:
> Go for it. We've tried to make this happen with the other SSL backends
> so it makes perfect sense to me!

After pushing the change on the 31st of January, I have now noticed that
there seems to be a problem with stunnel and Schannel while using
TLSv1.2. Disabling it and only allowing SSLv3, TLSv1.0 and TLSv1.1 on
either side (stunnel config or Internet Explorer options) avoids the issue.

The error is shown in the following curl debug output:

$ ../src/curl.exe --output log/https_verify.out --silent --verbose
--globoff --insecure "https://127.0.0.1:8991/verifiedserver"
* STATE: INIT => CONNECT handle 0xa6e368; line 1026 (connection #-5000)
* timeout on name lookup is not supported
* Hostname was NOT found in DNS cache
* Trying 127.0.0.1...
* STATE: CONNECT => WAITCONNECT handle 0xa6e368; line 1073 (connection #0)
* Connected to 127.0.0.1 (127.0.0.1) port 8991 (#0)
* schannel: SSL/TLS connection with 127.0.0.1 port 8991 (step 1/3)
* schannel: disable server certificate revocation checks
* schannel: using IP address, SNI is being disabled by disabling the
servername check against the subject names in server certificates.
* schannel: verifyhost setting prevents Schannel from comparing the
supplied target name with the subject names in server certificates. Also
disables SNI.
* schannel: sending initial handshake data: sending 133 bytes...
* schannel: sent initial handshake data: sent 133 bytes
* schannel: SSL/TLS connection with 127.0.0.1 port 8991 (step 2/3)
* schannel: failed to receive handshake, need more data
* STATE: WAITCONNECT => PROTOCONNECT handle 0xa6e368; line 1186
(connection #0)
* schannel: SSL/TLS connection with 127.0.0.1 port 8991 (step 2/3)
* schannel: encrypted data buffer: offset 1068 length 4096
* schannel: next InitializeSecurityContext failed: SEC_E_INVALID_TOKEN
(0x80090308) - Das Token, das der Funktion übergeben wurde, ist ungültig.
* Closing connection 0
* The cache now contains 0 members
* schannel: shutting down SSL/TLS connection with 127.0.0.1 port 8991
* schannel: clear security context handle
* schannel: clear credential handle
* Expire cleared

Corresponding stunnel 4.56 debug output:

2014.02.22 15:42:30 LOG7[4080:1300]: No limit detected for the number of
clients
2014.02.22 15:42:30 LOG5[4080:1300]: stunnel 4.56 on x86-pc-msvc-1500
platform
2014.02.22 15:42:30 LOG5[4080:1300]: Compiled/running with OpenSSL
1.0.1e-fips 11 Feb 2013
2014.02.22 15:42:30 LOG5[4080:1300]: Threading:WIN32 Sockets:SELECT,IPv6
SSL:ENGINE,OCSP,FIPS
2014.02.22 15:42:30 LOG5[4080:1300]: Reading configuration from file
d:/OS/curl/tests/stunnel.conf
2014.02.22 15:42:30 LOG5[4080:1300]: FIPS mode is disabled
2014.02.22 15:42:30 LOG7[4080:1300]: Compression not enabled
2014.02.22 15:42:30 LOG7[4080:1300]: PRNG seeded successfully
2014.02.22 15:42:30 LOG6[4080:1300]: Initializing service [curltest]
2014.02.22 15:42:30 LOG7[4080:1300]: Certificate: ./stunnel.pem
2014.02.22 15:42:30 LOG7[4080:1300]: Certificate loaded
2014.02.22 15:42:30 LOG7[4080:1300]: Key file: ./stunnel.pem
2014.02.22 15:42:30 LOG7[4080:1300]: Private key loaded
2014.02.22 15:42:30 LOG7[4080:1300]: Using DH parameters from ./stunnel.pem
2014.02.22 15:42:30 LOG7[4080:1300]: DH initialized with 1024-bit key
2014.02.22 15:42:30 LOG7[4080:1300]: ECDH initialized with curve prime256v1
2014.02.22 15:42:30 LOG7[4080:1300]: SSL options set: 0x00000004
2014.02.22 15:42:30 LOG5[4080:1300]: Configuration successful
2014.02.22 15:42:30 LOG7[4080:1300]: Service [curltest] (FD=144) bound
to 0.0.0.0:8991
2014.02.22 15:42:32 LOG7[4080:1300]: Service [curltest] accepted
(FD=308) from 127.0.0.1:58589
2014.02.22 15:42:32 LOG7[4080:1300]: Creating a new thread
2014.02.22 15:42:32 LOG7[4080:1300]: New thread created
2014.02.22 15:42:32 LOG7[4080:3976]: Service [curltest] started
2014.02.22 15:42:32 LOG5[4080:3976]: Service [curltest] accepted
connection from 127.0.0.1:58589
2014.02.22 15:42:32 LOG7[4080:3976]: SSL state (accept): before/accept
initialization
2014.02.22 15:42:32 LOG7[4080:3976]: SNI: no virtual services defined
2014.02.22 15:42:32 LOG7[4080:3976]: SSL state (accept): SSLv3 read
client hello B
2014.02.22 15:42:32 LOG7[4080:3976]: SSL state (accept): SSLv3 write
server hello A
2014.02.22 15:42:32 LOG7[4080:3976]: SSL state (accept): SSLv3 write
certificate A
2014.02.22 15:42:32 LOG7[4080:3976]: SSL state (accept): SSLv3 write
server done A
2014.02.22 15:42:32 LOG7[4080:3976]: SSL state (accept): SSLv3 flush data
2014.02.22 15:42:32 LOG7[4080:3976]: SSL alert (read): warning: close notify
2014.02.22 15:42:32 LOG3[4080:3976]: SSL_accept: Peer suddenly disconnected
2014.02.22 15:42:32 LOG5[4080:3976]: Connection reset: 0 byte(s) sent to
SSL, 0 byte(s) sent to socket
2014.02.22 15:42:32 LOG7[4080:3976]: Local socket (FD=308) closed
2014.02.22 15:42:32 LOG7[4080:3976]: Service [curltest] finished (0 left)

I also tried it with stunnel 5.00 beta:

2014.02.22 15:52:31 LOG7[5212]: No limit detected for the number of clients
2014.02.22 15:52:31 LOG5[5212]: stunnel 5.00 on x86-pc-msvc-1500 platform
2014.02.22 15:52:31 LOG5[5212]: Compiled/running with OpenSSL
1.0.1e-fips 11 Feb 2013
2014.02.22 15:52:31 LOG5[5212]: Threading:WIN32 Sockets:SELECT,IPv6
SSL:ENGINE,OCSP,FIPS
2014.02.22 15:52:31 LOG5[5212]: Reading configuration from file
d:/OS/curl/tests/stunnel.conf
2014.02.22 15:52:31 LOG5[5212]: FIPS mode is disabled
2014.02.22 15:52:31 LOG7[5212]: Compression not enabled
2014.02.22 15:52:31 LOG7[5212]: PRNG seeded successfully
2014.02.22 15:52:31 LOG6[5212]: Initializing service [curltest]
2014.02.22 15:52:31 LOG7[5212]: Certificate: ./stunnel.pem
2014.02.22 15:52:31 LOG7[5212]: Certificate loaded
2014.02.22 15:52:31 LOG7[5212]: Key file: ./stunnel.pem
2014.02.22 15:52:31 LOG7[5212]: Private key loaded
2014.02.22 15:52:31 LOG7[5212]: DH initialization
2014.02.22 15:52:31 LOG7[5212]: Using DH parameters from ./stunnel.pem
2014.02.22 15:52:31 LOG7[5212]: DH initialized with 1024-bit key
2014.02.22 15:52:31 LOG7[5212]: ECDH initialization
2014.02.22 15:52:31 LOG7[5212]: ECDH initialized with curve prime256v1
2014.02.22 15:52:31 LOG7[5212]: SSL options set: 0x00000004
2014.02.22 15:52:31 LOG5[5212]: Configuration successful
2014.02.22 15:52:31 LOG7[5212]: Service [curltest] (FD=144) bound to
0.0.0.0:8991
2014.02.22 15:52:35 LOG7[5212]: Service [curltest] accepted (FD=308)
from 127.0.0.1:59290
2014.02.22 15:52:35 LOG7[5212]: Creating a new thread
2014.02.22 15:52:35 LOG7[5212]: New thread created
2014.02.22 15:52:35 LOG7[5632]: Service [curltest] started
2014.02.22 15:52:35 LOG5[5632]: Service [curltest] accepted connection
from 127.0.0.1:59290
2014.02.22 15:52:35 LOG7[5632]: SSL state (accept): before/accept
initialization
2014.02.22 15:52:35 LOG7[5632]: SNI: no virtual services defined
2014.02.22 15:52:35 LOG7[5632]: SSL state (accept): SSLv3 read client
hello A
2014.02.22 15:52:35 LOG7[5632]: SSL state (accept): SSLv3 write server
hello A
2014.02.22 15:52:35 LOG7[5632]: SSL state (accept): SSLv3 write
certificate A
2014.02.22 15:52:35 LOG7[5632]: SSL state (accept): SSLv3 write server
done A
2014.02.22 15:52:35 LOG7[5632]: SSL state (accept): SSLv3 flush data
2014.02.22 15:52:35 LOG7[5632]: SSL alert (read): warning: close notify
2014.02.22 15:52:35 LOG3[5632]: SSL_accept: Peer suddenly disconnected
2014.02.22 15:52:35 LOG5[5632]: Connection reset: 0 byte(s) sent to SSL,
0 byte(s) sent to socket
2014.02.22 15:52:35 LOG7[5632]: Local socket (FD=308) closed
2014.02.22 15:52:35 LOG7[5632]: Service [curltest] finished (0 left)
2014.02.22 15:52:35 LOG7[5632]: str_stats: 3 block(s), 60 data byte(s),
126 control byte(s)

The commit made the issue visible since it would also have shown up if I
had enabled TLSv1.1 and TLSv1.2 by default within the Internet Explorer
options.
Interestingly, TLSv1.2 using Schannel does indeed work for sites like
Google and "https://www.howsmyssl.com/a/check".

I also checked if stunnel 4.56 actually supports TLSv1.2 using OpenSSL:

$ openssl s_client -connect localhost:8991 -tls1_2
CONNECTED(00000003)
depth=0 C = SE, ST = Solna, L = Mooo, O = Haxx, OU = Coolx, CN =
storbror, CN = localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = SE, ST = Solna, L = Mooo, O = Haxx, OU = Coolx, CN =
storbror, CN = localhost
verify error:num=21:unable to verify the first certificate
verify return:1

---
Certificate chain
 0 s:/C=SE/ST=Solna/L=Mooo/O=Haxx/OU=Coolx/CN=storbror/CN=localhost
   i:/C=SE/ST=Solna/L=Mooo/O=Haxx/OU=Coolx/CN=storbror/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=SE/ST=Solna/L=Mooo/O=Haxx/OU=Coolx/CN=storbror/CN=localhost
issuer=/C=SE/ST=Solna/L=Mooo/O=Haxx/OU=Coolx/CN=storbror/CN=localhost
---
No client certificate CA names sent
---
SSL handshake has read 1516 bytes and written 446 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1234 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
C2732D3BFF5FF70078D7E167685E67163F69C8EFA34512F0B7B7BF394F70DBD5
    Session-ID-ctx:
    Master-Key:
E1AAD280FE7A32BD6E301A93853B70019D0FDE51C151DAB3DCD54BBB0B04C8EFCA9BF167913CC44B642AA78D0315B12B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
...
    Start Time: 1393081322
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

So there seems to be an incompatibility between the stunnel and Schannel
implementations of TLSv1.2.

Does anyone have any clue about this?

Best regards,
Marc
Received on 2014-02-22
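
An added example, not part of the original mail and not code from curl or stunnel: a small script that reduces stunnel debug output like the logs above to the handshake states each worker reached before `SSL_accept` reported an error, re-joining the records the mail client hard-wrapped. The sample is constructed from lines of the stunnel 4.56 log quoted in the mail; the function names are hypothetical.

```python
import re

RECORD = re.compile(r"^(\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d) LOG(\d)\[([\d:]+)\]: (.*)$")
STATE = re.compile(r"^SSL state \((accept|connect)\): (.*)$")

# Constructed sample: records copied from the stunnel 4.56 log in the mail, wraps included.
SAMPLE = """\
2014.02.22 15:42:32 LOG7[4080:3976]: SSL state (accept): before/accept
initialization
2014.02.22 15:42:32 LOG7[4080:3976]: SSL state (accept): SSLv3 read
client hello B
2014.02.22 15:42:32 LOG7[4080:3976]: SSL state (accept): SSLv3 write
server hello A
2014.02.22 15:42:32 LOG7[4080:3976]: SSL state (accept): SSLv3 write
certificate A
2014.02.22 15:42:32 LOG7[4080:3976]: SSL state (accept): SSLv3 write
server done A
2014.02.22 15:42:32 LOG7[4080:3976]: SSL state (accept): SSLv3 flush data
2014.02.22 15:42:32 LOG7[4080:3976]: SSL alert (read): warning: close notify
2014.02.22 15:42:32 LOG3[4080:3976]: SSL_accept: Peer suddenly disconnected
"""

def unwrap(text):
    """Re-join records that were hard-wrapped; lines before the first record are dropped."""
    records = []
    for line in text.splitlines():
        if RECORD.match(line):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def failed_handshakes(text):
    """Per worker id: handshake states logged before a LOG3 SSL_accept error."""
    states, failures = {}, []
    for rec in unwrap(text):
        m = RECORD.match(rec)
        _, level, worker, msg = m.groups()
        s = STATE.match(msg)
        if s:
            states.setdefault(worker, []).append(s.group(2))
        elif level == "3" and msg.startswith("SSL_accept:"):
            seen = states.pop(worker, [])
            failures.append({"worker": worker, "error": msg, "states": seen,
                             "last_state": seen[-1] if seen else None})
    return failures

if __name__ == "__main__":
    print(failed_handshakes(SAMPLE))
```

For the sample it reports that worker `4080:3976` had written its server hello, certificate and server done and flushed them before the peer disconnected, which matches the point in the curl output where `InitializeSecurityContext` fails.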