cherokee / webserver

Cherokee Web Server
GNU General Public License v2.0

Cherokee Ignores SSL/TLS Protocols Supported by OpenSSL #1255

Open rdratlos opened 3 years ago

rdratlos commented 3 years ago

SSL/TLS protocols are hardcoded in Cherokee. Neither at build time nor at run time are the SSL/TLS protocols supported by the OpenSSL back-end checked. This may lead to the dangerous situation that OpenSSL encrypts HTTPS traffic using an SSL/TLS protocol version that is not explicitly supported by Cherokee. The current Cherokee, for example, does not support TLS protocol version 1.3, which requires ciphersuites for encryption that cannot be configured by Cherokee.

More and more OS distribution maintainers now control the security of their OpenSSL packages by deactivating unsafe SSL/TLS protocols at build time. For system administrators it is very difficult to identify the root cause of rejected HTTPS communication requests due to suddenly unavailable SSL/TLS protocols. OpenSSL provides only pretty cryptic notifications.

skinkie commented 3 years ago

@rakuco you can choose which ciphers and protocols are supported at runtime. Is your statement here that it should not show the other options iff OpenSSL does not support them? I consider not supporting TLS 1.3 a separate issue.

rdratlos commented 3 years ago

The following screenshots show the "new" configuration screens for SSL/TLS protocols, ciphers and ciphersuites:

admin_advanced5

admin_vserver_security_ssl

rdratlos commented 3 years ago

And here is another one for system administrators that still have to operate Cherokee webserver using legacy OpenSSL version 0.9.8:

Cherokee_w_OpenSSL0_9_8

rdratlos commented 3 years ago

With the above fix, cherokee -i now correctly reports the actual availability of SSL/TLS protocols:

Compilation
 Version: 1.2.104
 Compiled on: Apr  2 2021 11:20:09
 Arguments to configure:  '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--enable-os-string=Ubuntu' '--docdir=/usr/share/doc/cherokee-doc' '--with-wwwroot=/var/www' '--enable-trace' '--enable-pthread' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/cherokee-uV886k/cherokee-1.2.104=. -fstack-protector-strong -Wformat -Werror=format-security' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/build/cherokee-uV886k/cherokee-1.2.104=. -fstack-protector-strong -Wformat -Werror=format-security'
 OpenSSL support: libssl (OpenSSL 1.1.1f  31 Mar 2020)

Installation
 Deps dir: /usr/share/cherokee/deps
 Data dir: /usr/share/cherokee
 Icons dir: /usr/share/cherokee/icons
 Themes dir: /usr/share/cherokee/themes
 Plug-in dir: /usr/lib/x86_64-linux-gnu/cherokee
 Temporal dir: /tmp

Plug-ins
 Built-in: 

Support
 IPv6: yes
 Pthreads: yes
 Tracing: yes
 sendfile(): yes
 syslog(): yes
 Polling methods: epoll poll select 
 SSL/TLS: libssl (OpenSSL 1.1.1j  16 Feb 2021)
          supported protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 - default min. protocol: TLSv1.2
          protocols deactivated by maintainer: SSLv3
 TLS SNI: yes
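The report above is produced by the fix inside Cherokee itself. As an added illustration of the same idea (this is example code, not Cherokee's), the Python script below asks the linked OpenSSL which protocol versions it was built with, renders a cherokee -i style summary, and validates an administrator's configured minimum protocol before any handshake can fail with a cryptic OpenSSL alert. The TLSv1.2 default and the name DEFAULT_MIN_PROTOCOL are assumptions modelled on the report, not a Cherokee setting.

```python
import ssl

# Protocol names in the order cherokee -i prints them. CPython derives the
# HAS_* flags from OpenSSL's OPENSSL_NO_* build macros, i.e. from the same
# build-time decision a distribution maintainer takes when deactivating SSLv3.
PROTOCOLS = (
    ("SSLv3",   ssl.HAS_SSLv3,   ssl.TLSVersion.SSLv3),
    ("TLSv1",   ssl.HAS_TLSv1,   ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.HAS_TLSv1_1, ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.HAS_TLSv1_2, ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.HAS_TLSv1_3, ssl.TLSVersion.TLSv1_3),
)
DEFAULT_MIN_PROTOCOL = "TLSv1.2"  # assumed server default, as in the report above

def protocol_report():
    """Return (supported names, deactivated names) for the linked OpenSSL."""
    supported = [name for name, available, _ in PROTOCOLS if available]
    deactivated = [name for name, available, _ in PROTOCOLS if not available]
    return supported, deactivated

def validate_min_protocol(requested=DEFAULT_MIN_PROTOCOL):
    """Resolve an administrator's minimum-protocol name to an ssl.TLSVersion.

    Fails with a plain-language ValueError at configuration time instead of
    letting every later handshake die with OpenSSL's terse protocol alert.
    """
    table = {name: (available, version) for name, available, version in PROTOCOLS}
    if requested not in table:
        raise ValueError(f"unknown protocol {requested!r}; known: {', '.join(table)}")
    available, version = table[requested]
    if not available:
        raise ValueError(f"{requested} is deactivated in {ssl.OPENSSL_VERSION}; "
                         f"available: {', '.join(protocol_report()[0])}")
    # Finally let OpenSSL itself accept the bound on a real server context.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = version
    return ctx.minimum_version

def describe():
    """Render the same summary block that cherokee -i prints."""
    supported, deactivated = protocol_report()
    lines = [f" SSL/TLS: {ssl.OPENSSL_VERSION}",
             f"          supported protocols: {', '.join(supported)}"
             f" - default min. protocol: {DEFAULT_MIN_PROTOCOL}"]
    if deactivated:
        lines.append(f"          protocols deactivated by maintainer: {', '.join(deactivated)}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(describe())
```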