Open rdratlos opened 3 years ago
rdratlos
commented
3 years ago Ubuntu packages for Cherokee Webserver with this pull request are available in Launchpad. Supported releases are Ubuntu Focal and Ubuntu Bionic. All packages have been built with option --enable-trace for better testing. Please follow the instructions of the Launchpad PPA in order to enable the repository and install Cherokee Webserver on your test server.
skinkie
commented
3 years ago Thanks for this effort! I'll review this later :-)
shannara
commented
1 year ago Hi,
I tested on my side, merged master with your branch, fix little conflicts on qa/Makefile.am and configure.ac. Warning about obsolete macros, but compile done : AC_PROG_CC_STDC AC_PROG_LEX without either yywrap or noyywrap AC_PROG_LIBTOOL
work wheel with openssl 1.1.1n. I check on qualys lab, T because it's self cert, if trusted cert A. TLS 1.3 | Yes TLS 1.2 | Yes TLS 1.1 | No TLS 1.0 | No SSL 3 | No (disable on my openssl build) SSL 2 | No
Big thanks rdratlos for stuff.
skinkie
commented
1 year ago Yes, I have tested this for many months in production as well.
OpenSSL 1.1.1 was released on 11 September 2018. This is the latest LTS (Long Term Support) release, supported until September 2023. The headline new feature of OpenSSL 1.1.1 is TLSv1.3. This new version of the Transport Layer Security (formerly known as SSL) protocol was published by the IETF as RFC8446. This is a major rewrite of the standard and introduces significant changes, features and improvements which have been reflected in the new OpenSSL version. Main changes to be considered by Cherokee webserver:
OpenSSL 1.1.1 continues the new strategy of the OpenSSL development team started in version 1.1.0 to extend automatic configuration of the libssl back-end. This increases security and removes the burden from application developers to keep care of the many and various bits and pieces that are required to setup a safe and powerful TLS back-end.
Current Cherokee implementation does not explicitly support TLSv1.3 and other new OpenSSL 1.1.1 features. But OpenSSL/libssl back-end silently applies TLSv1.3 encryption of traffic between clients and Cherokee webserver. This is dangerous as Cherokee application must control SSL/TLS protocol availability and cipher set configuration for clients. Cherokee is responsible for security and not the used TLS back-end.
This PR implements a major update of Cherokee's OpenSSL/libssl back-end management and control. Several issues related to SSL/TLS are fixed. In particular a security issue that legacy Cherokee webservers even though software has been updated periodically may still silently offer prohibited SSLv2/v3 protocols to clients. Per default Cherokee does not make use of these protocols anymore but this can be overwritten by the SSL/TLS settings within an outdated unattended configuration file. This update fixes the issue by removing SSLv2/v3 protocol entries from an existing configuration file during installation.
The following lists provides a short summary of the implemented changes:
Following issue are fixed by this PR:
The subsequent set of patches was tested on Ubuntu Focal, Ubuntu Bionic and ArchLinux. The existing build tests all pass. Testing was performed with and without OpenSSL/libssl support, for package as well as local installations of Cherokee webserver and for OpenSSL version 1.1.1 as well as legacy OpenSSL 0.9.8.
Please review and comment.