Recent Linux distributions including Ubuntu 18.04, CentOS 8, and conda, include a version of OpenSSL that disables weak ciphers such as Anonymous DH (ADH) as used by OMERO. In many cases our suggested workaround to set @SECLEVEL=0 does not work:
The client work required to support ciphers other than ADH was added as part of the work to enable websockets, since in most cases clients connect to a websocket through an webserver such as Nginx that doesn't support ADH.
Note that the certificates do not need to be signed by a recognised certificate authority since OMERO clients never validate any SSL connections.
This means the server can optionally autogenerate them without any user input.
Proposal
Supported ciphers and protocols
Remove the weak ciphers from the default OMERO configuration. The default OMERO configuration will include the following properties:
Alternatively we could take this opportunity to improve the security slightly (though since the default is for clients to never verify certificates it doesn't really make much difference):
omero.glacier2.IceSSL.Ciphers: HIGH
omero.glacier2.IceSSL.ProtocolVersionMax: TLS1_3
omero.glacier2.IceSSL.ProtocolVersionMin: TLS1_2
omero.glacier2.IceSSL.Protocols: TLS1_2,TLS1_3
Certificates properties
Require certificates for IceSSL. These certificates may be self-signed since verification is disabled by default in clients.
The following properties are required:
omero.glacier2.IceSSL.DefaultDir: The directory for certificates.
This may default to {omero.data.dir}/certs or $OMERODIR/var/certs.
Any certificate properties that are not an absolute path must be in this directory.
omero.glacier2.IceSSL.CertFile: A PKCS12 file storing the certificate and key, default server.p12.
omero.glacier2.IceSSL.Password: password for the above CertFile, default secret
The following may or may not be required (probably isn't but needs checking):
omero.glacier2.IceSSL.CAs
Certificate creation
Add a new property that controls whether OMERO.server should automatically generate self-signed certificates on startup:
omero.certificates.autogenerate: default true
If omero.certificates.autogenerate: true then omero admin rewrite will create a new self-signed PKCS12 certificate using the openssl utility and store it in omero.glacier2.IceSSL.CertFile with password omero.glacier2.IceSSL.Password.
The public certificate will be regenerated on every start to avoid worrying about expiry dates.
Intermediate files server.pem (self-signed certificate in PEM format) and server.key (private key in PEM format) will be stored in omero.glacier2.IceSSL.DefaultDir.
Most of this functionality is already implemented by the omero-certificates plugin, though some work will be required to remove the automatic setting of properties.
If omero.certificates.autogenerate: false the sysadmin is responsible for creating certificates and changing any default properties.
Background
Recent Linux distributions including Ubuntu 18.04, CentOS 8, and conda, include a version of OpenSSL that disables weak ciphers such as Anonymous DH (ADH) as used by OMERO. In many cases our suggested workaround to set
@SECLEVEL=0does not work:Several users have reported success when using the omero-certificates plugin
The client work required to support ciphers other than ADH was added as part of the work to enable websockets, since in most cases clients connect to a websocket through an webserver such as Nginx that doesn't support ADH. Note that the certificates do not need to be signed by a recognised certificate authority since OMERO clients never validate any SSL connections. This means the server can optionally autogenerate them without any user input.
Proposal
Supported ciphers and protocols
Remove the weak ciphers from the default OMERO configuration. The default OMERO configuration will include the following properties:
omero.glacier2.IceSSL.Ciphers:HIGHomero.glacier2.IceSSL.ProtocolVersionMax:TLS1_2omero.glacier2.IceSSL.Protocols:TLS1_0,TLS1_1,TLS1_2TLS1_3in the aboveAlternatively we could take this opportunity to improve the security slightly (though since the default is for clients to never verify certificates it doesn't really make much difference):
omero.glacier2.IceSSL.Ciphers:HIGHomero.glacier2.IceSSL.ProtocolVersionMax:TLS1_3omero.glacier2.IceSSL.ProtocolVersionMin:TLS1_2omero.glacier2.IceSSL.Protocols:TLS1_2,TLS1_3Certificates properties
Require certificates for IceSSL. These certificates may be self-signed since verification is disabled by default in clients. The following properties are required:
omero.glacier2.IceSSL.DefaultDir: The directory for certificates. This may default to{omero.data.dir}/certsor$OMERODIR/var/certs. Any certificate properties that are not an absolute path must be in this directory.omero.glacier2.IceSSL.CertFile: A PKCS12 file storing the certificate and key, defaultserver.p12.omero.glacier2.IceSSL.Password: password for the aboveCertFile, defaultsecretThe following may or may not be required (probably isn't but needs checking):omero.glacier2.IceSSL.CAsCertificate creation
Add a new property that controls whether OMERO.server should automatically generate self-signed certificates on startup:
omero.certificates.autogenerate: defaulttrueIf
omero.certificates.autogenerate: truethenomero admin rewritewill create a new self-signed PKCS12 certificate using theopensslutility and store it inomero.glacier2.IceSSL.CertFilewith passwordomero.glacier2.IceSSL.Password. The public certificate will be regenerated on every start to avoid worrying about expiry dates. Intermediate filesserver.pem(self-signed certificate in PEM format) andserver.key(private key in PEM format) will be stored inomero.glacier2.IceSSL.DefaultDir. Most of this functionality is already implemented by the omero-certificates plugin, though some work will be required to remove the automatic setting of properties.If
omero.certificates.autogenerate: falsethe sysadmin is responsible for creating certificates and changing any default properties.