openssl / openssl

TLS/SSL and crypto library
https://www.openssl.org
Apache License 2.0

Enforcing TLS-SRP #15525

Open SoniEx2 opened 3 years ago

SoniEx2 commented 3 years ago

(Not using a mailing list that requires plaintext passwords)
OpenSSL version: OpenSSL 1.1.1k 25 Mar 2021
OS: Arch Linux x86_64

We're trying to use TLS-SRP (as the only PAKE supported in OpenSSL) to deploy what we call "TLS-on-LAN", see e.g. https://github.com/SoniEx2/torxchat/issues/2, but we can't figure out how to check if SRP was used in the connection so as to enforce its usage. Is there any API we can use to do so?

SoniEx2 commented 3 years ago

SSL_get_srp_g and SSL_get_srp_N seem like they could be used for this, but it feels kinda wrong to use them...

kaduk commented 3 years ago

What level of verification do you need? Use of an SRP ciphersuite would be one indicator that's easy to obtain.

SoniEx2 commented 3 years ago

The primary concern is that a malicious MITM could somehow evade SRP and trigger the "skip no cert" condition here: https://github.com/SoniEx2/torxchat/commit/390240ac622ab1d81704bad694ba6187738ae9b8#diff-678b8d5834470852c8ce43b0216dba38593f023232c298f89f81a97d2aa166d1R600

This would be a pretty big problem.

richsalz commented 3 years ago

Do you know how TLS works? Does this malicious MITM modify messages along the path? How would that work with the handshake digest?

SoniEx2 commented 3 years ago

To put it simply, LANs are generally vulnerable to ARP attacks and stuff. You can easily replace whole servers on a LAN.

Obviously if such an attacker knows the password it's game over, but assuming they don't, is everything else here alright? Given that there was a "no cert" codepath in the first place, and given that the SRP username/password are ignored if the server doesn't support SRP... are there any cases where an attacker can provide no cert and no SRP and still make a successful connection?

(It'd still be nice to make the connection fail if the server doesn't provide SRP but provides a valid cert, tho...)

richsalz commented 3 years ago

> are there any cases where an attacker can provide no cert and no SRP and still make a successful connection?

no.

SoniEx2 commented 3 years ago

Alright. Still, how does one enforce the use of SRP? Just check that SSL_get_srp_g or SSL_get_srp_N isn't NULL? Is it possible to re-negotiate the ciphersuite after negotiating SRP? (Also re-negotiation is bad, yeah?)

Just trying not to mess this up.

richsalz commented 3 years ago

Did you read https://github.com/openssl/openssl/issues/15525#issuecomment-850724450 ?

As for renegotiation, there are SSL_OP modes to disable it.

SoniEx2 commented 3 years ago

This does seem to work https://github.com/SoniEx2/torxchat/commit/a92a41f88f29015f436b00ae32feda3be0840e95

nhorman commented 1 month ago

Marking as inactive, to be closed at the end of 3.4 dev barring further input