Open SoniEx2 opened 3 years ago
SSL_get_srp_g and SSL_get_srp_N seem like they could be used for this, but it feels kinda wrong to use them...
What level of verification do you need? Use of an SRP ciphersuite would be one indicator that's easy to obtain.
The primary concern is that a malicious MITM could somehow evade SRP and trigger the "skip no cert" condition here: https://github.com/SoniEx2/torxchat/commit/390240ac622ab1d81704bad694ba6187738ae9b8#diff-678b8d5834470852c8ce43b0216dba38593f023232c298f89f81a97d2aa166d1R600
This would be a pretty big problem.
Do you know how TLS works? Does this malicious MITM modify messages along the path? How would that work with the handshake digest?
To put it simply, LANs are generally vulnerable to ARP attacks and stuff. You can easily replace whole servers on LAN.
Obviously if such an attacker knows the password it's game over, but assuming they don't, is everything else here alright? Given that there was a "no cert" codepath in the first place, and given that the SRP username/password are ignored if the server doesn't support SRP... are there any cases where an attacker can provide no cert and no SRP and still make a successful connection?
(It'd still be nice to make the connection fail if the server doesn't provide SRP but provides a valid cert, tho...)
> are there any cases where an attacker can provide no cert and no SRP and still make a successful connection?
no.
Alright. Still, how does one enforce the use of SRP? Just check that SSL_get_srp_g or SSL_get_srp_N isn't NULL? Is it possible to re-negotiate the ciphersuite after negotiating SRP? (Also re-negotiation is bad, yeah?)
Just trying not to mess this up.
Did you read https://github.com/openssl/openssl/issues/15525#issuecomment-850724450 ?
As for renegotiation, there are SSL_OP modes to disable it.
This does seem to work https://github.com/SoniEx2/torxchat/commit/a92a41f88f29015f436b00ae32feda3be0840e95
Marking as inactive, to be closed at the end of 3.4 dev barring further input
(Not using a mailing list that requires plaintext passwords)
OpenSSL version: OpenSSL 1.1.1k 25 Mar 2021
OS: Arch Linux x86_64
We're trying to use TLS-SRP (as the only PAKE supported in OpenSSL) to deploy what we call "TLS-on-LAN", see e.g. https://github.com/SoniEx2/torxchat/issues/2, but we can't figure out how to check if SRP was used in the connection so as to enforce its usage. Is there any API we can use to do so?