Support GnuTLS protocol strings

sardemff7 / eventd

A simple daemon to track remote or local events and do actions the user wants to

https://www.eventd.org

Other

46 stars 4 forks source link

Support GnuTLS protocol strings #25

Closed mathstuf closed 9 years ago

mathstuf commented 9 years ago

See discussion on abe7b18d88c5112f01a8f9382822a9a44b4d2d3c.

sardemff7 commented 9 years ago

I am not sure this should be added in eventd’s configuration. This is actually a system-wide preference, and you should just put the variable in your environment, so that all users of GIO TLS support will use your preference.

Is that really an issue to set this environment variable? You may even need to set other variables for other backends, do all libraries use the same format?

mathstuf commented 9 years ago

You're going to need to document it either way; offering SSLv2 or SSLv3 these days for encryption isn't really using encryption. Offering a place to put it right in the config file rather than having to remember "did I have it set right in the environment when I started?" is much nicer.

As for the strings, they're all different :( . OpenSSL has the most precise one, GnuTLS is OpenSSL-like, but has…issues with removing specific algorithms. I have no idea about NSS.

Anyways, here's a vastly better default:

"%SERVER_PRECEDENCE"          // use the server's precedences for algorithms
":NORMAL"                     // the normal suite
":-VERS-SSL3.0:-VERS-TLS1.0"  // SSLv3 and TLSv1.0 are vulnerable to POODLE
":-3DES-CBC"                  // 3DES is broken with CBC
":-ARCFOUR-128:-ARCFOUR-40"   // RC4 is broken
":-MD5"

I haven't done the SHA1 breakage removal yet either.

sardemff7 commented 9 years ago

Ok, I have some code to support that, but your string is wrong. I have to details, just GIO telling me “G_TLS_GNUTLS_PRIORITY is invalid; ignoring!”. Any idea?

mathstuf commented 9 years ago

I love how descriptive and informative security library errors are. Always the best. </s>

It seems there's no fool-proof way to make these strings. Mozilla says to use gnutls-cli to help:

https://wiki.mozilla.org/Security/Server_Side_TLS#GnuTLS_ciphersuite

I can take a look at it when I get home if you want.

sardemff7 commented 9 years ago

We could patch glib-networking to report the complete error (i.e. the position in the string) but not sure that would help much here. I will check with gnutls-cli.

If the string is system-dependent (or more precisely package-configuration-dependent) I cannot change the default, so I will just add the configuration.

sardemff7 commented 9 years ago

I check gnutls-cli -l output, and I have no "ARCFOUR-40" (GnuTLS 3.4.5). On my server, still lagging with GnuTLS 3.2.18, it is there, same for a server under Debian oldstable (GnuTLS 2.12.20).

So they probably removed it from the default suite, or maybe entirely.

I pushed 36d2e03dd210c8055ba0ddae438ca37a445a4f7b to add a configuration key. It will work only server-side and has no default value.

Once glib-networking will gain an OpenSSL module, I will have to add a new configuration key (if they provide an environment variable, which is not currently the case in the WIP code).