Harden HTTPS access

[steve8x8]

Although user credentials are sent over http after logging in, it might be a useful exercise to harden the https part. Remove rc4 ciphers (and perhaps everything with too short a key), verify peer, etc. This may seriously break on platforms I cannot test on. Volunteers wanted, patch will be provided.

[steve8x8]

Um, how does one upload a patch here? Until I find out, here's it:

+++ geotoad.myown/lib/shadowget.rb      2015-07-23 13:25:09.212171998 +0200
--- geotoad.trunc/lib/shadowget.rb      2015-07-15 16:44:13.000000000 +0200
@@ -280,14 +280,19 @@
     end
     if uri.scheme == 'https'
       http.use_ssl = true
-      http.verify_mode = OpenSSL::SSL::VERIFY_NONE
-      # openssl 1.0.1 tends to produce long headers which gc doesnt handle
-      # reduce set of ciphers to the one that's known to work with 1.0.0h
-      # http://gursevkalra.blogspot.de/2009/09/ruby-and-openssl-based-ssl-cipher.html
-      http.ciphers = [ 'RC4-SHA', 'AES128-SHA', 'AES256-SHA', 'DES-CBC3-SHA' ]
-      # force ssl context to TLSv1/SSLv3
-      # http://www.ruby-forum.com/topic/200072
-      http.instance_eval { @ssl_context = OpenSSL::SSL::SSLContext.new(:TLSv1) }
+      # this was for a long time kind of security by obscurity
+      http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      # reduce set of ciphers
+      # https://www.ssllabs.com/ssltest/analyze.html?d=geocaching.com, drop <256 bit
+      #http.ciphers = [ 'RC4-SHA', 'AES128-SHA', 'AES256-SHA', 'DES-CBC3-SHA' ]
+      #http.ciphers = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers].split(/:/).map{ |c|
+      #  (c =~ /(RC4|AES128|DES)/) ? nil : c
+      #}.compact.join(':')
+      http.ciphers = OpenSSL::SSL::SSLContext.new(:TLSv1_2).ciphers.map{ |c,x,y,z|
+        (z >= 256) ? c : nil
+      }.compact.join(':')
+      # force ssl context http://www.ruby-forum.com/topic/200072
+      http.instance_eval { @ssl_context = OpenSSL::SSL::SSLContext.new(:TLSv1_2) }
     end

     query = uri.path

I'd love to learn whether this works in Windows and MacOS environments and for Ruby 1.9.x and up (it does for Debian Jessie, with Ruby 2.1.5)

[steve8x8]

Patch has been committed - please test before 3.24.1 gets released in four weeks time.

[steve8x8]

There has been some testing (see Issue #326) that made me add a fallback for older Ruby versions which may not support TLSv1_2 (but support TLSv1). I've been testing this with Debian Wheezy's ruby1.9.1 (which is a 1.9.3). Yesterday's commit 89fd389 should make git head work again for older Rubies.

[steve8x8]

AFAICT 3.24.1 has enough fallback code to survive with Ruby 1.9 that doesn't provide TLSv1_2 - in weakened mode. Upcoming releases will require Ruby >= 2.0 to overcome this.

Issue considered resolved. Leaving open for documentation purposes.

[IByte]

GeoToad 3.24.1 doesn't work for me (official Windows build). I get the following error:

[0] => C:/WINDOWS/TEMP/ocr69D7.tmp/src/lib/shadowget.rb:257:in fetchRemote': undefined methodlength' for nil:NilClass (NoMethodError) [1] => from C:/WINDOWS/TEMP/ocr69D7.tmp/src/lib/shadowget.rb:169:in fetch' [2] => from C:/WINDOWS/TEMP/ocr69D7.tmp/src/geotoad.rb:215:inversionCheck' [3] => from C:/WINDOWS/TEMP/ocr69D7.tmp/src/geotoad.rb:1007:in `' [4] => (===) GeoToad 3.24.1 (Ruby 2.0.0p645/2015-04-13 on i386-mingw32) [5] => *\ Cannot connect to raw.githubusercontent.com:443: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed [6] => ( - ) Offline mode: not fetching https://raw.githubusercontent.com/wiki/steve8x8/geotoad/CurrentVersion.md

[steve8x8]

That's bad news. OTOH, since I seem to be unable to set up a working Windows VM that can run Ruby >= 2.1, 3.24.0 (which had no such reports, but an insecure HTTPS connection) may be the last release with a pre-built Windows installer for now :( (See issue #301 as well.) There's always the option to visit http://rubyinstaller.org (no www. prefixed!), install your favourite and latest bug-fixed version, and use the tarball to run. There have been various complaints for a long time that the Windows executable would cause security issues (because it's run from a temporary directory), which would be another reason to drop the Installer. Looks like the WayToGo - Issue #327 has been created to cover this.

[steve8x8]

Since this seems to be (yet unconfirmed though) a Windows-only issue (Unixoid OSes handle certificates in a more consistent way), the discussion continues in Issue #329, closing here.