X-SSL-cipher header reports TLS connections as SSLv3
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
pound (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
# Steps to reproduce
1. Copy the attached `pound.cfg` to `/etc/pound/`
2. Copy the attached `pound-
3. Open a TCP port on port 8080: `netcat -t -l -p 8080`
4. `service pound start`
5. Make a TLS (not SSL!) request: `curl --tlsv1 --ciphers 'AES128-SHA' -k https:/
6. Look at the stdout of netcat, and see the value of HTTP request header X-SSL-cipher that pound has injected into the request
## Expected
The connection is reported to be TLS
## Actual
The connection is reported to be SSLv3: "AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1"
Wireshark debugging confirms that the curl connection is indeed a TLS connection, rather than an SSLv3 connection.
# Impact
When trying to determine the impact of disabling SSLv3 (re POODLE), we searched
our logs for how many clients used SSLv3, and this bug caused us to believe we
had more SSLv3 traffic than we actually did.
# Why this is reported to be SSLv3
Looking into the pound code[0], X-SSL-cipher is populated with the result of SSL_CIPHER_
In SSL_CIPHER_
The AES ciphers are TLSv1 ciphers, and hence are reported as SSLv3 by pound/openssl.
# Proposed fix
Add an X-SSL-version header, using SSL_get_
0. https:/
1. https:/
2. https:/
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: pound 2.6-3
ProcVersionSign
Uname: Linux 3.13.0-40-generic x86_64
NonfreeKernelMo
ApportVersion: 2.14.1-0ubuntu3.5
Architecture: amd64
Date: Mon Dec 1 14:03:04 2014
EcryptfsInUse: Yes
InstallationDate: Installed on 2014-06-30 (154 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64+mac (20140417)
SourcePackage: pound
UpgradeStatus: No upgrade log present (probably fresh install)
mtime.conffile.
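For the log review described under "Impact", the sketch below is an added example (not part of the bug report or of pound) that treats the protocol tag in an `X-SSL-cipher` value as the earliest protocol the suite exists in, and so reports a lower and upper bound on SSLv3 requests instead of a single count. It assumes the proposed `X-SSL-version` header, when present, carries strings such as `SSLv3` or `TLSv1`; all sample records except the first cipher string are constructed.

```python
import re
from collections import Counter

# name, protocol tag, then the Kx=/Au=/Enc=/Mac= fields of the description string
DESC_RE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=\S+\s+Au=\S+\s+Enc=\S+\s+Mac=\S+\s*$")

def classify(cipher_header, version_header=None):
    """Classify one request as 'sslv3', 'tls', 'ambiguous' or 'unparsed'."""
    if version_header is not None:
        # Assumption: this header carries the negotiated protocol string.
        v = version_header.strip()
        if v == "SSLv3":
            return "sslv3"
        return "tls" if v.startswith("TLSv1") else "unparsed"
    m = DESC_RE.match(cipher_header.strip())
    if not m:
        return "unparsed"
    tag = m.group(2)
    if tag.startswith("TLSv1"):
        return "tls"        # suite does not exist in SSLv3, so SSLv3 is ruled out
    if tag == "SSLv3":
        return "ambiguous"  # suite exists from SSLv3 onwards; TLS is not ruled out
    return "unparsed"

def sslv3_bounds(records):
    """Return (counts, lowest, highest) possible number of SSLv3 requests."""
    counts = Counter(classify(c, v) for c, v in records)
    return counts, counts["sslv3"], counts["sslv3"] + counts["ambiguous"]

# Constructed records: (X-SSL-cipher value, X-SSL-version value or None).
SAMPLE = [
    ("AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1", None),
    ("ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD", None),
    ("RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1", None),
    ("AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256", None),
    ("AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1", "TLSv1"),
    ("RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1", "SSLv3"),
    ("-", None),
]

if __name__ == "__main__":
    counts, low, high = sslv3_bounds(SAMPLE)
    print(dict(counts))
    print(f"SSLv3 requests: between {low} and {high} of {len(SAMPLE)}")
```

Counting every `SSLv3` tag as an SSLv3 connection gives the upper bound only; the lower bound needs the negotiated protocol from the proxy or from a packet capture.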
I just learned Pound has an upstream bug tracker, in the form of a mailing list, so I've raised this issue here too: http://www.apsis.ch/pound/pound_list/archive/2014/2014-12/1417443802000#1417443802000