disable export grade ciphers

Bug #1590163 reported by Stephan Hennig
This bug affects 1 person
Affects: openssl (Ubuntu)
Status: Fix Released
Importance: Wishlist
Assigned to: Unassigned

Bug Description

# System

device: Aquaris BQ E4.5
OS: Ubuntu 15.04, OTA-11
OpenSSL version:
  $dpkg --list |grep libssl
ii libssl1.0.0:armhf 1.0.1f-1ubuntu11.6 armhf Secure Sockets Layer toolkit - shared libraries

# Observed behaviour

OpenSSL provides export grade ciphers:

  $openssl ciphers -v EXP
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-ADH-DES-CBC-SHA SSLv3 Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-ADH-RC4-MD5 SSLv3 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

# Expected behaviour

No export grade ciphers are provided in binaries.

# Rationale

Export grade ciphers are insecure. By design. In response to FREAK and
Logjam attacks, OpenSSL developers disabled export grade ciphers in
OpenSSL v1.0.1m (March 2015),
cf. <URL:https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/>.

To bypass similar future attacks, deactivation of export grade ciphers should be
backported to 15.04.

Stephan Hennig (sh2d-h)
information type: Private Security → Public
Seth Arnold (seth-arnold) wrote :

I wonder if this is a good way to find the supported ciphers list?

sarnold@sec-trusty-amd64:~/qrt-test-imagemagick$ openssl ciphers -v EXP
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-ADH-DES-CBC-SHA SSLv3 Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-ADH-RC4-MD5 SSLv3 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

sarnold@sec-wily-amd64:~/qrt-test-imagemagick$ openssl ciphers -v EXP
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-ADH-DES-CBC-SHA SSLv3 Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-ADH-RC4-MD5 SSLv3 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

And a 16.04 LTS system:
$ openssl ciphers -v EXP
Error in cipher list
140090662590104:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1380:

None of these are attempts to -use- the ciphers though.

Thanks

information type: Public → Public Security
Stephan Hennig (sh2d-h) wrote :

The above-mentioned command shows that export grade ciphers are supported. That doesn't mean they are considered during cipher negotiation or even advertised by the client. But those ciphers are part of certain cipher strings, like ALL, DES, SHA etc. A user/developer not explicitly disabling export grade ciphers using !EXP in the cipher string argument may advertise those ciphers unintentionally, exposing an app to (yet) future attacks trying to mitigate negotiated cipher strength, like FREAK and Logjam attacks did.

The crux is, end-users have no easy way to monitor cipher negotiation and file bugs against a particular app. Even if one sets up his own test server to check a particular app, that effort seems wasted, since many apps can benefit from disabling unsafe ciphers in one central piece of code - the SSL library.

As for the planned 16.04 transition, which updates OpenSSL to a version with export grade ciphers already disabled, I've heard rumours that no decision has been made up until today whether all current devices will take part in the transition to 16.04. If a new attack is made public after support ended for a particular device that is still on 15.04, users cannot use that device for trusted communication anymore.

Yes, disabling export grade ciphers is an investment into the future anticipating new attacks. But that future may be tomorrow. I suggest acting now, disabling export grade ciphers for the next OTA and be on the safe(er) side. At least, reasoning of OpenSSL developers seems to be along these lines (see link given in original bug report).
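
An added example, not part of the original report or of any commenter's post: a shell script for the check discussed in the two comments above, counting how many export-grade suites a cipher string such as ALL, DES or SHA expands to with and without `!EXP`. The helper names `find_export_suites` and `count_export_in` and the `SAMPLE` variable are assumptions made for this example; like `openssl ciphers -v` itself, it reports what the library would enable for a cipher string, not what a given application negotiates.

```shell
#!/bin/sh
# Added example: audit cipher strings for export-grade suites.

# Sample `openssl ciphers -v` lines. The two EXP lines appear in the report;
# the AES128-SHA line is constructed for contrast.
SAMPLE='EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export'

# find_export_suites (hypothetical helper): read `openssl ciphers -v` output on
# stdin and print the name of every suite carrying an export marker: the
# trailing "export" flag, a 40-bit Enc= key, or a 512-bit Kx= key exchange.
find_export_suites() {
    awk '{
        weak = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "export")           weak = 1
            if ($i ~ /^Enc=.*\(40\)$/)    weak = 1
            if ($i ~ /^Kx=.*\(512\)$/)    weak = 1
        }
        if (weak) print $1
    }'
}

# count_export_in (hypothetical helper): expand one cipher string with the
# local openssl and count the export-grade suites it enables. A failed
# expansion ("no cipher match", as on the 16.04 system) counts as 0.
count_export_in() {
    out=$(openssl ciphers -v "$1" 2>/dev/null) || { echo 0; return 0; }
    printf '%s\n' "$out" | find_export_suites | wc -l | tr -d ' '
}

# Offline check against the sample lines.
printf '%s\n' "$SAMPLE" | find_export_suites

# Live check: the aliases named in the comment, with and without !EXP.
if command -v openssl >/dev/null 2>&1; then
    for s in 'ALL' 'DES' 'SHA' 'ALL:!EXP' 'DES:!EXP' 'SHA:!EXP'; do
        printf '%-10s %s export-grade suites\n' "$s" "$(count_export_in "$s")"
    done
fi
```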

Changed in openssl (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
Oibaf (oibaf) wrote :

This was done in Ubuntu jammy/22.04. See release notes: https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes/24668
Security Level 2 is now enforced, see here for some more info: https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_security_level.html

Changed in openssl (Ubuntu):
status: Confirmed → Fix Released