X-SSL-cipher header reports TLS connections as SSLv3

Bug #1398007 reported by Tom
This bug affects 1 person
Affects Status Importance Assigned to Milestone
pound (Ubuntu)

Bug Description

# Steps to reproduce
1. Copy the attached `pound.cfg` to `/etc/pound/`
2. Copy the attached `pound-test-cert.pem` to `/etc/ssl/private/`
3. Open a TCP port on port 8080: `netcat -t -l -p 8080`
4. `service pound start`
5. Make a TLS (not SSL!) request: `curl --tlsv1 --ciphers 'AES128-SHA' -k`
6. Look at the stdout of netcat, and see the value of HTTP request header X-SSL-cipher that pound has injected into the request

## Expected
The connection is reported to be TLS

## Actual
The connection is reported to be SSLv3: "AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1"

Wireshark debugging confirms that the curl connection is indeed a TLS connection, rather than a SSLv3 connection.

# Impact
When trying to determine the impact of disabling SSLv3 (re POODLE), we searched
our logs for how many clients used SSLv3, and this bug caused us to believe we
had more SSLv3 traffic than we actually did.

# Why this is reported to be SSLv3
Looking into the pound code[0], X-SSL-cipher is populated with the result of SSL_CIPHER_description().
In SSL_CIPHER_description() "The TLSv1.0 ciphers are flagged with SSLv3."[1].
The AES ciphers are TLSv1 ciphers, and hence are reported as SSLv3 by pound/openssl.

# Proposed fix
Add a X-SSL-version header, using SSL_get_version()[2]. I can produce a patch for this, if it is considered an acceptable change.

0. https://github.com/mandiant/pound/blob/a3705bc06e44ec4a229fd38760d6c04c43ced6b6/http.c#L943
1. https://www.openssl.org/docs/ssl/SSL_CIPHER_get_name.html
2. https://www.openssl.org/docs/ssl/SSL_get_version.html

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: pound 2.6-3
ProcVersionSignature: Ubuntu 3.13.0-40.69-generic
Uname: Linux 3.13.0-40-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.14.1-0ubuntu3.5
Architecture: amd64
Date: Mon Dec 1 14:03:04 2014
EcryptfsInUse: Yes
InstallationDate: Installed on 2014-06-30 (154 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64+mac (20140417)
SourcePackage: pound
UpgradeStatus: No upgrade log present (probably fresh install)
mtime.conffile..etc.pound.pound.cfg: 2014-12-01T13:40:35.426220

Revision history for this message
Tom (tom5559-deactivatedaccount) wrote :
Revision history for this message
Tom (tom5559-deactivatedaccount) wrote :

I just learned Pound has an upstream bug tracker, in the form of a mailing list, so I've raised this issue here too: http://www.apsis.ch/pound/pound_list/archive/2014/2014-12/1417443802000#1417443802000

Revision history for this message
Tom (tom5559-deactivatedaccount) wrote :

This patch is also available in Github: https://github.com/tomfitzhenry/pound/commit/502626f9f5258d5079fbf6424177a9507ff6472e

I've sent this patch upstream, too.

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "0001-Add-X-SSL-version-header.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Revision history for this message
Thijs Kinkhorst (kink) wrote :

This has been merged in upstream experimental release v2.7e

Changed in pound (Ubuntu):
status: New → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pound - 3.0-1

pound (3.0-1) unstable; urgency=medium

  [ Carsten Leonhardt ]
  * New upstream version
    As pound 3.0 was rewritten from scratch, also most Ubuntu bug reports
    no longer apply (LP: #1189764, LP: #1398007, LP: #1639888)
  * Upstream is out of beta, upload to unstable
  * Add debian/NEWS to inform about new configuration format and file name

  [ Debian Janitor ]
  * debian/copyright: use spaces rather than tabs to start continuation lines.
  * Remove obsolete fields Contact, Name from debian/upstream/metadata (already
    present in machine-readable debian/copyright).
  * Fix day-of-week for changelog entries 2.5-1.1, 2.4.3-1, 2.4.2-1, 2.4-2.

 -- Carsten Leonhardt <email address hidden> Thu, 05 Nov 2020 01:45:01 +0100

Changed in pound (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers