

Re: Disable SSLv3 and set cipher list for bozohttpd



Hi tech-security,

Below is a patch which adds a new command line argument to
bozohttpd (-z) which can be used to override a built in
cipher list.

I will leave the discussion of which ciphers to include by default to
others; the list below still earns an A- score from the Qualys SSL Labs
Server Test tool[1].

I welcome any feedback on the patch below. Please
let me know if I should create a PR.

Thanks,
Travis Paul

[1] https://www.ssllabs.com/ssltest/index.html

Index: bozohttpd.8
===================================================================
RCS file: /cvsroot/src/libexec/httpd/bozohttpd.8,v
retrieving revision 1.56
diff -u -r1.56 bozohttpd.8
--- bozohttpd.8 29 Nov 2015 15:58:07 -0000      1.56
+++ bozohttpd.8 12 Dec 2015 05:17:11 -0000
@@ -34,7 +34,7 @@
 .Nd hyper text transfer protocol version 1.1 daemon
 .Sh SYNOPSIS
 .Nm
-.Op Fl EHVXefhnsu
+.Op Fl EHVXbefhnsu
 .Op Fl C Ar suffix cgihandler
 .Op Fl I Ar port
 .Op Fl L Ar prefix script
@@ -49,6 +49,7 @@
 .Op Fl t Ar chrootdir
 .Op Fl v Ar virtualroot
 .Op Fl x Ar index
+.Op Fl z Ar ciphers
 .Ar slashdir
 .Op Ar myname
 .Sh DESCRIPTION
@@ -303,6 +304,8 @@
 .Dq index.html
 to
 .Ar index .
+.It Fl z Ar ciphers
+Sets the list of SSL ciphers.
 .It Fl Z Ar certificate_path privatekey_path
 Sets the path to the server certificate file and the private key file
 in pem format.
@@ -425,7 +428,7 @@
 .Dq -lcrypt .
 .Ss SSL SUPPORT
 .Nm
-has support for SSLv2, SSLv3, and TLSv1 protocols that is included by
+has support for TLSv1.1 and TLSv1.2 protocols that are included by
 default.
 It requires linking with the crypto and ssl library, using
 .Dq -lcrypto -lssl .
@@ -436,7 +439,7 @@
 on the compiler command line.
 .Ss COMPRESSION
 .Nm
-supports a very basic form compression.
+supports a very basic form of compression.
 .Nm
 will serve the requested file postpended with
 .Dq Pa .gz
Index: bozohttpd.h
===================================================================
RCS file: /cvsroot/src/libexec/httpd/bozohttpd.h,v
retrieving revision 1.38
diff -u -r1.38 bozohttpd.h
--- bozohttpd.h 28 Oct 2015 09:20:15 -0000      1.38
+++ bozohttpd.h 12 Dec 2015 05:17:11 -0000
@@ -241,11 +241,13 @@
 /* ssl-bozo.c */
 #ifdef NO_SSL_SUPPORT
 #define bozo_ssl_set_opts(w, x, y)     do { /* nothing */ } while (0)
+#define bozo_ssl_set_ciphers(x, y)     do { /* nothing */ } while (0)
 #define bozo_ssl_init(x)               do { /* nothing */ } while (0)
 #define bozo_ssl_accept(x)             (0)
 #define bozo_ssl_destroy(x)            do { /* nothing */ } while (0)
 #else
 void   bozo_ssl_set_opts(bozohttpd_t *, const char *, const char *);
+void   bozo_ssl_set_ciphers(bozohttpd_t *, const char *);
 void   bozo_ssl_init(bozohttpd_t *);
 int    bozo_ssl_accept(bozohttpd_t *);
 void   bozo_ssl_destroy(bozohttpd_t *);
Index: main.c
===================================================================
RCS file: /cvsroot/src/libexec/httpd/main.c,v
retrieving revision 1.10
diff -u -r1.10 main.c
--- main.c      29 Nov 2015 15:26:10 -0000      1.10
+++ main.c      12 Dec 2015 05:17:11 -0000
@@ -111,6 +111,7 @@
        bozo_warn(httpd,
                "   -x index\t\tchange default `index.html' file name");
 #ifndef NO_SSL_SUPPORT
+       bozo_warn(httpd, "   -z ciphers\t\tspecify SSL ciphers");
        bozo_warn(httpd,
                "   -Z cert privkey\tspecify path to server certificate"
                        " and private key file\n"
@@ -145,7 +146,7 @@
         */

        while ((c = getopt(argc, argv,
-           "C:EHI:L:M:P:S:U:VXZ:bc:defhi:np:st:uv:x:")) != -1) {
+           "C:EHI:L:M:P:S:U:VXZ:bc:defhi:np:st:uv:x:z:")) != -1) {
                switch (c) {

                case 'L':
@@ -187,6 +188,16 @@
                case 'S':
bozo_set_pref(&prefs, "server software", optarg);
                        break;
+
+               case 'z':
+#ifdef NO_SSL_SUPPORT
+ bozo_err(&httpd, 1, "ssl support is not enabled");
+                       /* NOT REACHED */
+#else
+                       bozo_ssl_set_ciphers(&httpd, optarg);
+                       break;
+#endif /* NO_SSL_SUPPORT */
+
                case 'Z':
 #ifdef NO_SSL_SUPPORT
bozo_err(&httpd, 1, "ssl support is not enabled");
Index: ssl-bozo.c
===================================================================
RCS file: /cvsroot/src/libexec/httpd/ssl-bozo.c,v
retrieving revision 1.18
diff -u -r1.18 ssl-bozo.c
--- ssl-bozo.c  17 Jul 2014 06:27:52 -0000      1.18
+++ ssl-bozo.c  12 Dec 2015 05:17:11 -0000
@@ -48,6 +48,10 @@
 #define USE_ARG(x)     /*LINTED*/(void)&(x)
 #endif

+#ifndef BOZO_SSL_CIPHERS
+#define BOZO_SSL_CIPHERS "-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
+#endif
+
 /* this structure encapsulates the ssl info */
 typedef struct sslinfo_t {
        SSL_CTX                 *ssl_context;
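Review bot: Every suite named explicitly in BOZO_SSL_CIPHERS (AES128-GCM-SHA256, AES256-SHA, ...) uses RSA key exchange, so as far as I can tell from OpenSSL's cipher-string rules the ECDHE/DHE suites only enter through the trailing bare `AES` alias and sit behind the non-forward-secret ones in preference order, which is probably why SSL Labs stops at A-. The leading `-SHA` also looks ineffective: nothing is enabled yet when it is applied, and `AES128-SHA`, `AES256-SHA` and `AES` re-enable SHA1-MAC suites afterwards; likewise `!DES` matches single DES only, not 3DES, which is why the three explicit `!...-DES-CBC3-SHA` entries are needed. Something like `EECDH+AESGCM:EDH+AESGCM:EECDH+AES:EDH+AES:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH` would put forward-secret suites first, but ECDHE/DHE suites are only actually offered if bozo_ssl_init installs ECDH/DH parameters (SSL_CTX_set_ecdh_auto / SSL_CTX_set_tmp_dh), which I cannot see in this patch. A comment above the #define stating the intent of the list and which suites are deliberately excluded would help whoever revisits it.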
@@ -55,6 +59,7 @@
        SSL                     *bozossl;
        char                    *certificate_file;
        char                    *privatekey_file;
+       char                    *ciphers;
 } sslinfo_t;

 /*
@@ -196,6 +201,15 @@
        sslinfo->ssl_method = SSLv23_server_method();
        sslinfo->ssl_context = SSL_CTX_new(sslinfo->ssl_method);

+       SSL_CTX_set_options(sslinfo->ssl_context,
+           SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
+
+       if (!SSL_CTX_set_cipher_list(sslinfo->ssl_context,
+           sslinfo->ciphers ? sslinfo->ciphers : BOZO_SSL_CIPHERS))
+               bozo_ssl_err(httpd, EXIT_FAILURE,
+                   "Error setting cipher list '%s'",
+                   sslinfo->ciphers);
+
        if (NULL == sslinfo->ssl_context)
                bozo_ssl_err(httpd, EXIT_FAILURE,
                    "SSL context creation failed");
@@ -261,6 +275,7 @@
                if (sslinfo == NULL)
                        bozo_err(httpd, 1, "sslinfo allocation failed");
                httpd->sslinfo = sslinfo;
+               sslinfo->ciphers = NULL;
        }
        sslinfo->certificate_file = strdup(cert);
        sslinfo->privatekey_file = strdup(priv);
@@ -271,6 +286,23 @@
                httpd->bindport = strdup("https");
 }

+void
+bozo_ssl_set_ciphers(bozohttpd_t *httpd, const char *ciphers)
+{
+       sslinfo_t *sslinfo = httpd->sslinfo;
+
+       if (sslinfo == NULL) {
+               sslinfo = bozomalloc(httpd, sizeof(*sslinfo));
+               if (sslinfo == NULL)
+                       bozo_err(httpd, 1, "sslinfo allocation failed");
+               httpd->sslinfo = sslinfo;
+       }
+       if ((sslinfo->ciphers = strdup(ciphers)) == NULL)
+               bozo_err(httpd, 1, "cipher list allocation failed");
+       debug((httpd, DEBUG_NORMAL, "using ciphers: %s",
+               sslinfo->ciphers));
+}
+
 #endif /* NO_SSL_SUPPORT */

 int
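Review bot: When `-z` is given without `-Z`, bozo_ssl_set_ciphers allocates sslinfo itself but fills in only ciphers, leaving certificate_file and privatekey_file with whatever bozomalloc left there (I cannot see whether it zero-fills), and a non-NULL httpd->sslinfo presumably makes bozo_ssl_init go on to load a certificate from those fields. Initialise all three pointers in the allocation branch, `sslinfo->certificate_file = sslinfo->privatekey_file = sslinfo->ciphers = NULL;`, mirroring what bozo_ssl_set_opts does for ciphers, and let bozo_ssl_init fail with a clear message when no certificate was configured. A repeated `-z` also leaks the earlier strdup; a `free(sslinfo->ciphers);` before the strdup fixes that once the field is reliably NULL. A short header comment saying that ciphers is an OpenSSL cipher-list string that is only validated later in bozo_ssl_init would help the next reader.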



