
Add support for TLSv1.3 ciphersuites as for #4769 #5988

Merged
merged 4 commits into from
Aug 2, 2021

Conversation

evilaliv3
Contributor

@evilaliv3 evilaliv3 commented Jun 11, 2021

See reference ticket: #4769 where this patch was previously discussed

Changes made in this PR

  • Removed TLSv1.2 and only TLSv1.3 is allowed
  • SSLSessionTickets is now off (read this post for details)
  • Because of only TLSv1.3 we don't have to mention cipher order

How to test?

  • Create a production instance with self signed certificate
  • make build-debs in this branch
  • scp the securedrop-app-code debian package and install on the app server.
  • Verify TLS still works and also you can check that only TLSv1.3 is allowed.

Output from testssl script

 localhost:443 appears to support TLS 1.3 ONLY. You better use --openssl=<path_to_openssl_supporting_TLS_1.3>                                                                                      
 Type "yes" to proceed and accept all scan problems --> yes                                                                                                                                        
 Service detected:       HTTP                                                                                                                                                                      
                                                                                                                                                                                                   
                                                                                                                                                                                                   
 Testing protocols via sockets except NPN+ALPN                                                                                                                                                     
                                                                                                                                                                                                   
 SSLv2      not offered (OK)                                                                                                                                                                       
 SSLv3      not offered (OK)                                                                                                                                                                       
 TLS 1      not offered                                                                                                                                                                            
 TLS 1.1    not offered                                                                                                                                                                            
 TLS 1.2    not offered                                                                                                                                                                            
 TLS 1.3    offered (OK): final                                                                                                                                                                    
 NPN/SPDY   not offered                                                                                                                                                                            
 ALPN/HTTP2 not offered                                                                                                                                                                            
                                                                                                                                                                                                   
 Testing cipher categories                                                                                                                                                                         
                                                                                                                                                                                                   
 NULL ciphers (no encryption)                      not offered (OK)                                                                                                                                
 Anonymous NULL Ciphers (no authentication)        not offered (OK)                                                                                                                                
 Export ciphers (w/o ADH+NULL)                     not offered (OK)                                                                                                                                
 LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export)      not offered (OK)                                                                                                                                
 Triple DES Ciphers / IDEA                         not offered                                                                                                                                     
 Obsoleted CBC ciphers (AES, ARIA etc.)            not offered                                                                                                                                     
 Strong encryption (AEAD ciphers) with no FS       not offered                                                                                                                                     
 Forward Secrecy strong encryption (AEAD ciphers)  offered (OK)        

 Testing server's cipher preferences
                                                                                                                                                                                                   
 Has server cipher order?     no (TLS 1.3 only)
 Negotiated protocol          TLSv1.3
 Negotiated cipher            TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) (limited sense as client will pick)
 Cipher per protocol

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
 - 
SSLv3
 - 
TLSv1
 - 
TLSv1.1
 - 
TLSv1.2
 - 
TLSv1.3 (no server order, thus listed by strength)
 x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384                              
 x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                       
 x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256                              


 Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4 

 FS is offered (OK)           TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 
 Elliptic curves offered:     prime256v1 secp384r1 secp521r1 X25519 X448 


 Testing server defaults (Server Hello) 

 TLS extensions (standard)    "supported versions/#43" "key share/#51" "server name/#0" "supported_groups/#10"
 Session Ticket RFC 5077 hint no -- no lifetime advertised
 SSL Session ID support       yes
 Session Resumption           Tickets no, ID resumption test failed
 TLS clock skew               Random values, no fingerprinting possible 
 Client Authentication        none
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 4096 bits (exponent is 65537)
 Server key usage             --
 Server extended key usage    --
 Serial / Fingerprints        0993A52757660352BF13F2BF45E2654DE4F6AB39 / SHA1 AA0753791CEB3AB1E7B6273377F2E6D2D580E815
                              SHA256 92F83E2F2F6B555EABA2FF54A19E6B3ACB2388B1C36ED3D4C555FE1A7D9B55FA
 Common Name (CN)             www.example.com                                                                                                                                                      
 subjectAltName (SAN)         missing (NOT ok) -- Browsers are complaining                                                                                                                         
 Trust (hostname)             certificate does not match supplied URI (same w/o SNI)                                                                                                               
 Chain of trust               NOT ok (self signed)                                                                                                                                                 
 EV cert (experimental)       no                                                                                                                                                                   
 Certificate Validity (UTC)   3640 >= 60 days (2021-07-19 14:30 --> 2031-07-17 14:30)                                                                                                              
                              >= 10 years is way too long                                                                                                                                          
 ETS/"eTLS", visibility info  not present                                                                                                                                                          
 Certificate Revocation List  --                                                                                                                                                                   
 OCSP URI                     --                                                                                                                                                                   
                              NOT ok -- neither CRL nor OCSP URI provided                                                                                                                          
 OCSP stapling                not offered                                                                                                                                                          
 OCSP must staple extension   --                                                                                                                                                                   
 DNS CAA RR (experimental)    not offered                                                                                                                                                          
 Certificate Transparency     --                                                                                                                                                                   
 Certificates provided        1                                                                                                                                                                    
 Issuer                       www.example.com (Security from SI)                                                                                                                                   
 Intermediate Bad OCSP (exp.) Ok                                                                                                                                                                   
                                                                                                                                                                                                   
                                                                                                                                                                                                   
 Testing HTTP header response @ "/"                                                                                                                                                                
                                                                                                                                                                                                   
 HTTP Status Code           HTTP header reply empty. No HTTP status code.                                                                                                                          
 HTTP Status Code           HTTP header was repeatedly zero due to missing X25519/X448 curves.                                                                                                     
                            OpenSSL >=1.1.0 might help. Skipping complete HTTP header section.                                                                                                     
                                                                                                                                                                                                   
                                                                                                                                                                                                   
 Testing vulnerabilities                                                                                                                                                                           
                                                                                                                                                                                                   
 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension                                                                                                             
 CCS (CVE-2014-0224)                       not vulnerable (OK)                                                                                                                                     
 Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK), no session ticket extension                                                                                                        
 ROBOT                                     Server does not support any cipher suites that use RSA key transport                                                                                    
 Secure Renegotiation (RFC 5746)           not vulnerable (OK)                                                                                                                                     
 Secure Client-Initiated Renegotiation     not vulnerable (OK)                                                                                                                                     
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)                                                                                                                                     
 BREACH (CVE-2013-3587)                    First request failed (HTTP header request stalled and was terminated)
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK), no SSLv3 support
 TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible (OK), TLS 1.3 is the only protocol                                                                                                 
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)                                                                                                                                     
 FREAK (CVE-2015-0204)                     not vulnerable (OK)                                                                                                                                     
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)                     
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services                                                                          
                                           https://censys.io/ipv4?q=92F83E2F2F6B555EABA2FF54A19E6B3ACB2388B1C36ED3D4C555FE1A7D9B55FA could help you to find out                                    
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
 BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
 LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
 Winshock (CVE-2014-6321), experimental    not vulnerable (OK)
 RC4 (CVE-2013-2566, CVE-2015-2808)        not vulnerable (OK)


 Running client simulations (HTTP) via sockets 

 Browser                      Protocol  Cipher Suite Name (OpenSSL)       Forward Secrecy
------------------------------------------------------------------------------------------------
 Android 4.4.2                No connection
 Android 5.0.0                No connection
 Android 6.0                  No connection
 Android 7.0 (native)         No connection
 Android 8.1 (native)         No connection
 Android 9.0 (native)         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Android 10.0 (native)        TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Chrome 74 (Win 10)           TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Chrome 79 (Win 10)           TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Firefox 66 (Win 8.1/10)      TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Firefox 71 (Win 10)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 IE 6 XP                      No connection
 IE 8 Win 7                   No connection
 IE 8 XP                      No connection
 IE 11 Win 7                  No connection
 IE 11 Win 8.1                No connection
 IE 11 Win Phone 8.1          No connection
 IE 11 Win 10                 No connection
 Edge 15 Win 10               No connection
 Edge 17 (Win 10)             No connection
 Opera 66 (Win 10)            TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Safari 9 iOS 9               No connection
 Safari 9 OS X 10.11          No connection
 Safari 10 OS X 10.12         No connection
 Safari 12.1 (iOS 12.2)       TLSv1.3   TLS_CHACHA20_POLY1305_SHA256      253 bit ECDH (X25519)
 Safari 13.0 (macOS 10.14.6)  TLSv1.3   TLS_CHACHA20_POLY1305_SHA256      253 bit ECDH (X25519)
 Apple ATS 9 iOS 9            No connection
 Java 6u45                    No connection
 Java 7u25                    No connection
 Java 8u161                   No connection
 Java 11.0.2 (OpenJDK)        TLSv1.3   TLS_AES_128_GCM_SHA256            256 bit ECDH (P-256)
 Java 12.0.1 (OpenJDK)        TLSv1.3   TLS_AES_128_GCM_SHA256            256 bit ECDH (P-256)
 OpenSSL 1.0.2e               No connection
 OpenSSL 1.1.0l (Debian)      No connection
 OpenSSL 1.1.1d (Debian)      TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
 Thunderbird (68.3)           TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)


 Rating (experimental) 

 Rating specs (not complete)  SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)
 Specification documentation  https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
 Protocol Support (weighted)  0 (0)
 Key Exchange     (weighted)  0 (0)
 Cipher Strength  (weighted)  0 (0)
 Final Score                  0
 Overall Grade                T
 Grade cap reasons            Grade capped to T. Issues with the chain of trust (self signed)
                              Grade capped to M. Domain name mismatch

@evilaliv3 evilaliv3 requested a review from a team as a code owner June 11, 2021 10:05
@kushaldas kushaldas self-assigned this Jun 22, 2021
@kushaldas
Contributor

Thank you for this PR. I think we should also work/discuss to figure out how to enable this on the systems already provisioned on Focal.

@kushaldas
Contributor

While looking at the options to update the existing instances via postinst script of the securedrop-app-code package, I started wondering about what if we stop doing TLS1.2 completely?

Maybe someone running a very old version of Tails will not be able to access it. But the rest should be. Again, to access the v3 addresses, people must be running a newer version of Tails. So that takes care of the old Tails/Tor version problem.

@kushaldas
Contributor

Here is a table showing browser support https://docs.w3cub.com/browser_support_tables/tls1-3, we should be okay with all the working Tor Browsers.

@conorsch
Contributor

Agreed, the time for 1.3 has come. The change would land here:

# Evaluate support for TLSv1.3 in Tor Browser for Onions, conservatively
# we'll continue to support TLSv1.2 for now.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
I myself haven't tested an HTTPS Onion on TLS 1.3, but based on docs, it appears clear it'll work just fine. We discussed 1.3 support briefly in #5797 (comment), but punted, given the EOL timeline. @evilaliv3, if you're comfortable adding the change here, then perhaps @kushaldas can generate local certs to verify functionality as part of review.

@kushaldas
Contributor

Maybe we can just do this:

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLHonorCipherOrder     off
SSLSessionTickets       off

@evilaliv3
Contributor Author

Thank you @conorsch

@kushaldas: You can already find a commit that applies your full change proposal.

@zenmonkeykstop
Contributor

(quick rebase to include some CI fixes for tests to pass)

@kushaldas
Contributor

> Thank you @conorsch
>
> @kushaldas: You can already find a commit that applies your full change proposal.

Thank you @evilaliv3. This means we should also do:

  • securedrop_app_https_ssl_ciphers: entries in yml file
  • Update tests for the above ^^
  • Add sed command to the postinst script of the package so that any existing system's apache also gets the same configuration.
  • Maybe a test for the above ^^

@evilaliv3
Contributor Author

Thank you @kushaldas, I agree on this. Feel free to proceed to integrate the pull request with those aspects, as you probably already know how to do it. Thank you.

@kushaldas
Contributor

While working on the patchset:

[Tue Jul 27 13:15:04.745181 2021] [ssl:info] [pid 134136:tid 123109944466496] AH01914: Configuring server localhost:443 for SSL protocol
[Tue Jul 27 13:15:04.745365 2021] [ssl:emerg] [pid 134136:tid 123109944466496] AH01898: Unable to configure permitted SSL ciphers
[Tue Jul 27 13:15:04.745382 2021] [ssl:emerg] [pid 134136:tid 123109944466496] SSL Library Error: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match

@kushaldas
Contributor

This works:

#SSLCipherSuite TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256
SSLHonorCipherOrder off

@evilaliv3
Contributor Author

Thank you @kushaldas. This is actually pretty strange, let me see if Apache uses alternative names for the same ciphers...

@evilaliv3
Contributor Author

evilaliv3 commented Jul 27, 2021

@kushaldas: I think the proper apache2 naming could actually be the following:

SSLCipherSuite: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

@kushaldas
Contributor

> @kushaldas: I think the proper apache2 naming could actually be the following:
>
> SSLCipherSuite: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

Yes, typo in my sed command :(
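One way to carry out the postinst migration discussed above, using the directive values proposed in this thread and the cipher naming settled on here (an added example, not SecureDrop's own postinst script; the sample vhost is constructed and the function names are assumptions):

```shell
#!/bin/sh
# Added example (not SecureDrop's own postinst): migrate an already
# provisioned Apache vhost to the TLSv1.3-only settings from this PR.
# It is idempotent, so a package upgrade can run it every time.
set -eu

# Final cipher naming from the thread (Apache/OpenSSL TLSv1.3 suite names).
TLS13_CIPHERS='TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'

# set_directive FILE NAME VALUE
# Rewrite every active "NAME ..." line to "NAME VALUE", keeping its
# indentation. Commented-out lines ("#NAME ...") are left alone; if no
# active line exists, the directive is inserted before </VirtualHost>.
set_directive() {
    file="$1"; name="$2"; value="$3"; tmp="$1.tmp"
    awk -v name="$name" -v value="$value" '
        # remember the indentation of the last ordinary directive line
        NF && $1 !~ /^[<#]/ { match($0, /^[ \t]*/); ind = substr($0, 1, RLENGTH) }
        $1 == name {
            print ind name " " value
            seen = 1; next
        }
        /^[ \t]*<\/VirtualHost>/ && !seen {
            print ind name " " value
            seen = 1
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# The four settings kushaldas proposed, applied to one vhost file.
migrate_ssl_conf() {
    set_directive "$1" SSLProtocol 'all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2'
    set_directive "$1" SSLHonorCipherOrder off
    set_directive "$1" SSLSessionTickets off
    set_directive "$1" SSLCipherSuite "$TLS13_CIPHERS"
}

# directive_value FILE NAME: print the value of the first active NAME line.
directive_value() {
    awk -v name="$2" '$1 == name { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Constructed sample of a vhost as provisioned before this change
# (TLSv1.2 still allowed, cipher order on, old-style TLS13-* names).
write_sample_conf() {
    cat > "$1" <<'EOF'
<VirtualHost 127.0.0.1:443>
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    #SSLCipherSuite TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256
</VirtualHost>
EOF
}

conf="$(mktemp)"
write_sample_conf "$conf"
migrate_ssl_conf "$conf"
migrate_ssl_conf "$conf"   # second run must change nothing
cat "$conf"
rm -f "$conf"
```

On a live instance, after `apachectl configtest` and a reload, `openssl s_client -connect localhost:443 -tls1_2 </dev/null` should be refused while the same command with `-tls1_3` completes the handshake.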

@conorsch
Contributor

conorsch commented Aug 2, 2021

I'll take this for a spin in VMs today and report back with a review!

evilaliv3 and others added 4 commits August 2, 2021 11:38
We now only provide TLSv1.3 on the source interface if a TLS certificate is enabled.
coverage, installed 5.3, affected <6.0b1, id 41002
It is not released yet.
Contributor

@conorsch conorsch left a comment


Tested in prod VMs with self-signed certs. testssl.sh output is good, and functionality in Tor Browser is A-OK. Migration via postinst modified the apache configs as expected.

@conorsch
Contributor

conorsch commented Aug 2, 2021

I rebased this as part of review, so CI will run one more time. Fine to merge after!

@conorsch conorsch merged commit c6cd624 into freedomofpress:develop Aug 2, 2021