Add flag to set cipher suite preferences on a TLS session #1020
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ArnoStiefvater
previously approved these changes
Feb 3, 2022
ArnoStiefvater
force-pushed
the
dh-primes
branch
from
7c7788e
to
b263c44
Compare
nichtsfrei
approved these changes
Feb 7, 2022
…ble for setting cipher suite preferences on a TLS session
…TY_FLAGS, as required for each case.
the handshake and return -2 to allow caller functions to handle this especial case.
…wer prime bits number. For this, use the new bit flag variable.
ArnoStiefvater
force-pushed
the
dh-primes
branch
from
b263c44
to
634c8c0
Compare
ArnoStiefvater
approved these changes
Feb 8, 2022
mergify bot
pushed a commit
that referenced
this pull request
Feb 8, 2022
* Add the definitions to set preferences which can't be set via the priority string * Extend open_stream_conenction_ext() to receive the new bit flag variable for setting cipher suite preferences on a TLS session * Forward the flag variable to set the TLS preferences or use NO_PRIORITY_FLAGS, as required for each case. * Catch the GNUTLS_E_DH_PRIME_UNACCEPTABLE error during the handshake and return -2 to allow caller functions to handle this especial case. * Handle the case GNUTLS_E_DH_PRIME_UNACCEPTABLE error. Retry with a lower prime bits number. For this, use the new bit flag variable. What: Currently, when the scanner opens a TLS session, cipher suite preferences can be set only via the priority string. Other preferences can be set via functions. This PR extends the open_stream_connection_ext() function to accept a flag which allows to set other preferences (e.g. the number of bits, for use in a Diffie-Hellman key exchange) Jira: SC-441 Why: nasl_builtin_find_service.c fails to detect SSL/TLS service because, in this particular case, the server sends a prime of 512 bits, and the client limit is 1008 (set with the NORMAL priority). This PR handles this error and set a new minimum (128) and retries to open the TLS connection. How: sudo openvas-nasl -X -B -d -i $PLUGINSPATH -t TARGET find_service.nasl --kb="Ports/tcp/443=1" --debug-tls=9 [19893] (1) FFDHE groups advertised, but server didn't support it; falling back to server's choice [19893] (2) Received a prime of 512 bits, limit is 1008 lib misc-Message: 03:36:31.165: replace key FindService/CnxTime1000/443 -> 45 lib misc-Message: 03:36:31.166: set key Transports/TCP/443 -> 1 lib misc-Message: 03:36:51.279: set key Services/unknown -> 443 With the PR: [19263] (1) FFDHE groups advertised, but server didn't support it; falling back to server's choice [19263] (2) Received a prime of 512 bits, limit is 1008 lib misc-Message: 03:19:20.218: [19263] gnutls_handshake: The Diffie-Hellman prime sent by the server is not acceptable (not long enough). [19263] (1) Note that the security level of the Diffie-Hellman key exchange has been lowered to 128 bits and this may allow decryption of the session data lib misc-Message: 03:37:38.525: replace key FindService/RwTime1000/443 -> 101 lib misc-Message: 03:37:38.525: replace key FindService/tcp/443/get_http -> HTTP/1.0 200 OK Date: Sat, 01 Jan 2011 00:00:53 GMT Server: Embedded HTTP Server. Connection: close Content-Length: 107 Last-Modified: Fri, 28 Feb 2014 14:53:02 GMT Content-Type: text/html <HTML><HEAD><meta http-equiv="refresh" content="0; URL=/scgi-bin/platform.cgi"></HEAD><BODY></BODY></HTML> lib misc-Message: 03:37:38.525: set key Services/www -> 443 lib misc-Message: 03:37:38.525: replace key Known/tcp/443 -> www lib misc-Message: 03:37:38.525: replace key www/banner/443 -> HTTP/1.0 200 OK Date: Sat, 01 Jan 2011 00:00:53 GMT Server: Embedded HTTP Server. Connection: close Content-Length: 107 Last-Modified: Fri, 28 Feb 2014 14:53:02 GMT Content-Type: text/html <HTML><HEAD><meta http-equiv="refresh" content="0; URL=/scgi-bin/platform.cgi"></HEAD><BODY></BODY></HTML> (cherry picked from commit 8186bb6)
mergify bot
pushed a commit
that referenced
this pull request
Feb 8, 2022
* Add the definitions to set preferences which can't be set via the priority string * Extend open_stream_conenction_ext() to receive the new bit flag variable for setting cipher suite preferences on a TLS session * Forward the flag variable to set the TLS preferences or use NO_PRIORITY_FLAGS, as required for each case. * Catch the GNUTLS_E_DH_PRIME_UNACCEPTABLE error during the handshake and return -2 to allow caller functions to handle this especial case. * Handle the case GNUTLS_E_DH_PRIME_UNACCEPTABLE error. Retry with a lower prime bits number. For this, use the new bit flag variable. What: Currently, when the scanner opens a TLS session, cipher suite preferences can be set only via the priority string. Other preferences can be set via functions. This PR extends the open_stream_connection_ext() function to accept a flag which allows to set other preferences (e.g. the number of bits, for use in a Diffie-Hellman key exchange) Jira: SC-441 Why: nasl_builtin_find_service.c fails to detect SSL/TLS service because, in this particular case, the server sends a prime of 512 bits, and the client limit is 1008 (set with the NORMAL priority). This PR handles this error and set a new minimum (128) and retries to open the TLS connection. How: sudo openvas-nasl -X -B -d -i $PLUGINSPATH -t TARGET find_service.nasl --kb="Ports/tcp/443=1" --debug-tls=9 [19893] (1) FFDHE groups advertised, but server didn't support it; falling back to server's choice [19893] (2) Received a prime of 512 bits, limit is 1008 lib misc-Message: 03:36:31.165: replace key FindService/CnxTime1000/443 -> 45 lib misc-Message: 03:36:31.166: set key Transports/TCP/443 -> 1 lib misc-Message: 03:36:51.279: set key Services/unknown -> 443 With the PR: [19263] (1) FFDHE groups advertised, but server didn't support it; falling back to server's choice [19263] (2) Received a prime of 512 bits, limit is 1008 lib misc-Message: 03:19:20.218: [19263] gnutls_handshake: The Diffie-Hellman prime sent by the server is not acceptable (not long enough). [19263] (1) Note that the security level of the Diffie-Hellman key exchange has been lowered to 128 bits and this may allow decryption of the session data lib misc-Message: 03:37:38.525: replace key FindService/RwTime1000/443 -> 101 lib misc-Message: 03:37:38.525: replace key FindService/tcp/443/get_http -> HTTP/1.0 200 OK Date: Sat, 01 Jan 2011 00:00:53 GMT Server: Embedded HTTP Server. Connection: close Content-Length: 107 Last-Modified: Fri, 28 Feb 2014 14:53:02 GMT Content-Type: text/html <HTML><HEAD><meta http-equiv="refresh" content="0; URL=/scgi-bin/platform.cgi"></HEAD><BODY></BODY></HTML> lib misc-Message: 03:37:38.525: set key Services/www -> 443 lib misc-Message: 03:37:38.525: replace key Known/tcp/443 -> www lib misc-Message: 03:37:38.525: replace key www/banner/443 -> HTTP/1.0 200 OK Date: Sat, 01 Jan 2011 00:00:53 GMT Server: Embedded HTTP Server. Connection: close Content-Length: 107 Last-Modified: Fri, 28 Feb 2014 14:53:02 GMT Content-Type: text/html <HTML><HEAD><meta http-equiv="refresh" content="0; URL=/scgi-bin/platform.cgi"></HEAD><BODY></BODY></HTML> (cherry picked from commit 8186bb6)
jjnicola
added a commit
that referenced
this pull request
Feb 8, 2022
…1028) * Add the definitions to set preferences which can't be set via the priority string * Extend open_stream_conenction_ext() to receive the new bit flag variable for setting cipher suite preferences on a TLS session * Forward the flag variable to set the TLS preferences or use NO_PRIORITY_FLAGS, as required for each case. * Catch the GNUTLS_E_DH_PRIME_UNACCEPTABLE error during the handshake and return -2 to allow caller functions to handle this especial case. * Handle the case GNUTLS_E_DH_PRIME_UNACCEPTABLE error. Retry with a lower prime bits number. For this, use the new bit flag variable. What: Currently, when the scanner opens a TLS session, cipher suite preferences can be set only via the priority string. Other preferences can be set via functions. This PR extends the open_stream_connection_ext() function to accept a flag which allows to set other preferences (e.g. the number of bits, for use in a Diffie-Hellman key exchange) Jira: SC-441 Why: nasl_builtin_find_service.c fails to detect SSL/TLS service because, in this particular case, the server sends a prime of 512 bits, and the client limit is 1008 (set with the NORMAL priority). This PR handles this error and set a new minimum (128) and retries to open the TLS connection. How: sudo openvas-nasl -X -B -d -i $PLUGINSPATH -t TARGET find_service.nasl --kb="Ports/tcp/443=1" --debug-tls=9 [19893] (1) FFDHE groups advertised, but server didn't support it; falling back to server's choice [19893] (2) Received a prime of 512 bits, limit is 1008 lib misc-Message: 03:36:31.165: replace key FindService/CnxTime1000/443 -> 45 lib misc-Message: 03:36:31.166: set key Transports/TCP/443 -> 1 lib misc-Message: 03:36:51.279: set key Services/unknown -> 443 With the PR: [19263] (1) FFDHE groups advertised, but server didn't support it; falling back to server's choice [19263] (2) Received a prime of 512 bits, limit is 1008 lib misc-Message: 03:19:20.218: [19263] gnutls_handshake: The Diffie-Hellman prime sent by the server is not acceptable (not long enough). [19263] (1) Note that the security level of the Diffie-Hellman key exchange has been lowered to 128 bits and this may allow decryption of the session data lib misc-Message: 03:37:38.525: replace key FindService/RwTime1000/443 -> 101 lib misc-Message: 03:37:38.525: replace key FindService/tcp/443/get_http -> HTTP/1.0 200 OK Date: Sat, 01 Jan 2011 00:00:53 GMT Server: Embedded HTTP Server. Connection: close Content-Length: 107 Last-Modified: Fri, 28 Feb 2014 14:53:02 GMT Content-Type: text/html <HTML><HEAD><meta http-equiv="refresh" content="0; URL=/scgi-bin/platform.cgi"></HEAD><BODY></BODY></HTML> lib misc-Message: 03:37:38.525: set key Services/www -> 443 lib misc-Message: 03:37:38.525: replace key Known/tcp/443 -> www lib misc-Message: 03:37:38.525: replace key www/banner/443 -> HTTP/1.0 200 OK Date: Sat, 01 Jan 2011 00:00:53 GMT Server: Embedded HTTP Server. Connection: close Content-Length: 107 Last-Modified: Fri, 28 Feb 2014 14:53:02 GMT Content-Type: text/html <HTML><HEAD><meta http-equiv="refresh" content="0; URL=/scgi-bin/platform.cgi"></HEAD><BODY></BODY></HTML> (cherry picked from commit 8186bb6) Co-authored-by: Juan José Nicola <jjnicola@gmail.com>
jjnicola
added a commit
that referenced
this pull request
Feb 8, 2022
…1029) * Add the definitions to set preferences which can't be set via the priority string * Extend open_stream_conenction_ext() to receive the new bit flag variable for setting cipher suite preferences on a TLS session * Forward the flag variable to set the TLS preferences or use NO_PRIORITY_FLAGS, as required for each case. * Catch the GNUTLS_E_DH_PRIME_UNACCEPTABLE error during the handshake and return -2 to allow caller functions to handle this especial case. * Handle the case GNUTLS_E_DH_PRIME_UNACCEPTABLE error. Retry with a lower prime bits number. For this, use the new bit flag variable. What: Currently, when the scanner opens a TLS session, cipher suite preferences can be set only via the priority string. Other preferences can be set via functions. This PR extends the open_stream_connection_ext() function to accept a flag which allows to set other preferences (e.g. the number of bits, for use in a Diffie-Hellman key exchange) Jira: SC-441 Why: nasl_builtin_find_service.c fails to detect SSL/TLS service because, in this particular case, the server sends a prime of 512 bits, and the client limit is 1008 (set with the NORMAL priority). This PR handles this error and set a new minimum (128) and retries to open the TLS connection. How: sudo openvas-nasl -X -B -d -i $PLUGINSPATH -t TARGET find_service.nasl --kb="Ports/tcp/443=1" --debug-tls=9 [19893] (1) FFDHE groups advertised, but server didn't support it; falling back to server's choice [19893] (2) Received a prime of 512 bits, limit is 1008 lib misc-Message: 03:36:31.165: replace key FindService/CnxTime1000/443 -> 45 lib misc-Message: 03:36:31.166: set key Transports/TCP/443 -> 1 lib misc-Message: 03:36:51.279: set key Services/unknown -> 443 With the PR: [19263] (1) FFDHE groups advertised, but server didn't support it; falling back to server's choice [19263] (2) Received a prime of 512 bits, limit is 1008 lib misc-Message: 03:19:20.218: [19263] gnutls_handshake: The Diffie-Hellman prime sent by the server is not acceptable (not long enough). [19263] (1) Note that the security level of the Diffie-Hellman key exchange has been lowered to 128 bits and this may allow decryption of the session data lib misc-Message: 03:37:38.525: replace key FindService/RwTime1000/443 -> 101 lib misc-Message: 03:37:38.525: replace key FindService/tcp/443/get_http -> HTTP/1.0 200 OK Date: Sat, 01 Jan 2011 00:00:53 GMT Server: Embedded HTTP Server. Connection: close Content-Length: 107 Last-Modified: Fri, 28 Feb 2014 14:53:02 GMT Content-Type: text/html <HTML><HEAD><meta http-equiv="refresh" content="0; URL=/scgi-bin/platform.cgi"></HEAD><BODY></BODY></HTML> lib misc-Message: 03:37:38.525: set key Services/www -> 443 lib misc-Message: 03:37:38.525: replace key Known/tcp/443 -> www lib misc-Message: 03:37:38.525: replace key www/banner/443 -> HTTP/1.0 200 OK Date: Sat, 01 Jan 2011 00:00:53 GMT Server: Embedded HTTP Server. Connection: close Content-Length: 107 Last-Modified: Fri, 28 Feb 2014 14:53:02 GMT Content-Type: text/html <HTML><HEAD><meta http-equiv="refresh" content="0; URL=/scgi-bin/platform.cgi"></HEAD><BODY></BODY></HTML> (cherry picked from commit 8186bb6) Co-authored-by: Juan José Nicola <jjnicola@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What:
Currently, when the scanner opens a TLS session, cipher suite preferences can be set only via the priority string. Other preferences can be set via functions. This PR extends the open_stream_connection_ext() function to accept a flag which allows to set other preferences (e.g. the number of bits, for use in a Diffie-Hellman key exchange)
Jira: SC-441
Why:
nasl_builtin_find_service.c fails to detect SSL/TLS service because, in this particular case, the server sends a prime of 512 bits, and the client limit is 1008 (set with the NORMAL priority). This PR handles this error and set a new minimum (128) and retries to open the TLS connection.
How:
sudo openvas-nasl -X -B -d -i $PLUGINSPATH -t
TARGETfind_service.nasl --kb="Ports/tcp/443=1" --debug-tls=9With the PR:
Checklist: