Add: flag to set cipher suite preferences on a TLS session (backport #1020) #1029
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![mergify[bot]](https://avatars.githubusercontent.com/in/10562?s=60&v=4){kind=small}
* Add the definitions to set preferences which can't be set via the priority string * Extend open_stream_conenction_ext() to receive the new bit flag variable for setting cipher suite preferences on a TLS session * Forward the flag variable to set the TLS preferences or use NO_PRIORITY_FLAGS, as required for each case. * Catch the GNUTLS_E_DH_PRIME_UNACCEPTABLE error during the handshake and return -2 to allow caller functions to handle this especial case. * Handle the case GNUTLS_E_DH_PRIME_UNACCEPTABLE error. Retry with a lower prime bits number. For this, use the new bit flag variable. What: Currently, when the scanner opens a TLS session, cipher suite preferences can be set only via the priority string. Other preferences can be set via functions. This PR extends the open_stream_connection_ext() function to accept a flag which allows to set other preferences (e.g. the number of bits, for use in a Diffie-Hellman key exchange) Jira: SC-441 Why: nasl_builtin_find_service.c fails to detect SSL/TLS service because, in this particular case, the server sends a prime of 512 bits, and the client limit is 1008 (set with the NORMAL priority). This PR handles this error and set a new minimum (128) and retries to open the TLS connection. How: sudo openvas-nasl -X -B -d -i $PLUGINSPATH -t TARGET find_service.nasl --kb="Ports/tcp/443=1" --debug-tls=9 [19893] (1) FFDHE groups advertised, but server didn't support it; falling back to server's choice [19893] (2) Received a prime of 512 bits, limit is 1008 lib misc-Message: 03:36:31.165: replace key FindService/CnxTime1000/443 -> 45 lib misc-Message: 03:36:31.166: set key Transports/TCP/443 -> 1 lib misc-Message: 03:36:51.279: set key Services/unknown -> 443 With the PR: [19263] (1) FFDHE groups advertised, but server didn't support it; falling back to server's choice [19263] (2) Received a prime of 512 bits, limit is 1008 lib misc-Message: 03:19:20.218: [19263] gnutls_handshake: The Diffie-Hellman prime sent by the server is not acceptable (not long enough). [19263] (1) Note that the security level of the Diffie-Hellman key exchange has been lowered to 128 bits and this may allow decryption of the session data lib misc-Message: 03:37:38.525: replace key FindService/RwTime1000/443 -> 101 lib misc-Message: 03:37:38.525: replace key FindService/tcp/443/get_http -> HTTP/1.0 200 OK Date: Sat, 01 Jan 2011 00:00:53 GMT Server: Embedded HTTP Server. Connection: close Content-Length: 107 Last-Modified: Fri, 28 Feb 2014 14:53:02 GMT Content-Type: text/html <HTML><HEAD><meta http-equiv="refresh" content="0; URL=/scgi-bin/platform.cgi"></HEAD><BODY></BODY></HTML> lib misc-Message: 03:37:38.525: set key Services/www -> 443 lib misc-Message: 03:37:38.525: replace key Known/tcp/443 -> www lib misc-Message: 03:37:38.525: replace key www/banner/443 -> HTTP/1.0 200 OK Date: Sat, 01 Jan 2011 00:00:53 GMT Server: Embedded HTTP Server. Connection: close Content-Length: 107 Last-Modified: Fri, 28 Feb 2014 14:53:02 GMT Content-Type: text/html <HTML><HEAD><meta http-equiv="refresh" content="0; URL=/scgi-bin/platform.cgi"></HEAD><BODY></BODY></HTML> (cherry picked from commit 8186bb6)
ArnoStiefvater
approved these changes
Feb 8, 2022
jjnicola
changed the title
jjnicola
approved these changes
Feb 8, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is an automatic backport of pull request #1020 done by Mergify.
Mergify commands and options
More conditions and actions can be found in the documentation.
You can also trigger Mergify actions by commenting on this pull request:
@Mergifyio refreshwill re-evaluate the rules@Mergifyio rebasewill rebase this PR on its base branch@Mergifyio updatewill merge the base branch into this PR@Mergifyio backport <destination>will backport this PR on<destination>branchAdditionally, on Mergify dashboard you can:
Finally, you can contact us on https://mergify.com