Bug 61436 - Permissive TLS connection allowed when connecting from localhost
Summary: Permissive TLS connection allowed when connecting from localhost
Status: NEEDINFO
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl (show other bugs)
Version: 2.4.27
Hardware: PC All
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-17 08:03 UTC by rubimazaki
Modified: 2017-08-17 09:08 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description rubimazaki 2017-08-17 08:03:37 UTC
When configuring our Apache server to support only TLSv1.2 (multiply checked by external connections to confirm that only that suite is supported) - we succeeded connecting the server with lesser TLSv1 from local host. Our client is based on Python 2.7.6 (no support for TLSv1.2) and will not connect from a remote IP, but DOES succeed from localhost.

Seems like a security hole to us because it allows any third party app to connect via port 443 with the server without it required to authenticate.


Configuration files:

/etc/apache2/httpd.conf
=======================

	WSGIPythonOptimize 0
	WSGIScriptAlias / /opt/asdf/cpmserver/wsgi.py
	WSGIPythonPath /opt/asdf/cpmserver/

	Options -Indexes

	Alias /static/ /opt/asdf/cpmserver/static/
	<Directory /opt/asdf/cpmserver/>
	<Files wsgi.py>
	Order deny,allow
	Allow from all
	</Files>
	</Directory>


	<VirtualHost _default_:443>
	ServerName https://example
	SSLProtocol -all +TLSv1.2
	SSLEngine on
	SSLCertificateFile /opt/asdf/cert/cpm_server.crt
	SSLCertificateKeyFile /opt/asdf/cert/cpm_server.key
	WSGIPassAuthorization On
	WSGIDaemonProcess debug threads=1
	WSGIProcessGroup debug
	</VirtualHost>


/etc/apache2/mods-available/ssl.conf
====================================

   <IfModule mod_ssl.c>

        # Pseudo Random Number Generator (PRNG):
        # Configure one or more sources to seed the PRNG of the SSL library.
        # The seed data should be of good random quality.
        # WARNING! On some platforms /dev/random blocks if not enough entropy
        # is available. This means you then cannot use the /dev/random device
        # because it would lead to very long connection times (as long as
        # it requires to make more entropy available). But usually those
        # platforms additionally provide a /dev/urandom device which doesn't
        # block. So, if available, use this one instead. Read the mod_ssl User
        # Manual for more details.
        #
        SSLRandomSeed startup builtin
        SSLRandomSeed startup file:/dev/urandom 512
        SSLRandomSeed connect builtin
        SSLRandomSeed connect file:/dev/urandom 512

        ##
        ##  SSL Global Context
        ##
        ##  All SSL configuration in this context applies both to
        ##  the main server and all SSL-enabled virtual hosts.
        ##

        #
        #   Some MIME-types for downloading Certificates and CRLs
        #
        AddType application/x-x509-ca-cert .crt
        AddType application/x-pkcs7-crl .crl

        #   Pass Phrase Dialog:
        #   Configure the pass phrase gathering process.
        #   The filtering dialog program (`builtin' is a internal
        #   terminal dialog) has to provide the pass phrase on stdout.
        SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase

        #   Inter-Process Session Cache:
        #   Configure the SSL Session Cache: First the mechanism
        #   to use and second the expiring timeout (in seconds).
        #   (The mechanism dbm has known memory leaks and should not be used).
        #SSLSessionCache                 dbm:${APACHE_RUN_DIR}/ssl_scache
        SSLSessionCache         shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
        SSLSessionCacheTimeout  300

        #   Semaphore:
        #   Configure the path to the mutual exclusion semaphore the
        #   SSL engine uses internally for inter-process synchronization.
        #   (Disabled by default, the global Mutex directive consolidates by default
        #   this)
        #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache


        #   SSL Cipher Suite:
        #   List the ciphers that the client is permitted to negotiate. See the
        #   ciphers(1) man page from the openssl package for list of all available
        #   options.
        #   Enable only secure ciphers:
        SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

        #   Speed-optimized SSL Cipher configuration:
        #   If speed is your main concern (on busy HTTPS servers e.g.),
        #   you might want to force clients to specific, performance
        #   optimized ciphers. In this case, prepend those ciphers
        #   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
        #   Caveat: by giving precedence to RC4-SHA and AES128-SHA
        #   (as in the example below), most connections will no longer
        #   have perfect forward secrecy - if the server's key is
        #   compromised, captures of past or future traffic must be
        #   considered compromised, too.
        #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
        #SSLHonorCipherOrder on

        #   The protocols to enable.
        #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
        #   SSL v2  is no longer supported
        SSLProtocol -all +TLSv1.2

        #   Allow insecure renegotiation with clients which do not yet support the
        #   secure renegotiation protocol. Default: Off
        #SSLInsecureRenegotiation on

        #   Whether to forbid non-SNI clients to access name based virtual hosts.
        #   Default: Off
        #SSLStrictSNIVHostCheck On

   </IfModule>
Comment 1 Stefan Eissing 2017-08-17 08:33:57 UTC
When you run

> openssl s_client -tls1_1 -connect localhost:443

what is the result? Is there a difference if you change the protocol config to

SSLProtocol +TLSv1.2

? Thanks!
Comment 2 rubimazaki 2017-08-17 08:46:46 UTC
with:
SSLProtocol -all +TLSv1.2 

running:
openssl s_client -tls1_1 -connect localhost:443

outputs:

CONNECTED(00000003)
140635205007008:error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version:s3_pkt.c:1262:SSL alert number 70
140635205007008:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1502959441
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
Comment 3 rubimazaki 2017-08-17 08:50:40 UTC
When setting:

SSLProtocol +TLSv1.2

I get the same results:

> openssl s_client -tls1_1 -connect localhost:443

CONNECTED(00000003)
139898031838880:error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version:s3_pkt.c:1262:SSL alert number 70
139898031838880:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1502959693
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
Comment 4 Stefan Eissing 2017-08-17 09:03:46 UTC
Thanks, SSLProtocol is supposed to be the same, just wanted to make sure.

Thanks for the output, it shows that the handshake failed, as it should. I assume that if you use -tls1_2 it will succeed and leave the connection open until you ^C.

Seems to me that the simplest explanation is that your python is linked against a modern openssl and speaks TLSv1.2 when needed.
Comment 5 rubimazaki 2017-08-17 09:08:11 UTC
Okay,

Please allow us to check this before closing the bug report.

Thanks.