Cherokee Ignores SSL/TLS Protocols Supported by OpenSSL #1255
@rakuco you can choose which ciphers and protocols are supported at runtime. Is your statement here that it should not show the other options iff OpenSSL does not support them? I consider not supporting TLS 1.3 a separate issue.
rdratlos pushed a commit to rdratlos/cherokee-webserver that referenced this issue on Apr 3, 2021:
SSL/TLS protocols are hardcoded in Cherokee. Neither at build time nor at run-time SSL/TLS protocols that are supported by the OpenSSL back-end are being checked. This may lead to the dangerous situation that OpenSSL encrypts HTTPS traffic using an SSL/TLS encryption, which is not explicitly supported by Cherokee. Current Cherokee for example does not support TLS protocol version 1.3, which requires ciphersuites for encryption that cannot be configured by Cherokee.

More and more OS distribution maintainers now control security of their OpenSSL packages by deactivating unsafe SSL/TLS protocols at build time. For system administrators it is very difficult to identify the root cause for rejected HTTPS communication requests due to suddenly unavailable SSL/TLS protocols. OpenSSL provides only pretty cryptic notifications.

This patch implements following improvements:
- Check SSL/TLS protocols supported by OpenSSL at build time
  - configure displays and logs supported protocols
  - Abort build with error message if unsupported protocols are detected
- Check SSL/TLS protocols supported by the actual OpenSSL back-end at runtime
  - Log an error message if unsupported protocols are detected
- Command-line option -i provides more detailed information about OpenSSL
  + Build version and actually used version
  + Supported SSL/TLS protocols
  + Maintainer deactivated protocols
- Make SSL/TLS protocol information available to Cherokee Admin scripts
- Fix Cherokee Admin Advanced page to outline support of SSL/TLS protocols:
  + Mark deactivated protocols
  + Warn users if SSL/TLS protocols are detected that are not supported by Cherokee
  + Inform users if OpenSSL/libssl is not supported at all

Fixes: cherokee#1255
Signed-off-by: Thomas Reim <reimth@gmail.com>
With the above fix, cherokee -i now correctly reports actual availability of SSL/TLS protocols:
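The runtime half of the checks listed in the commit message, written out as an added illustration; this is not Cherokee's code and not part of the referenced patch. It asks the Python ssl module which protocol versions the linked OpenSSL back-end actually offers (the ssl.HAS_* flags reflect what the distribution's build enabled), compares them with a hypothetical hard-coded APP_SUPPORTED list (an assumption for this example, modelled on Cherokee lacking TLS 1.3), and sorts every version into one of three buckets: usable, deactivated by the OpenSSL build, or offered by OpenSSL but not configurable by the application, which is the case the issue calls dangerous. The strict mode stands in for the build-time abort, the non-strict mode for the runtime error log.

```python
import logging
import ssl

log = logging.getLogger("tls-audit")

# Reporting order, oldest protocol version first.
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# Hypothetical hard-coded list of versions the application knows how to
# configure (assumption for this example: TLS 1.3 is deliberately missing,
# mirroring the situation described in the issue).
APP_SUPPORTED = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def backend_flags():
    """Capability flags of the libssl actually linked into this process.

    ssl.HAS_* are booleans describing the OpenSSL build in use, i.e. what
    the distribution maintainer left enabled, not what the app wants."""
    return {
        "SSLv2": ssl.HAS_SSLv2,
        "SSLv3": ssl.HAS_SSLv3,
        "TLSv1": ssl.HAS_TLSv1,
        "TLSv1.1": ssl.HAS_TLSv1_1,
        "TLSv1.2": ssl.HAS_TLSv1_2,
        "TLSv1.3": ssl.HAS_TLSv1_3,
    }


def audit_protocols(app_supported, flags):
    """Compare the application's protocol list with the back-end's flags.

    usable       - configurable by the app and offered by the back-end
    deactivated  - the app would configure them, but this OpenSSL build has
                   them disabled (typically by the distro maintainer)
    unsupported  - the back-end offers them, but the app cannot configure
                   them, so they may be negotiated without its knowledge
    """
    app = set(app_supported)
    backend = {name for name in ALL_PROTOCOLS if flags.get(name, False)}
    order = ALL_PROTOCOLS.index
    return {
        "usable": sorted(app & backend, key=order),
        "deactivated": sorted(app - backend, key=order),
        "unsupported": sorted(backend - app, key=order),
    }


def check_protocols(app_supported, flags, strict=False):
    """Log the findings; in strict (build-time style) mode raise instead.

    Returns the audit result so callers can act on it as well."""
    result = audit_protocols(app_supported, flags)
    if result["deactivated"]:
        log.warning("OpenSSL build has deactivated: %s",
                    ", ".join(result["deactivated"]))
    if result["unsupported"]:
        msg = ("OpenSSL offers protocols this server cannot configure: %s"
               % ", ".join(result["unsupported"]))
        if strict:
            raise RuntimeError(msg)
        log.error(msg)
    if not result["usable"]:
        msg = "no usable SSL/TLS protocol version: HTTPS would be unavailable"
        if strict:
            raise RuntimeError(msg)
        log.error(msg)
    return result


def report(app_supported, flags, openssl_version):
    """Plain-text summary in the spirit of a `-i` style information option."""
    result = audit_protocols(app_supported, flags)
    lines = [f"OpenSSL: {openssl_version}"]
    for name in ALL_PROTOCOLS:
        if name in result["usable"]:
            state = "available"
        elif name in result["deactivated"]:
            state = "deactivated by OpenSSL build"
        elif name in result["unsupported"]:
            state = "offered by OpenSSL, NOT supported by this server"
        else:
            state = "not available"
        lines.append(f"  {name:<8} {state}")
    return "\n".join(lines)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s: %(message)s")
    flags = backend_flags()
    print(report(APP_SUPPORTED, flags, ssl.OPENSSL_VERSION))
    check_protocols(APP_SUPPORTED, flags)
```

Run on a host whose OpenSSL package has the legacy versions compiled out, the "deactivated" bucket is exactly the list an administrator needs when clients suddenly fail to connect, and TLS 1.3 lands in "unsupported" until the application learns to configure its ciphersuites.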
SSL/TLS protocols are hardcoded in Cherokee. Neither at build time nor at run-time SSL/TLS protocols that are supported by the OpenSSL back-end are being checked. This may lead to the dangerous situation that OpenSSL encrypts HTTPS traffic using an SSL/TLS encryption, which is not explicitly supported by Cherokee. Current Cherokee for example does not support TLS protocol version 1.3, which requires ciphersuites for encryption that cannot be configured by Cherokee.
More and more OS distribution maintainers now control security of their OpenSSL packages by deactivating unsafe SSL/TLS protocols at build time. For system administrators it is very difficult to identify the root cause for rejected HTTPS communication requests due to suddenly unavailable SSL/TLS protocols. OpenSSL provides only pretty cryptic notifications.