
Python Language Summit 2017: State of the ssl module

Christian Heimes

May 17, 2017


Transcript

  1. State of the ssl module
     Python Language Summit, PyCon US 2017
     Christian Heimes, [email protected] / @ChristianHeimes, 2017-05-17
  2. Who am I
     • 'expert' for the ssl and hashlib modules
     • PEP 452: API for Cryptographic Hash Functions v2.0
     • PEP 456: Secure and interchangeable hash algorithm
     • PEP 543: Unified TLS API (Cory Benfield)
     • maintainer of Coverity Scan
     • Security Engineer at Red Hat
  3. Agenda
     • default cipher suites
     • TLS 1.3
     • match_hostname()
     • supported OpenSSL / LibreSSL versions
     • PEP 543: Unified TLS API
     • planned features / deprecations
  4. Python 3.6 improvements
     • blake2
       • blake2s, blake2b
     • SHA-3 (Keccak)
       • sha3-224, sha3-256, sha3-384, sha3-512
       • shake128, shake256
     I received positive feedback from the security community.
  5. Cipher suites
     • TLS version
     • key exchange/agreement (RSA, DH, ECDH, ephemeral)
     • certificate (RSA, EC-DSA, DSA)
     • bulk encryption (3DES, AES, ChaCha20...)
     • mode (CBC, GCM, Poly1305…)
     • PRF / MAC (MD5, SHA1, SHA256, SHA384)
     e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  6. History lesson
     • In the past, OpenSSL's default suites were awful
     • Python started to define custom cipher selection
     • Nowadays OpenSSL is better
     • Python's override re-enables insecure ciphers
     • #27850: Remove 3DES from cipher list (CVE-2016-2183)
  7. Proposal
     • Use OpenSSL `HIGH`
     • exclude insecure ciphers
     • rely on / benefit from OpenSSL updates
     HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP
     No more security backports for cipher suites (hopefully)
  8. TLS 1.3
     • OpenSSL 1.1.1 (probably)
       • current master implements Draft 20
       • 4 weeks ago NSS and Golang had Draft 19
     • BPO #29136 required for TLS 1.3
       • OP_NO_TLSv1_3
     • new cipher suites
       • TLS_AES_128_GCM_SHA256
       • TLS_AES_256_GCM_SHA384
       • TLS_CHACHA20_POLY1305_SHA256
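To see what the cipher string proposed on slide 7 actually leaves enabled, and which of the TLS 1.3 suites listed above an OpenSSL 1.1.1+ build adds on top, here is an added Python check (not code from the deck): it applies the string to an SSLContext and scans the resulting suite names for the excluded primitives. The EXCLUDED_MARKERS substring list is this example's own assumption about OpenSSL's cipher naming.

```python
import ssl

# Cipher string proposed on the slide: OpenSSL's HIGH group minus the
# primitives the deck wants gone.
PROPOSED_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP"

# Substrings of OpenSSL cipher names that correspond to the excluded pieces:
# anonymous DH/ECDH (aNULL), NULL encryption (eNULL), MD5, RC4, 3DES (spelled
# DES-CBC3 in OpenSSL names), PSK and SRP. Assumed naming, not an OpenSSL API.
EXCLUDED_MARKERS = ("ADH", "AECDH", "NULL", "MD5", "RC4", "DES", "PSK", "SRP")

def context_for(cipher_string):
    """Build a client context restricted to `cipher_string` (OpenSSL syntax)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx

def suites_by_protocol(ctx):
    """Group the enabled suite names by protocol, so the TLS 1.3 suites
    (which OpenSSL manages separately from the cipher string) stand out."""
    groups = {}
    for cipher in ctx.get_ciphers():      # available since Python 3.6
        groups.setdefault(cipher["protocol"], []).append(cipher["name"])
    return groups

def leftover_weak_suites(ctx):
    """Suites still enabled whose name mentions an excluded primitive.
    An empty list means the '!' exclusions did what the slide intends."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in EXCLUDED_MARKERS)]

if __name__ == "__main__":
    ctx = context_for(PROPOSED_CIPHERS)
    for proto, names in sorted(suites_by_protocol(ctx).items()):
        print(proto, len(names), "suites:", ", ".join(names))
    print("leftover weak suites:", leftover_weak_suites(ctx))
```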
  9. Hostnames in X.509 certificates
     Certificate:
         Data:
             Issuer: C=IL, O=StartCom Ltd., ...
             Validity
                 Not Before: Feb 2 08:35:11 2015 GMT
                 Not After : Feb 1 21:03:59 2017 GMT
             Subject: C=US, ST=Oregon, L=Beaverton, O=Python Software Foundation, CN=*.python.org
             X509v3 extensions:
                 X509v3 Subject Alternative Name:
                     DNS:*.python.org, DNS:python.org
  10. Bug #0
     OpenSSL used to have no function to match a hostname against a certificate.
     • ssl.match_hostname() added in Python 3.2
     • backported to 2.7.9
  11. Bug #1 (Issue #12000)
     Use CN when the subject alternative name field has no dNSName entries.
     • fixed in 3.3
  12. Bug #3 (Issue #17997)
     Use RFC 6125 instead of the outdated RFC 2818.
     • only one left-most wildcard is allowed
     • *.*.python.org or www.*.python.org are forbidden
     • fixed in 3.3.3
  13. Bug #4 (Issue #17997)
     Fix wildcard matching for internationalized domain names (IDN).
     • über.python.org → xn--ber-goa.python.org
     • fixed in 3.3.3
     • Mozilla NSS / Firefox and OpenSSL 1.0.2dev were affected, too.
  14. Bug #5 (Issue #18709)
     NULL bytes inside subjectAltName general names, e.g. www.python.org\x00evil.com
     • fixed in 3.4
     • Ruby and PHP were also affected
  15. Bug #6 (too many CVEs)
     Python does not check the hostname by default.
     • PEP 476 (Alex Gaynor)
     • fixed for httplib/urllib in 3.4 and 2.7.9
     • still not fixed for imap, pop, smtp etc.
  16. Bug #7 (issue #17305)
     Python does not support IDNA 2008.
     • critical for German domains like straße.de
       • IDNA 2003: strasse.de (Chrome, Edge, Konqueror)
       • IDNA 2008: xn--strae-oqa.de (Firefox)
     • still not fixed
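The CN-fallback, wildcard, IDN and NUL-byte rules from Bugs #1, #3, #4, #5 and #7 above, worked through in an added Python example that is not the ssl module's own code. The two certificate dicts are constructed in the shape getpeercert() returns; only whole-label wildcards are accepted, as the slide states; and because it uses the stdlib 'idna' codec, the straße.de case reproduces the IDNA 2003 behaviour the deck calls out rather than fixing it.

```python
# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns,
# modelled on the python.org certificate from slide 9 (not the real cert).
PYTHON_ORG_CERT = {
    "subject": ((("commonName", "*.python.org"),),),
    "subjectAltName": (("DNS", "*.python.org"), ("DNS", "python.org")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "www.python.org"),),)}

def to_ascii(name):
    """A-label (xn--) form of a DNS name. Python's 'idna' codec implements
    IDNA 2003, so straße.de becomes strasse.de, not xn--strae-oqa.de (Bug #7)."""
    return name.rstrip(".").encode("idna").decode("ascii").lower()

def san_is_valid(pattern):
    """Reject what the deck forbids: embedded NUL bytes (Bug #5), empty labels,
    and any wildcard that is not the whole left-most label (Bug #3)."""
    if "\x00" in pattern:
        return False
    labels = pattern.rstrip(".").split(".")
    if not all(labels):
        return False
    if "*" not in pattern:
        return True
    # Exactly one wildcard, it must be the entire first label, and a pattern
    # such as *.org that would cover a whole TLD is not accepted either.
    return (len(labels) >= 3 and labels[0] == "*"
            and not any("*" in label for label in labels[1:]))

def match_dns_name(pattern, hostname):
    """Compare label by label in A-label form; '*' matches exactly one label,
    so *.python.org matches über.python.org but not a.b.python.org."""
    if not san_is_valid(pattern) or "\x00" in hostname:
        return False
    try:
        pat, host = to_ascii(pattern).split("."), to_ascii(hostname).split(".")
    except UnicodeError:          # hostname the IDNA codec cannot encode
        return False
    return len(pat) == len(host) and all(p == "*" or p == h
                                         for p, h in zip(pat, host))

def match_certificate(cert, hostname):
    """dNSName SAN entries are authoritative; the subject CN is only consulted
    when the certificate has no dNSName at all (Bug #1, issue #12000)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return any(match_dns_name(p, hostname) for p in names)
```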
  17. Bug #8 (issue #30141)
     OpenSSL auto-handshake for non-blocking memory IO may not validate the hostname.
     • do_handshake=False
     • still not fixed
  18. More bugs...
     • hostname verification occurs after client cert auth
       • may leak client cert data to a malicious server
     • validation error does not terminate the handshake
       • peer does not see a proper ALERT
  19. Solution
     • Let OpenSSL perform verification
       • X509_VERIFY_PARAM_set1_host()
       • X509_VERIFY_PARAM_set1_ip()
     • Requires a recent version
       • OpenSSL 1.0.2+
       • LibreSSL 2.5
     • IDNA 2008 must be addressed separately
  20. OpenSSL
     • OpenSSL 1.0.2 LTS
       • Debian stable-bpo
       • RHEL 7.4 (beta)
       • Ubuntu 16.04 LTS
     • 1.0.1 no longer supported by upstream
       • Debian Stable
       • RHEL <= 7.3
       • Ubuntu 14.04 LTS
  21. LibreSSL
     • BSD fork of OpenSSL 1.0.1 + API backports
     • mostly OpenSSL 1.0.2 compatible, with features removed
     The ssl module will work with LibreSSL if and only if LibreSSL stays 100% compatible with OpenSSL.
  22. PEP 543: Unified TLS API
     • PEP by Cory Benfield
     • Abstraction of
       • OpenSSL
       • SecureTransport (macOS)
       • SChannel (Windows)
       • NSS (Firefox)
     • BDFL delegate?
  23. Deprecations
     • OpenSSL < 1.0.2
     • ssl.wrap_socket() → SSLContext
     • ssl.match_hostname() → OpenSSL
     • ssl.PROTOCOL_* → PROTOCOL_TLS_CLIENT, PROTOCOL_TLS_SERVER
     • ssl.CLIENT_AUTH / SERVER_AUTH
     • ssl.OP_NO_* → ctx.set_version_range()
  24. Planned improvements
     • client SSLContext() secure by default
       • verify cert & check hostname
       • no certs loaded by default
     • hostname checking / IDNA encoding
     • Better reporting
     • CAPI PyCapsule (for Steve)
     • static / dynamic linking?
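What the "client SSLContext() secure by default" item and the deprecations on the previous slide look like in Python 3.7+, as an added example rather than code from the deck: PROTOCOL_TLS_CLIENT already enables certificate verification and hostname checking (which 3.7 hands to OpenSSL's X509_VERIFY_PARAM_set1_host(), as the Solution slide proposed), no CA certificates are loaded, and the version floor uses the minimum_version attribute that actually shipped in place of the set_version_range() named on the deprecations slide. The helper names are this example's own.

```python
import socket
import ssl

def secure_client_context():
    """Client context behaving the way the deck says a client SSLContext()
    should by default. PROTOCOL_TLS_CLIENT (Python 3.6+) turns on certificate
    verification and hostname checking; nothing calls load_default_certs(),
    matching the 'no certs loaded by default' bullet."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The deck proposes ctx.set_version_range(); what shipped in 3.7 is the
    # minimum_version / maximum_version pair, assumed available here.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def loaded_ca_count(ctx):
    """Number of X.509 certificates in the context's trust store."""
    return ctx.cert_store_stats()["x509"]

def refuses_unnamed_peer(ctx):
    """True if the context rejects wrapping a socket without server_hostname.
    With check_hostname on there is nothing to match the certificate against,
    so wrap_socket() raises ValueError before any handshake is attempted."""
    with socket.socket() as sock:
        try:
            ctx.wrap_socket(sock).close()
        except ValueError:
            return True
    return False

def settings(ctx):
    """The security-relevant defaults as a dict, for inspection or assertions."""
    return {
        "verify_mode": ctx.verify_mode,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version,
        "loaded_cas": loaded_ca_count(ctx),
    }

if __name__ == "__main__":
    ctx = secure_client_context()
    print(settings(ctx))
    print("refuses wrap_socket() without server_hostname:", refuses_unnamed_peer(ctx))
```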
  25. Proposed improvements
     • cert validation callback
     • X509 type
     • X509_STORE_CTX type
     • SPKI (cert pinning)
     • OCSP stapling verification
     • minimal engine support (client certs)
     • SCT for certificate transparency
     • AIA chasing to fetch intermediates