From db78fe45898a6d03727f8db68642bfebdfc10bf8 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Wed, 4 Jan 2012 17:15:50 -0500 Subject: Disable SSLv3 when using a not-up-to-date openssl This is to address bug 4822, and CVE-2011-4576. --- src/common/tortls.c | 31 ++++++++++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/src/common/tortls.c b/src/common/tortls.c index cc805f80ce..22b0e31726 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -64,6 +64,16 @@ #define ADDR(tls) (((tls) && (tls)->address) ? tls->address : "peer") +#if (OPENSSL_VERSION_NUMBER < 0x0090813fL || \ + (OPENSSL_VERSION_NUMBER >= 0x00909000L && \ + OPENSSL_VERSION_NUMBER < 0x1000006fL)) +/* This is a version of OpenSSL before 0.9.8s/1.0.0f. It does not have + * the CVE-2011-4657 fix, and as such it can't use RELEASE_BUFFERS and + * SSL3 safely at the same time. + */ +#define DISABLE_SSL3_HANDSHAKE +#endif + /* We redefine these so that we can run correctly even if the vendor gives us * a version of OpenSSL that does not match its header files. (Apple: I am * looking at you.) @@ -739,16 +749,31 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime, result->key = crypto_pk_dup_key(rsa); } -#ifdef EVERYONE_HAS_AES - /* Tell OpenSSL to only use TLS1 */ +#if 0 + /* Tell OpenSSL to only use TLS1. This would actually break compatibility + * with clients that are configured to use SSLv23_method(), so we should + * probably never use it. + */ if (!(result->ctx = SSL_CTX_new(TLSv1_method()))) goto error; -#else +#endif + /* Tell OpenSSL to use SSL3 or TLS1 but not SSL2. */ if (!(result->ctx = SSL_CTX_new(SSLv23_method()))) goto error; SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2); + + if ( +#ifdef DISABLE_SSL3_HANDSHAKE + 1 || #endif + SSLeay() < 0x0090813fL || + (SSLeay() >= 0x00909000L && + SSLeay() < 0x1000006fL)) { + /* And not SSL3 if it's subject to CVE-2011-4657. */ + SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3); + } + SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE); #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION -- cgit v1.2.3-54-g00ecf From 0a00678e56ec3030b9028a7188f68ab6c10a3fa3 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Wed, 4 Jan 2012 21:17:52 -0500 Subject: Add a changes file for bug4822 --- changes/bug4822 | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 changes/bug4822 diff --git a/changes/bug4822 b/changes/bug4822 new file mode 100644 index 0000000000..73f43f0452 --- /dev/null +++ b/changes/bug4822 @@ -0,0 +1,13 @@ + o Major security workaround: + - When building or running with any version of OpenSSL earlier + than 0.9.8s or 1.0.0f, disable SSLv3 support. These versions had + a bug (CVE-2011-4576) in which their block cipher padding + included uninitialized data, potentially leaking sensitive + information to any peer with whom they made a SSLv3 + connection. Tor does not use SSL v3 by default, but a hostile + client or server could force an SSLv3 connection in order to + gain information that they shouldn't have been able to get. The + best solution here is to upgrade to OpenSSL 0.9.8s or 1.0.0f (or + later). But when building or running with a non-upgraded + OpenSSL, we should instead make sure that the bug can't happen + by disabling SSLv3 entirely. -- cgit v1.2.3-54-g00ecf From 4752b348793f599cbdc93d0503d18def03e45c7a Mon Sep 17 00:00:00 2001 From: Robert Ransom Date: Wed, 4 Jan 2012 20:41:28 -0800 Subject: Log at info level when disabling SSLv3 --- src/common/tortls.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/common/tortls.c b/src/common/tortls.c index 22b0e31726..d88a59b9c7 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -771,6 +771,12 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime, (SSLeay() >= 0x00909000L && SSLeay() < 0x1000006fL)) { /* And not SSL3 if it's subject to CVE-2011-4657. */ + log_info(LD_NET, "Disabling SSLv3 because this OpenSSL version " + "might otherwise be vulnerable to CVE-2011-4657 " + "(compile-time version %08lx (%s); " + "runtime version %08lx (%s))", + OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT, + SSLeay(), SSLeay_version(SSLEAY_VERSION)); SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3); } -- cgit v1.2.3-54-g00ecf