
Add "honor_server_ciphers" ssl context option to mitigate BEAST #490

Conversation

rdlowrey (Contributor)

Mitigating the BEAST TLS Vulnerability

The BEAST TLS attack vector was first publicized in 2011. Mitigating this attack is relatively simple: servers have only to prioritize ciphers that aren't susceptible to the attack. However, unless instructed otherwise, OpenSSL uses the client's preferences when negotiating the cipher. To prevent nefarious clients from prioritizing susceptible ciphers, servers must configure SSL sessions using OpenSSL's SSL_OP_CIPHER_SERVER_PREFERENCE context option.

Proposed Solution

This patch adds a new boolean ssl context option, "honor_server_ciphers", to mitigate BEAST vulnerabilities in encrypted stream servers.

Suggested Usage

```php
<?php
$bindTo = 'tls://127.0.0.1:12345';
$flags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
$ctx = stream_context_create(['ssl' => [
    'local_cert' => '/path/to/cert.pem',                   // server certificate (PEM)
    'max_handshake_rate' => 0,
    'disable_compression' => TRUE,                         // turn off TLS compression
    'ciphers' => '<place your desired cipher order here>', // OpenSSL cipher string, most preferred first
    'honor_server_ciphers' => TRUE                         // new option: apply SSL_OP_CIPHER_SERVER_PREFERENCE
]]);
$server = stream_socket_server($bindTo, $errNo, $errStr, $flags, $ctx);
```

How Problematic Is This Really?

The 2011 BEAST attack targets a 2004 vulnerability in TLS 1.0 and earlier protocol versions, previously thought to be impractical to exploit. For a period of time, server-side mitigation of the BEAST attack was considered appropriate, even though the weakness is on the client side. Unfortunately, to mitigate server-side requires RC4, which we now recommend to disable. Because of that, and because the BEAST attack is by now largely mitigated client-side, we no longer recommend server-side mitigation.

The impact of a successful BEAST attack is similar to that of session hijacking.

-- SSL Labs Best Practices Report (September 2013)

Other Considerations

It's not really possible to include tests for this functionality without adding new functions to retrieve the negotiated cipher from an encrypted socket stream. I don't generally feel like creating functions solely for use in testing things is a good idea, so there are no .phpt tests included. I may PR a new function to get meta information about the SSL session in the future, though. In such a case I'll go ahead and add tests for this scenario.
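A small model of the cipher-selection rule the description above relies on, added here as an illustration; it is not code from this PR or from php-src. The cipher lists are constructed, and the model deliberately ignores the protocol-version and key-type filtering that real OpenSSL applies, so it only shows whose order wins.

```python
# Simplified model of OpenSSL cipher-suite negotiation (added example, not php-src code).
# Without SSL_OP_CIPHER_SERVER_PREFERENCE the library walks the client's ordered list
# and takes the first suite the server also offers; with it, the server's list is walked.
# Cipher names follow OpenSSL conventions; the sample lists below are constructed.

# CBC-mode suites are the class BEAST targets when used under TLS 1.0 or older.
# RC4 is a stream cipher and was the server-side workaround of the time.
CBC_CIPHERS = {"AES128-SHA", "AES256-SHA", "DES-CBC3-SHA", "ECDHE-RSA-AES128-SHA"}


def select_cipher(client_order, server_order, honor_server_ciphers):
    """Return the negotiated suite, or None when client and server share none."""
    if honor_server_ciphers:
        preferring, other = server_order, client_order
    else:
        preferring, other = client_order, server_order
    supported = set(other)
    for suite in preferring:
        if suite in supported:
            return suite
    return None  # no common suite: the handshake would fail


def beast_exposed(cipher, protocol="TLSv1"):
    """True when the negotiated suite is a CBC suite on SSLv3/TLS 1.0."""
    return cipher in CBC_CIPHERS and protocol in ("SSLv3", "TLSv1")


def demo():
    """Negotiate against a client that deliberately prefers CBC suites.

    Returns (cipher without server preference, cipher with server preference).
    """
    server_order = ["RC4-SHA", "AES128-SHA", "DES-CBC3-SHA"]   # server lists RC4 first
    hostile_client = ["AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"]  # client lists CBC first
    client_wins = select_cipher(hostile_client, server_order, False)
    server_wins = select_cipher(hostile_client, server_order, True)
    return client_wins, server_wins


if __name__ == "__main__":
    for label, cipher in zip(("client preference", "server preference"), demo()):
        print(f"{label}: {cipher} (BEAST-exposed on TLS 1.0: {beast_exposed(cipher)})")
```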

@php-pulls

Comment on behalf of nikic at php.net:

Thanks, merged: 9d57243

@php-pulls php-pulls closed this Oct 12, 2013
@nikic (Member)

nikic commented Oct 12, 2013

Oops, accidentally closed the wrong PR. Can you please reopen it?

@rdlowrey (Contributor, Author)

@nikic yeah, no problem -- I'll reopen it when I get back to a computer.

@kaplanlior (Contributor)

@rdlowrey ping about reopening this PR...

@rdlowrey (Contributor, Author)

@kaplanlior Github wouldn't allow me to reopen this PR, so I created a new one here: PR 493
