Skip to content

Honor cipher order #493

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

Honor cipher order #493

wants to merge 2 commits into from

Conversation

rdlowrey
Copy link
Contributor

Mitigating the BEAST TLS Vulnerability

The BEAST TLS attack vector was first publicized in 2011. Mitigating this attack is relatively simple: servers have only to prioritize ciphers that aren't susceptible to the attack. However, unless instructed otherwise, OpenSSL uses the client's preferences when negotiating the cipher. To prevent nefarious (or naive) clients from prioritizing susceptible ciphers servers must configure SSL sessions using OpenSSL's SSL_OP_CIPHER_SERVER_PREFERENCE context option.

Proposed Solution

This patch adds a new boolean ssl context option, "honor_cipher_order", to mitigate BEAST vulnerabilities in encrypted stream servers.

Suggested Usage
<?php
$bindTo = 'tls://127.0.0.1:12345';
$flags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
$ctx = stream_context_create(['ssl' => [
    'local_cert' => '/path/to/cert.pem',
    'ciphers' => '<place your ordered cipher list here>',
    'honor_cipher_order' => TRUE
]]);
$server = stream_socket_server($bindTo, $errNo, $errStr, $flags, $ctx);
How Problematic Is This Really?

The 2011 BEAST attack8 targets a 2004 vulnerability in TLS 1.0 and earlier protocol versions, previously thought to be impractical to exploit. For a period of time, server-side mitigation of the BEAST attack was considered appropriate, even though the weakness is on the client side. Unfortunately, to mitigate server-side requires RC4, which we now recommend to disable. Because of that, and because the BEAST attack is by now largely mitigated client-side, we no longer recommend server-side mitigation.

The impact of a successful BEAST attack is similar to that of session hijacking.

-- SSL Labs Best Practices Report (September 2013)

Other Considerations

It's not really possible to include tests for this functionality without adding new functions to retrieve the negotiated cipher from an encrypted socket stream. I don't generally feel like creating functions solely for use in testing things is a good idea, so there are no .phpt tests included. I may PR a new function to get meta information about the SSL session in the future, though. In such a case I'll go ahead and add tests for this scenario.

@rdlowrey rdlowrey mentioned this pull request Oct 15, 2013
Closed
@rdlowrey
Copy link
Contributor Author

The second commit in the PR history changes the context option name to honor_cipher_order. This change was made to match up with the naming used by Apache (SSLHonorCipherOrder) and node.js (honorCipherOrder)

@rdlowrey
Copy link
Contributor Author

Travis reports the following failed test:

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Specific crypto method for ssl:// transports. [ext/openssl/tests/streams_crypto_method.phpt]
=====================================================================

This test has nothing to do with the code involved in this PR and I've been unable to duplicate the failure locally.

@m6w6
Copy link
Contributor

m6w6 commented Oct 17, 2013

I'll check that failing test.

Regarding a test for this feature, would it be possible to write a test that uses the openssl CLI?
Even if the test runs on limited platforms (where openssl is in PATH) it would be beneficial.

@rdlowrey
Copy link
Contributor Author

@m6w6 Sorry for being off-grid for the last month -- real life intervened. I'll work on getting this tested and locked down for merge.

@rdlowrey
Copy link
Contributor Author

Closing as this PR is now part of [RFC] Improved TLS Defaults

@rdlowrey rdlowrey closed this Feb 11, 2014
@rdlowrey rdlowrey deleted the honor_cipher_order branch February 14, 2014 18:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rdlowrey @m6w6