Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add flag to set cipher suite preferences on a TLS session (backport #1020) #1028

Merged
merged 1 commit into from
Feb 8, 2022

Conversation

mergify[bot]
Copy link
Contributor

@mergify mergify bot commented Feb 8, 2022

This is an automatic backport of pull request #1020 done by Mergify.


Mergify commands and options

More conditions and actions can be found in the documentation.

You can also trigger Mergify actions by commenting on this pull request:

  • @Mergifyio refresh will re-evaluate the rules
  • @Mergifyio rebase will rebase this PR on its base branch
  • @Mergifyio update will merge the base branch into this PR
  • @Mergifyio backport <destination> will backport this PR on <destination> branch

Additionally, on Mergify dashboard you can:

  • look at your merge queues
  • generate the Mergify configuration with the config editor.

Finally, you can contact us on https://mergify.com

* Add the definitions to set preferences which can't be set via the priority string

* Extend open_stream_conenction_ext() to receive the new bit flag variable for setting cipher suite preferences on a TLS session

* Forward the flag variable to set the TLS preferences or use NO_PRIORITY_FLAGS, as required for each case.

* Catch the GNUTLS_E_DH_PRIME_UNACCEPTABLE error during
the handshake and return -2 to allow caller functions to handle this especial case.

* Handle the case GNUTLS_E_DH_PRIME_UNACCEPTABLE error. Retry with a lower prime bits number. For this, use the new bit flag variable.

What:
Currently, when the scanner opens a TLS session, cipher suite preferences can be set only via the priority string. Other preferences can be set via functions. This PR extends the open_stream_connection_ext() function to accept a flag which allows to set other preferences (e.g. the number of bits, for use in a Diffie-Hellman key exchange)

Jira: SC-441

Why:
nasl_builtin_find_service.c fails to detect SSL/TLS service because, in this particular case, the server sends a prime of 512 bits, and the client limit is 1008 (set with the NORMAL priority). This PR handles this error and set a new minimum (128) and retries to open the TLS connection.

How:
sudo openvas-nasl -X -B -d -i $PLUGINSPATH -t TARGET find_service.nasl --kb="Ports/tcp/443=1" --debug-tls=9

[19893] (1) FFDHE groups advertised, but server didn't support it; falling back to server's choice
[19893] (2) Received a prime of 512 bits, limit is 1008
lib  misc-Message: 03:36:31.165: replace key FindService/CnxTime1000/443 -> 45
lib  misc-Message: 03:36:31.166: set key Transports/TCP/443 -> 1
lib  misc-Message: 03:36:51.279: set key Services/unknown -> 443
With the PR:

[19263] (1) FFDHE groups advertised, but server didn't support it; falling back to server's choice
[19263] (2) Received a prime of 512 bits, limit is 1008
lib  misc-Message: 03:19:20.218: [19263] gnutls_handshake: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
[19263] (1) Note that the security level of the Diffie-Hellman key exchange has been lowered to 128 bits and this may allow decryption of the session data
lib  misc-Message: 03:37:38.525: replace key FindService/RwTime1000/443 -> 101
lib  misc-Message: 03:37:38.525: replace key FindService/tcp/443/get_http -> HTTP/1.0 200 OK
Date: Sat, 01 Jan 2011 00:00:53 GMT
Server: Embedded HTTP Server.
Connection: close
Content-Length: 107
Last-Modified: Fri, 28 Feb 2014 14:53:02 GMT
Content-Type: text/html

<HTML><HEAD><meta http-equiv="refresh" content="0; URL=/scgi-bin/platform.cgi"></HEAD><BODY></BODY></HTML>

lib  misc-Message: 03:37:38.525: set key Services/www -> 443
lib  misc-Message: 03:37:38.525: replace key Known/tcp/443 -> www
lib  misc-Message: 03:37:38.525: replace key www/banner/443 -> HTTP/1.0 200 OK
Date: Sat, 01 Jan 2011 00:00:53 GMT
Server: Embedded HTTP Server.
Connection: close
Content-Length: 107
Last-Modified: Fri, 28 Feb 2014 14:53:02 GMT
Content-Type: text/html

<HTML><HEAD><meta http-equiv="refresh" content="0; URL=/scgi-bin/platform.cgi"></HEAD><BODY></BODY></HTML>

(cherry picked from commit 8186bb6)
@mergify mergify bot requested a review from a team as a code owner February 8, 2022 08:27
@jjnicola jjnicola merged commit f64afcb into stable Feb 8, 2022
@jjnicola jjnicola deleted the mergify/bp/stable/pr-1020 branch February 8, 2022 12:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants