DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 9th January 2016
e1-531g e1-531g is offline
VPN Cryptographer
 
Join Date: Mar 2014
Posts: 448
Default Relayd as a HTTPS client

I have posted this to misc mailing list 6th January 2016, but no one replied.

Hi,
I am using following configuration to connect to TLS websites:
Chromium <-> relayd as a server <-> privo-
xy <-> relayd as a client <-> hostile Internet
I want to focus on relayd as a client in this mailing list thread.
I want to instruct relayd as a client to only connect using TLS versions 1.1 and 1.2
to servers. I don't want TLS version 1.0 and SSL version 3.0. Here is
, I hope relevant, part of my config /etc/relayd.conf:

Code:
http protocol certKlient {
        tls no cipher-server-preference
        tls no tlsv1.0
        tls  tlsv1.1
        tls  tlsv1.2
        tls ca key "/etc/ssl/private/ca.key" password "domek" # i will change that in   a future
        # i don't use that config to my bank account and other relevant websites
        tls ca cert "/etc/ssl/ca.crt"
        tls ciphers "HIGH:!aNULL:!eNULL:!SSLv3:!TLSv1:!DSS:!ECDSA:!RSA:!SHA1:-ECDH:ECDHE:+SHA384:+SHA256" 
        pass
}

relay  SendReencryptNormal {
        listen on 127.0.0.1 port 7443
        protocol certKlient
        forward with tls to destination
}
The problem is that I can type into terminal something like:

Code:
openssl s_server -key key.pem -cert cert.pem -accept 44330 -www -no_ssl3 -no_tls1_1 \
-no_tls1_2
or
Code:
openssl s_server -key key.pem -cert cert.pem -accept 44330 -www  -tls1
and tell Chromium to go to: https://127.0.0.1:44330/
and it will connect using TLS version 1.0.

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID:
Session-ID-ctx: 01000000
Master-Key: EC6722729D895BEBEDAEDF1964920A6EDEC11674F5FC7F213C 1449AE1CA19C393AD995 \
2FBC7B8023ECD7767D72B47D9B Start Time: 1452113060
Timeout : 300 (sec)
Verify return code: 0 (ok)

I can also go to:
https://www.ssllabs.com/ssltest/viewMyClient.html
and this website also tells me, that I can be connected using TLS version 1.0.

So this is my main problem: I don't want to connect using TLS version 1.0.

What should I add to /etc/relayd.conf to prevent that?
Reply With Quote
  #2   (View Single Post)  
Old 9th January 2016
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,292
Default

I recommend reporting the problem to bugs@, where it is less likely to be missed. This is because TLS v1.0 and v1.1 are disabled by default, according to relayd.conf(5).

Be sure to include your dmesg when you report the problem, since specific release or system build date of -current may be helpful to anyone trying to assist you.
Reply With Quote
  #3   (View Single Post)  
Old 11th January 2016
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,292
Default

I note you've posted to bugs@. You did not post a dmesg - no one is likely to examine your bug report without one.

Anyone reading your report does not know your architecture, what releaase/flavor you are using, and if you are using either -stable or -current, they do not know when your system was built so there is no way to know what commits to relayd or underlying libraries are involved.

http://www.openbsd.org/report.html
Reply With Quote
  #4   (View Single Post)  
Old 11th January 2016
TronDD TronDD is offline
Package Pilot
 
Join Date: Sep 2014
Posts: 174
Default

I'm doing something similar without privoxy in the middle. I think it's working here on a Dec 05 snapshot.

My tls options are formatted like this:
tls { no tlsv1.0, no tlsv1.1, ciphers "HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4" }

Relayd can't connect to a site that is only accepting up to tls v1.0 (as confirmed with firefox).

Tim.

EDIT:
On second thought, I realized that the host check to the tls 1.0 site was still passing. So you're right. the tls parameters seem to only apply to the server connection of relayd, not to the client connection.

EDIT2: ...Sorry. You got a reply on bugs@, I confirmed what Benno said. But it seems the options don't apply to the host check but do apply to the client connection.

Last edited by TronDD; 11th January 2016 at 05:27 PM.
Reply With Quote
  #5   (View Single Post)  
Old 11th January 2016
e1-531g e1-531g is offline
VPN Cryptographer
 
Join Date: Mar 2014
Posts: 448
Default

Thanks for answers.
I have tried to reproduce connection today with simpler tools and instead of Chromium I have used echo and nc. Frankly I must admit that relayd fails to connect, so it is good.
My rules just don't intercept connections on lo0 interface and don't tried to intercept on ports other than 443. First was cause of false positive using local openssl-base server, second using ssllabs web page.
It turns out that it was my fault.
Sorry.
Reply With Quote
Reply

Tags
client, https, relayd, tls

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Strong cipher config for relayd e1-531g OpenBSD Security 1 5th September 2015 03:05 AM
relayd gpatrick OpenBSD General 0 8th May 2012 10:10 PM
OBSD client hangs mounting NFS; Linux client doesn't amorphousone OpenBSD General 7 26th August 2010 05:21 AM
relayd gpatrick OpenBSD General 1 16th January 2010 12:19 AM
relayd won't work with multiple relays d0z3r OpenBSD General 0 26th June 2008 09:58 AM


All times are GMT. The time now is 11:40 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick