From 3da1637b5ec4f24787d473fa3031bed44958136e Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Fri, 6 Oct 2017 17:24:16 +0200 Subject: ssl: Extend hostname check to fallback to checking IP-address If no SNI is available and the hostname is an IP-address also check for IP-address match. This check is not as good as a DNS hostname check and certificates using IP-address are not recommended. --- lib/ssl/doc/src/ssl.xml | 52 ++++++++++++++++++++++++++++++++++--------------- 1 file changed, 36 insertions(+), 16 deletions(-) (limited to 'lib/ssl/doc/src') diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml index ca2dcbb761..e80fd59a7f 100644 --- a/lib/ssl/doc/src/ssl.xml +++ b/lib/ssl/doc/src/ssl.xml @@ -589,22 +589,19 @@ fun(srp, Username :: string(), UserState :: term()) -> {server_name_indication, HostName :: hostname()}

Specify the hostname to be used in TLS Server Name Indication extension. - Is usefull when upgrading a TCP socket to a TLS socket or if the hostname can not be - derived from the Host argument to ssl:connect/3. - Will also cause the client to preform host name verification of the peer certificate - public_key:pkix_verify_hostname(PeerCert, [{dns_id, HostName}]) -

during the x509-path validation. If the check fails the error {bad_cert, hostname_check_failiure} will be - propagated to the path validation fun verify_fun - - - {server_name_indication, disable} - -

When starting a TLS connection without upgrade, the Server Name - Indication extension is sent if possible that is can be derived from the Host argument - to ssl:connect/3. - This option can be used to disable that behavior.

-

Note that this also disables the default host name verification check of the peer certificate.

 + If not specified it will default to the Host argument of connect/[3,4] + unless it is of type inet:ipaddress().

+

+ The HostName will also be used in the hostname verification of the peer certificate using + public_key:pkix_verify_hostname/2. +

+ {server_name_indication, disable} + +

Prevents the Server Name Indication extension from being sent and + disables the hostname verification check + public_key:pkix_verify_hostname/2

+ {fallback, boolean()}

Send special cipher suite TLS_FALLBACK_SCSV to avoid undesired TLS version downgrade. @@ -881,6 +878,12 @@ fun(srp, Username :: string(), UserState :: term()) ->

Upgrades a gen_tcp, or equivalent, connected socket to an SSL socket, that is, performs the client-side ssl handshake.

+ +

If the option verify is set to verify_peer + the option server_name_indication shall also be specified, + if it is not no Server Name Indication extension will be sent, + and public_key:pkix_verify_hostname/2 + will be called with the IP-address of the connection as ReferenceID, which is proably not what you want.

 @@ -897,7 +900,24 @@ fun(srp, Username :: string(), UserState :: term()) -> SslSocket = sslsocket() Reason = term() -

Opens an SSL connection to Host, Port.

 +

Opens an SSL connection to Host, Port.

+ +

When the option verify is set to verify_peer the check + public_key:pkix_verify_hostname/2 + will be performed in addition to the usual x509-path validation checks. If the check fails the error {bad_cert, hostname_check_failed} will + be propagated to the path validation fun verify_fun, where it is possible to do customized + checks by using the full possibilitis of the public_key:pkix_verify_hostname/2 API. + + When the option server_name_indication is provided, its value (the DNS name) will be used as ReferenceID + to public_key:pkix_verify_hostname/2. + When no server_name_indication option is given, the Host argument will be used as + Server Name Indication extension. The Host argument will also be used for the + public_key:pkix_verify_hostname/2 check and if the Host + argument is an inet:ip_address() the ReferenceID used for the check will be {ip, Host} otherwise + dns_id will be assumed with a fallback to ip if that fails.

+

According to good practices certificates should not use IP-addresses as "server names". It would + be very surprising if this happen outside a closed network.

+ -- cgit v1.2.3 From 31a1cd146bf6d0caf1d3fe8005b7e6307710205d Mon Sep 17 00:00:00 2001 From: Erlang/OTP Date: Wed, 22 Nov 2017 12:23:57 +0100 Subject: Update release notes --- lib/ssl/doc/src/notes.xml | 78 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 78 insertions(+) (limited to 'lib/ssl/doc/src') diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml index 4c6a204e63..a8450c2630 100644 --- a/lib/ssl/doc/src/notes.xml +++ b/lib/ssl/doc/src/notes.xml @@ -28,6 +28,84 @@

This document describes the changes made to the SSL application.

+
SSL 8.2.2 + +
Fixed Bugs and Malfunctions + + +

+ TLS sessions must be registered with SNI if provided, so + that sessions where client hostname verification would + fail can not connect reusing a session created when the + server name verification succeeded.

+

+ Own Id: OTP-14632

+ + +

An erlang TLS server configured with cipher suites + using rsa key exchange, may be vulnerable to an Adaptive + Chosen Ciphertext attack (AKA Bleichenbacher attack) + against RSA, which when exploited, may result in + plaintext recovery of encrypted messages and/or a + Man-in-the-middle (MiTM) attack, despite the attacker not + having gained access to the server’s private key + itself. CVE-2017-1000385 +

Exploiting this vulnerability to perform + plaintext recovery of encrypted messages will, in most + practical cases, allow an attacker to read the plaintext + only after the session has completed. Only TLS sessions + established using RSA key exchange are vulnerable to this + attack.

Exploiting this vulnerability to conduct + a MiTM attack requires the attacker to complete the + initial attack, which may require thousands of server + requests, during the handshake phase of the targeted + session within the window of the configured handshake + timeout. This attack may be conducted against any TLS + session using RSA signatures, but only if cipher suites + using RSA key exchange are also enabled on the server. + The limited window of opportunity, limitations in + bandwidth, and latency make this attack significantly + more difficult to execute.

RSA key exchange is + enabled by default although least prioritized if server + order is honored. For such a cipher suite to be chosen it + must also be supported by the client and probably the + only shared cipher suite.

Captured TLS sessions + encrypted with ephemeral cipher suites (DHE or ECDHE) are + not at risk for subsequent decryption due to this + vulnerability.

As a workaround if default cipher + suite configuration was used you can configure the server + to not use vulnerable suites with the ciphers option like + this:

{ciphers, [Suite || Suite <- + ssl:cipher_suites(), element(1,Suite) =/= rsa]}

+ that is your code will look somethingh like this:

+ ssl:listen(Port, [{ciphers, [Suite || Suite <- + ssl:cipher_suites(), element(1,S) =/= rsa]} | Options]). +

Thanks to Hanno Böck, Juraj Somorovsky and + Craig Young for reporting this vulnerability.

+

+ Own Id: OTP-14748

+ + +
+ + +
Improvements and New Features + + +

+ If no SNI is available and the hostname is an IP-address + also check for IP-address match. This check is not as + good as a DNS hostname check and certificates using + IP-address are not recommended.

+

+ Own Id: OTP-14655

+ + +
+ +
+
SSL 8.2.1
Fixed Bugs and Malfunctions -- cgit v1.2.3