Re: Discussion of Ncat's SSL security choices

[David Fifield <david () bamsoftware com>]

On Tue, Jan 06, 2015 at 09:32:00PM -0600, Daniel Miller wrote:
> In addition to bug reports and code submissions, we are using Github Issues to
> hold some todo items. One of those [1] is to "Audit or review Ncat's use of SSL
> /TLS."
>
> This is really less of an audit of the code, and more of a requirements
> solicitation. I need you all to put on your thinking caps and help decide how
> Ncat will handle things like:
>
> * Certificate verification
> * Protocol version (i.e. SSL3, TLS1.2, etc) selection
> * Certificate revocation checking
>
> Or anything else you can think of.
>
> This is an important decision, because the use of Ncat is not strictly opt-in
> any more: Red Hat has adopted Ncat as their default Netcat replacement. Keep
> this in mind when considering how the average sysadmin will use it, and what
> behaviors they may expect or require.

Here's some historical background on Ncat SSL:
http://seclists.org/nmap-dev/2009/q2/183
Nmap's -sV doesn't care about security, so it uses whatever weak ciphers
and SSL versions the server offers. We wanted Ncat to have better
options by default, which is why there is now an nsp_ssl_init and
nsp_ssl_init_max_speed in nsock/src/nsock_ssl.c.

Here's a way to test the Ncat client with SSL Labs:
        echo -n $'GET /ssltest/viewMyClient.html HTTP/1.0\r\nHost: www.ssllabs.com\r\n\r\n' | ./ncat --ssl -v 
www.ssllabs.com 443 | sed -e '0,/^\r$/d' > viewMyClient.html
For me, it rates these parts as WEAK or INSECURE:
        TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)     INSECURE
        TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)     INSECURE
        TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)         WEAK
        TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)       WEAK
        TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016)         INSECURE
        TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)          WEAK
        TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)        WEAK
        TLS_RSA_WITH_RC4_128_SHA (0x5)                  WEAK
        TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)    INSECURE
I'm surprised at those _anon_ ciphers in there. But I guess they come
out of our cipher specification:
        openssl ciphers 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'
includes AECDH-AES256-SHA, AECDH-AES128-SHA, AECDH-RC4-SHA, and
AECDH-DES-CBC3-SHA. I guess !ADH excludes anonymous Diffie–Hellman, but
not anonymous EC Diffie–Hellman.

Here's another way to see the client handshake:
        tshark -V -Y ssl.handshake.ciphersuites -f "port 443"

I'd be in favor of disabling SSLv3.

Revocation checking was intimidating when I first looked at it. Even in
browsers behavior is not standardized.

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/