  • Status: Solved
  • Priority: Low
  • Security: Public
  • Views: 94

Delphi Berlin TIdHTTPServer (Indy 10) [https/ssl/tls]: obsolete key exchange (RSA) and vulnerability Client-initiated renegotiation

I have an IdHTTPServer and I want to implement support for handling both HTTP and HTTPS requests. Here is my config:

// requires IdHTTPServer and IdSSLOpenSSL in the uses clause
FSSLHandler := TIdServerIOHandlerSSLOpenSSL.Create(nil);
FSSLHandler.SSLOptions.CertFile     := 'certificate.pem'; // server certificate
FSSLHandler.SSLOptions.KeyFile      := 'key.pem';         // private key
FSSLHandler.SSLOptions.RootCertFile := 'chain.pem';       // intermediate chain

FIdHTTPServer.Bindings.Add.Port := 443;
FIdHTTPServer.IOHandler := FSSLHandler;

FIdHTTPServer.Active := True; // TIdHTTPServer exposes Active, not Activate

In the server directory I have ssleay32.dll and ssleay32.dll v1.0.2l (Win32), downloaded from http://indy.fulgan.com/SSL/

When I make a request from Chrome, in the Security tab of the developer tools I see:

[screenshot of Chrome's Security tab reporting an obsolete key exchange (RSA)]
Also, analyzing the server with sslyze, I have some other security issues (see the VULNERABLE label):

> sslyze --regular local.XXXXXXXXXXXXXX.com:4343

SCAN RESULTS FOR LOCAL.XXXXXXXXXXXXXX.COM:4343 - 127.0.0.1
 --------------------------------------------------------

 * SSLV2 Cipher Suites:
      Server rejected all cipher suites.

 * TLSV1_1 Cipher Suites:
     Preferred:
        None - Server followed client cipher suite preference.                                                            
     Accepted:
        TLS_RSA_WITH_AES_256_CBC_SHA                      -              256 bits                                                                  
        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 -              256 bits                                                                  
        TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                 -              128 bits                                                                  
        TLS_RSA_WITH_AES_128_CBC_SHA                      -              128 bits                                                                  
        TLS_RSA_WITH_SEED_CBC_SHA                         -              128 bits                                                                  

 * SSLV3 Cipher Suites:
      Server rejected all cipher suites.

 * TLSV1 Cipher Suites:
     Preferred:
        None - Server followed client cipher suite preference.                                                            
     Accepted:
        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 -              256 bits                                                                  
        TLS_RSA_WITH_AES_256_CBC_SHA                      -              256 bits                                                                  
        TLS_RSA_WITH_SEED_CBC_SHA                         -              128 bits                                                                  
        TLS_RSA_WITH_AES_128_CBC_SHA                      -              128 bits                                                                  
        TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                 -              128 bits                                                                  

 * Deflate Compression:
                                          OK - Compression disabled

 * Downgrade Attacks:
       TLS_FALLBACK_SCSV:                 OK - Supported

 * OpenSSL Heartbleed:
                                          OK - Not vulnerable to Heartbleed

 * OpenSSL CCS Injection:
                                          OK - Not vulnerable to OpenSSL CCS injection

 * Session Renegotiation:
       Client-initiated Renegotiation:    VULNERABLE - Server honors client-initiated renegotiations
       Secure Renegotiation:              OK - Supported

 * Resumption Support:
      With Session IDs:                  OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
      With TLS Tickets:                  OK - Supported

 * TLSV1_2 Cipher Suites:
     Preferred:
        None - Server followed client cipher suite preference.                                                            
     Accepted:
        TLS_RSA_WITH_AES_256_GCM_SHA384                   -              256 bits                                                                  
        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 -              256 bits                                                                  
        TLS_RSA_WITH_AES_256_CBC_SHA                      -              256 bits                                                                  
        TLS_RSA_WITH_AES_256_CBC_SHA256                   -              256 bits                                                                  
        TLS_RSA_WITH_AES_128_GCM_SHA256                   -              128 bits                                                                  
        TLS_RSA_WITH_AES_128_CBC_SHA                      -              128 bits                                                                  
        TLS_RSA_WITH_SEED_CBC_SHA                         -              128 bits                                                                  
        TLS_RSA_WITH_AES_128_CBC_SHA256                   -              128 bits                                                                  
        TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                 -              128 bits                                                                  

 * Certificate Information:
     Content
       SHA1 Fingerprint:                  47d0385fb45a82a91f9d8639ea222191adb12719
       Common Name:                       *.XXXXXXXXXXXXXX.com
       Issuer:                            XXXXXXXX RSA Domain Validation Secure Server CA
       Serial Number:                     10462331755053598199612105214047533723
       Not Before:                        2017-09-20 00:00:00
       Not After:                         2020-09-19 23:59:59
       Signature Algorithm:               sha256
       Public Key Algorithm:              RSA
       Key Size:                          2048
       Exponent:                          65537 (0x10001)
       DNS Subject Alternative Names:     ['*.XXXXXXXXXXXXXX.com', 'XXXXXXXXXXXXXX.com']

     Trust
       Hostname Validation:               OK - Certificate matches local.XXXXXXXXXXXXXX.com
       AOSP CA Store (7.0.0 r1):          OK - Certificate is trusted
       Apple CA Store (OS X 10.11.6):     OK - Certificate is trusted
       Java 7 CA Store (Update 79):       OK - Certificate is trusted
       Microsoft CA Store (09/2016):      OK - Certificate is trusted
       Mozilla CA Store (09/2016):        OK - Certificate is trusted
       Received Chain:                    *.XXXXXXXXXXXXXX.com --> XXXXXXXX RSA Domain Validation Secure Server CA --> XXXXXXXX RSA Certification Authority
       Verified Chain:                    *.XXXXXXXXXXXXXX.com --> XXXXXXXX RSA Domain Validation Secure Server CA --> XXXXXXXX RSA Certification Authority
       Received Chain Contains Anchor:    OK - Anchor certificate not sent
       Received Chain Order:              OK - Order is valid
       Verified Chain contains SHA1:      OK - No SHA1-signed certificate in the verified certificate chain

     OCSP Stapling
                                          NOT SUPPORTED - Server did not send back an OCSP response.


 SCAN COMPLETED IN 1.34 S
 ------------------------

I have tried to fix the issues by setting the CipherList and Method as follows:

  FSSLHandler.SSLOptions.Method      := sslvTLSv1_2;
  FSSLHandler.SSLOptions.Mode        := sslmUnassigned;
  FSSLHandler.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2]; // SSLv2/SSLv3 excluded
  // OpenSSL cipher string: protocol groups first, then exclusions (!)
  FSSLHandler.SSLOptions.CipherList  := 'TLSv1:TLSv1.2:SSLv3:!RC4:!NULL-MD5:!NULL-SHA:!NULL-SHA256:!DES-CBC-SHA:!DES-CBC3-SHA:!IDEA-CBC-SHA';

but the errors persist.

How can I fix the obsolete key exchange (RSA) reported by Chrome and the Client-initiated Renegotiation vulnerability reported by sslyze?

Side note: I want to try to implement SSL on the Indy server by following the most common best practices, such as https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices

Following https://cipherli.st/ I have also tried to use:

  FSSLHandler.SSLOptions.Method      := sslvTLSv1_2;
  FSSLHandler.SSLOptions.Mode        := sslmUnassigned;
  FSSLHandler.SSLOptions.SSLVersions := [sslvTLSv1_2]; // TLS 1.2 only
  // only ephemeral (EC)DHE key exchange, AES-GCM or AES-256
  FSSLHandler.SSLOptions.CipherList  := 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

but it raises an exception:

   Error accepting connection with SSL. error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

in IdSSLOpenSSL.pas at line 3563:

// RLebeau: if this socket's IOHandler was cloned, no need to reuse the
// original IOHandler's active session ID, since this is a server socket
// that generates its own sessions...
error := SSL_accept(fSSL);
if error <= 0 then begin
  EIdOSSLAcceptError.RaiseException(fSSL, error, RSSSLAcceptError); // EXCEPTION HERE
end;
if Supports(fParent, IIdSSLOpenSSLCallbackHelper, IInterface(LHelper)) then 
begin
  LParentIO := LHelper.GetIOHandlerSelf;
  if LParentIO <> nil then begin
    StatusStr := 'Cipher: name = ' + Cipher.Name + '; ' +    {Do not Localize}
               'description = ' + Cipher.Description + '; ' +    {Do not Localize}
               'bits = ' + IntToStr(Cipher.Bits) + '; ' +    {Do not Localize}
               'version = ' + Cipher.Version + '; ';    {Do not Localize}
    LParentIO.DoStatusInfo(StatusStr);
  end;
  LHelper := nil;
end;

The Indy server does not seem to accept the CipherList in the same way Apache does. The official documentation is vague:

    TIdSSLOptions.CipherList Property

    Pascal: property CipherList: String;

    Description: CipherList is a Published String property. Write access for the property is implemented using fCipherList.
Asked by: Simone Nigro

1 Solution

btan (Exec Consultant) commented:
For "obsolete key exchange (RSA)", you should use DHE_RSA or ECDHE_RSA. Preferably, RSA should only be used for authentication, and the key exchange should be performed using DHE or ECDHE.
To remove the "obsolete cryptography" warning, you'll need to use "modern cryptography", which is defined as:

Protocol: TLS 1.2 or QUIC
Cipher: AES_128_GCM or CHACHA20_POLY1305
Key exchange: DHE_RSA or ECDHE_RSA or ECDHE_ECDSA
This is because your existing cipher suites do not support forward secrecy or authenticated encryption (AEAD). The use of DHE has a weak length (1024 bit), so the recommendation is to go for ECDHE, but not all servers support it.

You can try the SSLLabs test (https://www.ssllabs.com/ssltest/analyze.html) to confirm whether the cipher is supported. But from your testing, the listed cipher list does not seem to support the required ciphers mentioned earlier.

A note: OpenSSL does not enable DH or ECDH by default. You must manually enable these, otherwise DH and ECDH ciphers will be ignored. See https://en.wikibooks.org/wiki/OpenSSL/Diffie-Hellman_parameters


For renegotiation, OpenSSL must be at least 0.9.8m, which I suppose you already have, since secure client renegotiation.

CVE-2009-3555 (OpenSSL advisory) 5th November 2009:
Implement RFC5746 to address vulnerabilities in SSL/TLS renegotiation.
Fixed in OpenSSL 0.9.8m (Affected 0.9.8l, 0.9.8k, 0.9.8j, 0.9.8i, 0.9.8h, 0.9.8g, 0.9.8f, 0.9.8e, 0.9.8d, 0.9.8c, 0.9.8b, 0.9.8a, 0.9.8)
You will need to know the specifics of the server to go about disabling client renegotiation. I'm not sure of the command per se, but it is better to raise a support ticket if that is available.
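As an added example (not part of the question, of btan's answer, or of Indy), the following Python script applies the "modern cryptography" criteria from the answer to the sslyze output in the question. It classifies each accepted IANA suite name by key-exchange family and AEAD use, and it expands the two CipherList strings from the question with the local OpenSSL (via Python's ssl module) to show which key exchanges each string actually enables. The sslyze excerpt is a constructed, shortened copy of the TLSV1_2 block above; the line layout the regex assumes and the "Kx=" token read from OpenSSL's cipher description are assumptions about those tools' output formats.

```python
"""Audit TLS cipher suites for forward secrecy and AEAD (added example)."""
import re
import ssl

# Constructed sample: a shortened copy of the TLSV1_2 "Accepted:" block from
# the sslyze scan in the question (same suite names, fewer lines).
SSLYZE_EXCERPT = """\
 * TLSV1_2 Cipher Suites:
     Preferred:
        None - Server followed client cipher suite preference.
     Accepted:
        TLS_RSA_WITH_AES_256_GCM_SHA384                   -              256 bits
        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 -              256 bits
        TLS_RSA_WITH_AES_128_CBC_SHA256                   -              128 bits
"""

# The two CipherList values tried in the question.
ORIGINAL_SPEC = ("TLSv1:TLSv1.2:SSLv3:!RC4:!NULL-MD5:!NULL-SHA:!NULL-SHA256:"
                 "!DES-CBC-SHA:!DES-CBC3-SHA:!IDEA-CBC-SHA")
FS_SPEC = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"

# Assumed sslyze line layout: "<indent>TLS_... <spaces>-<spaces><n> bits".
SUITE_RE = re.compile(r"^\s+(TLS_[A-Z0-9_]+)\s+-\s+(\d+) bits", re.M)


def parse_sslyze_suites(text):
    """Return (iana_name, bits) for every suite line in sslyze output."""
    return [(m.group(1), int(m.group(2))) for m in SUITE_RE.finditer(text)]


def classify_suite(name):
    """Classify an IANA suite name by key-exchange family and AEAD use.

    In TLS 1.2 names the part before _WITH_ is the key exchange
    (RSA = static RSA, no forward secrecy; ECDHE_*/DHE_* = ephemeral).
    TLS 1.3 names (TLS_AES_128_GCM_SHA256) carry no key-exchange part
    because TLS 1.3 only allows ephemeral (EC)DHE.
    """
    if "_WITH_" in name:
        kx = name.split("_WITH_", 1)[0][len("TLS_"):]
        forward_secrecy = kx.startswith(("ECDHE_", "DHE_"))
    else:
        kx, forward_secrecy = "ephemeral (TLS 1.3)", True
    aead = "_GCM_" in name or "CHACHA20_POLY1305" in name or "_CCM" in name
    return {"name": name, "kx": kx, "forward_secrecy": forward_secrecy, "aead": aead}


def audit(text):
    """List each accepted suite with the reasons it fails the 'modern' bar."""
    findings = []
    for name, _bits in parse_sslyze_suites(text):
        c = classify_suite(name)
        problems = []
        if not c["forward_secrecy"]:
            problems.append("static key exchange (%s): no forward secrecy" % c["kx"])
        if not c["aead"]:
            problems.append("non-AEAD cipher")
        findings.append((name, problems))
    return findings


def expand_cipher_string(spec):
    """Expand an OpenSSL cipher string with the locally linked OpenSSL.

    Returns [(openssl_name, kx)] for TLS 1.2-and-below suites; TLS 1.3
    suites are skipped because OpenSSL configures them separately.
    'kx' is read from the Kx= token of OpenSSL's own description line
    (assumed format). Raises ssl.SSLError if the string selects nothing.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    result = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        m = re.search(r"Kx=(\S+)", c["description"])
        result.append((c["name"], m.group(1) if m else "unknown"))
    return result


def key_exchanges(spec):
    """Set of key-exchange families (RSA, ECDH, DH, ...) a cipher string enables."""
    return {kx for _name, kx in expand_cipher_string(spec)}


if __name__ == "__main__":
    for name, problems in audit(SSLYZE_EXCERPT):
        print(name, "->", "; ".join(problems) or "OK")
    print("original CipherList enables Kx:", sorted(key_exchanges(ORIGINAL_SPEC)))
    print("forward-secrecy CipherList enables Kx:", sorted(key_exchanges(FS_SPEC)))
```

Running it shows why the first CipherList changed nothing: the TLSv1/TLSv1.2/SSLv3 groups still include every static-RSA suite, so Chrome keeps seeing "Kx=RSA". The second string expands to ECDH and DH key exchanges only, which is what the answer asks for; but, as the answer also notes, a string being accepted by OpenSSL is not the same as the server being able to use those suites at handshake time, since the ECDH curve or DH parameters must be enabled on the server context or the handshake ends in "no shared cipher".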
