Issue #9424 has been updated by B Kelly.


 shyouhei / ruby-lang.org wrote:
 > B Kelly wrote:
 >>  
 >>  I think we're talking at cross-purposes.  Your arguments focus on what would
 >>  be ideal: an upstream patch by OpenSSL.  I think nobody disagrees that would be
 >>  ideal, and presumably most among us are familiar with the downsides of maintaining
 >>  downstream patches.
 > 
 > Then how can it be legitimate for you to blame Debian people?
 > I don't wanna be raped like them.
 
 Interesting.  I feel I must be communicating unclearly.
 
 I'm not someone who blamed Debian.  (It's my preferred Linux distro.)  Indeed, the
 Debian maintainer who removed lines of code affecting the OpenSSL PRNG first
 posted on the OpenSSL mailing list explaining his situation and asked if it was
 OK to remove the code.
 
 As I wrote in an earlier post, I think the details of what transpired in the
 Debian/OpenSSL blunder are interesting.
 
 Particularly, I think the details show it's difficult to point fingers at a specific
 person or part of the process in the Debian/OpenSSL situation.  Mistakes were made;
 and yet the actions taken at each discrete step in the process seemed fairly
 reasonable.
 
 And in that /particular/ sense I recognize the parallels being drawn to the
 debate here about hardening the OpenSSL defaults for Ruby.
 
 My position has simply been that I regard the following scenarios as categorically
 distinct:
 
 1. "I don't know what these lines of code in OpenSSL do, but Valgrind complains.
 Is it OK if I remove them?"
 
 2. "SSLv2, TLS compression, and certain specific ciphers are regarded by the
 security community as weak or exploitable.  Is it reasonable and beneficial to
 Ruby users if we exclude them from our defaults?"
 
 To me, there appears to be a vast distance between #1 and #2.  My recent posts on
 this thread have been in part an attempt to understand the opposing view by
 eliciting responses from those who disagree.
 
 
 Regards,
 
 Bill

----------------------------------------
Bug #9424: ruby 1.9 & 2.x has insecure SSL/TLS client defaults 
https://bugs.ruby-lang.org/issues/9424#change-44560

* Author: Jeff Hodges
* Status: Assigned
* Priority: Normal
* Assignee: Martin Bosslet
* Category: ext/openssl
* Target version: current: 2.2.0
* ruby -v: ruby 2.1.0p0 (2013-12-25 revision 44422) [x86_64-darwin12]
* Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
Ruby 1.9, 2.0, and 2.1 use insecure defaults for SSL/TLS client connections. They have inherited or overridden configs that make the OpenSSL-controlled connections insecure. Note: both OpenSSL's and Ruby's defaults in all tested versions are currently insecure. Confirmation of the issues with Ruby's TLS client can be done with the code in [1].

Ruby is using TLS compression by default. This opens Ruby clients to the CRIME attack[2].

Ruby also uses a variety of insecure cipher suites. These cipher suites either use key sizes much smaller than the currently recommended size, making brute forcing a decryption easy, or do not check the veracity of the server's certificate making them susceptible to man-in-the-middle attacks[3][4].

Ruby also appears to allow SSLv2 connections by default. It does so by first trying to connect with a SSLv2 client hello with a higher SSL/TLS version inside of it which allows SSLv2 servers to work. SSLv2 was broken in the 1990s and is considered unsafe.

These issues expose Ruby users to attacks that have been known for many years, and are trivial to discover. These defaults are often build specific, and are not the same across platforms, but are consistently poor (the code in [1] can evaluate the build). A patch from a core developer on the security@ list is attached. However, the patch does not correct the suspect SSLv2 configuration. It is believed that Ruby 1.8 is also a concern, but, since it was obsoleted, it's not been investigated.

A report similar to this was sent to security / ruby-lang.org four days ago. The Ruby core developers have been unable to patch these problems in a timely manner for it for what I and others believe are concerning reasons. This ticket is being made to allow engineers outside of the small group that are on security@ to protect themselves from these attacks.

[1] https://gist.github.com/cscotta/8302049
[2] https://www.howsmyssl.com/s/about.html#tls-compression
[3] https://www.howsmyssl.com/s/about.html#insecure-cipher-suites
[4] TLS_DHE_DSS_WITH_DES_CBC_SHA - small keys
TLS_DHE_RSA_WITH_DES_CBC_SHA - small keys
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - MITM
TLS_ECDH_anon_WITH_AES_128_CBC_SHA - MITM
TLS_ECDH_anon_WITH_AES_256_CBC_SHA - MITM
TLS_ECDH_anon_WITH_RC4_128_SHA - MITM
TLS_RSA_WITH_DES_CBC_SHA - small keys
TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA - MITM
TLS_SRP_SHA_WITH_AES_128_CBC_SHA - MITM
TLS_SRP_SHA_WITH_AES_256_CBC_SHA - MITM

---Files--------------------------------
ruby_ssl.patch (1.08 KB)
change_ssl_defaults.diff (1.24 KB)


-- 
http://bugs.ruby-lang.org/