Issue #9424 has been updated by B Kelly.


 shyouhei / ruby-lang.org wrote:
 >
 > Alright, I see you are not blaming Debian people.  Thank you.
 > 
 > But I see "I don't know what these lines of code in OpenSSL do, but Valgrind
 > complains." is a completely valid reason to fix something.  In fact I have
 > just read the patch denbian introduced and still see no problem on it.  So I
 > can't draw a line between #1 and #2.  They are equally true.  And the history
 > tells the patch was wrong; how can you say #2 is OK?
 
 To me, the difference hinges on the premise that the defaults function by
 selecting from a set of features which are intended to be enabled or disabled
 /by design/.
 
 For example, the first time my servers were scanned with tools like Nessus or
 OpenVAS, I received reports similar to the following:
 
   Your https is vulnerable due to old protocols and weak ciphers.
 
   Remove vulnerable Apache SSL defaults as follows:
 
   # enable SSLv3 and TLSv1, but not SSLv2
   SSLProtocol all -SSLv2
 
   # exclude weak ciphers
   SSLCipherSuite !EXPORT40:!EXPORT56:!LOW:!ADH:DHE-RSA-AES256-SHA:EDH-RSA-DES-CBC3-SHA:DHE-RSA-AES128-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA
 
 This seems to me very different than if the report were to tell me instead:
 "Apply the following ad hoc patch to source code that affects the OpenSSL
 internals."
 
 Rather, the protocol list and cipher suite configuration seems intended to be
 customizable by design.
 
 
 > Recap.  Ruby is not just requested to have a particular patch.  Ruby is
 > requested to act as a sanity proxy over OpenSSL to prevent it from going mad.
 > Without any patch you CAN operate Ruby safely already, right?  But you say
 > that's not sufficient.  You request us to provide Ruby that you CANT fail.
 
 I believe my own position to be less extreme: I have not been arguing for a
 Ruby that can't fail; just a Ruby whose default configuration excludes already-
 known weak ciphers or protocol versions.
 
 However, since I'm not a security expert, my argument has been based on the
 assumption that information provided by tools like Nessus (and various
 security blogs) is correct.
 
 My presumption had been that customizing Ruby's OpenSSL defaults is something
 which could be accomplished in approximately as simple a manner as the Apache
 SSL customization above.
 
 (It sounds like this has mostly been true, apart from some difficulty arising
 from supporting older OpenSSL versions.)
 
 
 > Those patches proposed here SEEMS to provide adequate defaults to
 > OpenSSL and so what?  I think that doesn't finish this story.  Because no one
 > can say those patches are ultimate solutions.  And the request here is for
 > us to provide ultimate solution for users.
 
 I'm not sure which posts have been advocating an ultimate solution?
 
 My understanding is that once specific protocol versions or ciphers have been
 identified by security experts as weak or exploitable, there's no plausible
 future in which this will cease to be true.
 
 So my reasoning is, if specific ciphers or protocol versions are known now
 to be weak, and will continue to be weak until the end of time, then it would
 seem to benefit Ruby users if these were disabled by default.
 
 (Of course, my viewpoint is the same should also be true for Apache users, but
 I've never joined any Apache development mailing lists.)
 
 
 Regards,
 
 Bill

----------------------------------------
Bug #9424: ruby 1.9 & 2.x has insecure SSL/TLS client defaults 
https://bugs.ruby-lang.org/issues/9424#change-44626

* Author: Jeff Hodges
* Status: Assigned
* Priority: Normal
* Assignee: Martin Bosslet
* Category: ext/openssl
* Target version: current: 2.2.0
* ruby -v: ruby 2.1.0p0 (2013-12-25 revision 44422) [x86_64-darwin12]
* Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
Ruby 1.9, 2.0, and 2.1 use insecure defaults for SSL/TLS client connections. They have inherited or overridden configs that make the OpenSSL-controlled connections insecure. Note: both OpenSSL's and Ruby's defaults in all tested versions are currently insecure. Confirmation of the issues with Ruby's TLS client can be done with the code in [1].

Ruby is using TLS compression by default. This opens Ruby clients to the CRIME attack[2].

Ruby also uses a variety of insecure cipher suites. These cipher suites either use key sizes much smaller than the currently recommended size, making brute forcing a decryption easy, or do not check the veracity of the server's certificate making them susceptible to man-in-the-middle attacks[3][4].

Ruby also appears to allow SSLv2 connections by default. It does so by first trying to connect with a SSLv2 client hello with a higher SSL/TLS version inside of it which allows SSLv2 servers to work. SSLv2 was broken in the 1990s and is considered unsafe.

These issues expose Ruby users to attacks that have been known for many years, and are trivial to discover. These defaults are often build specific, and are not the same across platforms, but are consistently poor (the code in [1] can evaluate the build). A patch from a core developer on the security@ list is attached. However, the patch does not correct the suspect SSLv2 configuration. It is believed that Ruby 1.8 is also a concern, but, since it was obsoleted, it's not been investigated.

A report similar to this was sent to security / ruby-lang.org four days ago. The Ruby core developers have been unable to patch these problems in a timely manner for it for what I and others believe are concerning reasons. This ticket is being made to allow engineers outside of the small group that are on security@ to protect themselves from these attacks.

[1] https://gist.github.com/cscotta/8302049
[2] https://www.howsmyssl.com/s/about.html#tls-compression
[3] https://www.howsmyssl.com/s/about.html#insecure-cipher-suites
[4] TLS_DHE_DSS_WITH_DES_CBC_SHA - small keys
TLS_DHE_RSA_WITH_DES_CBC_SHA - small keys
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - MITM
TLS_ECDH_anon_WITH_AES_128_CBC_SHA - MITM
TLS_ECDH_anon_WITH_AES_256_CBC_SHA - MITM
TLS_ECDH_anon_WITH_RC4_128_SHA - MITM
TLS_RSA_WITH_DES_CBC_SHA - small keys
TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA - MITM
TLS_SRP_SHA_WITH_AES_128_CBC_SHA - MITM
TLS_SRP_SHA_WITH_AES_256_CBC_SHA - MITM

---Files--------------------------------
ruby_ssl.patch (1.08 KB)
change_ssl_defaults.diff (1.24 KB)


-- 
http://bugs.ruby-lang.org/