Hi,
I'm running rpmlint against packages built based on the Fedora Copr [1] build I've provided for some time. I'm planning to move this forward for the standard Fedora and EPEL repositories. But rpmlint complains about the usage of SSL_CTX_set_cipher_list(), which I in this case would call a false-positive for OpenVPN.
[1] https://copr.fedorainfracloud.org/coprs/dsommers/openvpn3/ https://gitlab.com/dazo/copr-openvpn3
The code which trips this warning is:
-------------------------------------------------------------------------------
    if (config->force_aes_cbc_ciphersuites)
      {
        if (!SSL_CTX_set_cipher_list(ctx, "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"))
          OPENVPN_THROW(ssl_context_error, "OpenSSLContext: SSL_CTX_set_cipher_list failed for force_aes_cbc_ciphersuites");
      }
    else
      {
        if (!SSL_CTX_set_cipher_list(ctx,
                                     /* default list as a basis */
                                     "DEFAULT"
                                     /* Disable export ciphers, low and medium */
                                     ":!EXP:!LOW:!MEDIUM"
                                     /* Disable static (EC)DH keys (no forward secrecy) */
                                     ":!kDH:!kECDH"
                                     /* Disable DSA private keys */
                                     ":!DSS"
                                     /* Disable RC4 cipher */
                                     ":!RC4"
                                     /* Disable MD5 */
                                     ":!MD5"
                                     /* Disable unsupported TLS modes */
                                     ":!PSK:!SRP:!kRSA"
                                     /* Disable SSLv2 cipher suites*/
                                     ":!SSLv2"
                                     ))
          OPENVPN_THROW(ssl_context_error, "OpenSSLContext: SSL_CTX_set_cipher_list failed");
#if OPENSSL_VERSION_NUMBER >= 0x10002000L && OPENSSL_VERSION_NUMBER < 0x10100000L
        SSL_CTX_set_ecdh_auto(ctx, 1); // this method becomes a no-op in OpenSSL 1.1
#endif
      }
-------------------------------------------------------------------------------
These calls can be found in openvpn/openssl/ssl/sslctx.hpp
https://github.com/OpenVPN/openvpn3/blob/b62654274fd938ebb82dbe3a2e78d9b8fd465970/openvpn/openssl/ssl/sslctx.hpp#L1094
The first SSL_CTX_set_cipher_list() is being slated for removal, as the "force_aes_cbc_ciphersuites" feature is not considered needed any more; negotiation works much better nowadays than when this was added about 5 years ago. But the cipher-list here shouldn't be of that much concern.
The second block should really be fine too, it just strictly enforces a fairly strict default set of ciphers.
So my question is if this will be a show-stopper for getting the openvpn3 package into the standard Fedora + EPEL repositories?
-- kind regards,
David Sommerseth OpenVPN Inc
On Tue, 2020-02-18 at 21:16 +0100, David Sommerseth wrote:
> Hi,
> I'm running rpmlint against packages built based on the Fedora Copr [1] build I've provided for some time. I'm planning to move this forward for the standard Fedora and EPEL repositories. But rpmlint complains about the usage of SSL_CTX_set_cipher_list(), which I in this case would call a false-positive for OpenVPN.
> [1] https://copr.fedorainfracloud.org/coprs/dsommers/openvpn3/ https://gitlab.com/dazo/copr-openvpn3
> The code which trips this warning is:
>     if (config->force_aes_cbc_ciphersuites)
>       {
>         if (!SSL_CTX_set_cipher_list(ctx, "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"))
>           OPENVPN_THROW(ssl_context_error, "OpenSSLContext: SSL_CTX_set_cipher_list failed for force_aes_cbc_ciphersuites");
>       }
>     else
>       {
>         if (!SSL_CTX_set_cipher_list(ctx,
>                                      /* default list as a basis */
>                                      "DEFAULT"
>                                      /* Disable export ciphers, low and medium */
>                                      ":!EXP:!LOW:!MEDIUM"
>                                      /* Disable static (EC)DH keys (no forward secrecy) */
>                                      ":!kDH:!kECDH"
>                                      /* Disable DSA private keys */
>                                      ":!DSS"
>                                      /* Disable RC4 cipher */
>                                      ":!RC4"
>                                      /* Disable MD5 */
>                                      ":!MD5"
>                                      /* Disable unsupported TLS modes */
>                                      ":!PSK:!SRP:!kRSA"
>                                      /* Disable SSLv2 cipher suites*/
>                                      ":!SSLv2"
>                                      ))
>           OPENVPN_THROW(ssl_context_error, "OpenSSLContext: SSL_CTX_set_cipher_list failed");
> #if OPENSSL_VERSION_NUMBER >= 0x10002000L && OPENSSL_VERSION_NUMBER < 0x10100000L
>         SSL_CTX_set_ecdh_auto(ctx, 1); // this method becomes a no-op in OpenSSL 1.1
> #endif
>       }
> These calls can be found in openvpn/openssl/ssl/sslctx.hpp <https://github.com/OpenVPN/openvpn3/blob/b62654274fd938ebb82dbe3a2e78d9b8fd4...
> The first SSL_CTX_set_cipher_list() is being slated for removal, as the "force_aes_cbc_ciphersuites" feature is not considered needed any more;
As this would be a non-default setting, it would be fine anyway.
> negotiation works much better nowadays than when this was added about 5 years ago. But the cipher-list here shouldn't be of that much concern.
> The second block should really be fine too, it just strictly enforces a fairly strict default set of ciphers.
No, the second call is not correct. Basically there should be no call to SSL_CTX_set_cipher_list() unless the user explicitly wants to override the defaults. The default in Fedora is already sane and safe and ensures the crypto policy is properly applied.
> So my question is if this will be a show-stopper for getting the openvpn3 package into the standard Fedora + EPEL repositories?
Please just patch out the second call.
security@lists.fedoraproject.org
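The following is an added example, not code from openvpn3, from David's packaging work, or from the Fedora security team. It illustrates both halves of the exchange: what the cipher string in the posted sslctx.hpp snippet actually removes from the suites a context offers, and what is lost when an application calls SSL_CTX_set_cipher_list() at all, which is the reply's objection. Python's ssl.SSLContext.set_ciphers() is a thin wrapper around SSL_CTX_set_cipher_list(), so the standard library is enough to see the effect. The helper names (parse_description, offered_ciphers, violations, forward_secret, system_policy_ciphers) are this example's own. "PROFILE=SYSTEM" is the cipher string that Fedora's and RHEL's patched OpenSSL resolves to /etc/crypto-policies; the example assumes it may or may not be running on such a build and returns None where the string is not understood.

```python
"""Added example (not openvpn3 or Fedora code): what SSL_CTX_set_cipher_list()
does to the cipher suites a TLS context offers, seen through Python's ssl
module, whose SSLContext.set_ciphers() wraps that OpenSSL call."""
import ssl

# The cipher string from the second SSL_CTX_set_cipher_list() call in the
# posted sslctx.hpp snippet, joined exactly as the C++ string literals are.
OPENVPN3_CIPHER_STRING = (
    "DEFAULT"
    ":!EXP:!LOW:!MEDIUM"
    ":!kDH:!kECDH"   # static (EC)DH suites; no longer exist in OpenSSL >= 1.1.0,
                     # and OpenSSL skips cipher-string names it does not know
    ":!DSS"
    ":!RC4"
    ":!MD5"
    ":!PSK:!SRP:!kRSA"
    ":!SSLv2"
)


def parse_description(description):
    """Split an OpenSSL cipher description such as
    'ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD'
    into its key=value fields."""
    fields = {}
    for token in description.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def offered_ciphers(cipher_string=None):
    """Return the TLS 1.2-and-earlier suites a client context would offer.

    cipher_string=None leaves the list alone, which is what the reply asks
    for: the context then carries whatever the library default is (on a
    Fedora build of Python and OpenSSL that is the system crypto policy; a
    Python built without --with-ssl-default-suites=openssl substitutes its
    own string instead). TLS 1.3 suites are configured through a separate
    OpenSSL API and are not affected by SSL_CTX_set_cipher_list(), so they
    are filtered out to keep the comparison honest.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cipher_string is not None:
        ctx.set_ciphers(cipher_string)  # this is SSL_CTX_set_cipher_list()
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def violations(ciphers):
    """Return (name, reason) for every suite the openvpn3 string is meant to
    exclude: RSA key transport, PSK/SRP, DSA signatures, RC4 and MD5."""
    found = []
    for c in ciphers:
        f = parse_description(c["description"])
        kx, au = f.get("Kx", ""), f.get("Au", "")
        enc, mac = f.get("Enc", ""), f.get("Mac", "")
        if kx == "RSA":
            found.append((c["name"], "RSA key exchange, no forward secrecy"))
        elif "PSK" in kx or kx == "SRP":
            found.append((c["name"], "PSK/SRP key exchange"))
        elif au == "DSS":
            found.append((c["name"], "DSA signature"))
        elif enc.startswith("RC4"):
            found.append((c["name"], "RC4"))
        elif mac == "MD5":
            found.append((c["name"], "MD5 MAC"))
    return found


def forward_secret(ciphers):
    """Names of the suites using ephemeral (EC)DH key exchange."""
    return [c["name"] for c in ciphers
            if parse_description(c["description"]).get("Kx") in ("ECDH", "DH")]


def system_policy_ciphers():
    """Fedora/RHEL patch OpenSSL so that the cipher string 'PROFILE=SYSTEM'
    resolves to /etc/crypto-policies; it is also their compiled-in default,
    i.e. what an application gets by never calling SSL_CTX_set_cipher_list().
    Returns None on an OpenSSL without that patch (other distributions)."""
    try:
        return offered_ciphers("PROFILE=SYSTEM")
    except ssl.SSLError:
        return None


if __name__ == "__main__":
    untouched = offered_ciphers()
    forced = offered_ciphers(OPENVPN3_CIPHER_STRING)
    print(f"library default: {len(untouched)} suites, openvpn3 string: {len(forced)} suites")
    for name in sorted({c["name"] for c in untouched} - {c["name"] for c in forced}):
        print("dropped by openvpn3 string:", name)
    for name in sorted({c["name"] for c in forced} - {c["name"] for c in untouched}):
        print("added back by openvpn3 string:", name)
    policy = system_policy_ciphers()
    print("PROFILE=SYSTEM:", "not understood by this OpenSSL" if policy is None
          else f"{len(policy)} suites from the crypto policy")
```

Run as a script it prints the two lists side by side. The "added back" lines are the practical point behind the reply: an application-supplied string starts from OpenSSL's built-in DEFAULT, not from the distribution policy, so anything the policy had removed (for example a suite an administrator dropped system-wide via update-crypto-policies) reappears, and nothing the policy tightens later is picked up. Leaving the call out, or passing exactly "PROFILE=SYSTEM" on a Fedora/RHEL OpenSSL, keeps the policy in charge.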