[Pkg-openssl-devel] Bug#948800: openssl: "CipherString = DEFAULT at SECLEVEL=2" has no separator.
labunix
labunix at gmail.com
Mon Jan 13 15:14:35 GMT 2020
Package: openssl
Version: 1.1.1d-0+deb10u2
Severity: minor
Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate
***
* What led up to the situation?
$ find debian/ -type f -exec grep SECLEVEL {} +
debian/patches/Set-systemwide-default-settings-for-libssl-users.patch:+CipherString
= DEFAULT at SECLEVEL=2
By mistake? CipherString = DEFAULT at SECLEVEL=2
Correctly, CipherString = DEFAULT:@SECLEVEL=2
Or less common but, CipherString = DEFAULT @SECLEVEL=2
CipherString = DEFAULT;@SECLEVEL=2
CipherString = DEFAULT, at SECLEVEL=2
* What exactly did you do (or not do) that was effective (or
ineffective)?
@ Is not a separator.For example, there is a bug like this
$ openssl ciphers -V 'DEFAULT:@@SECLEVEL=3:!DH:!DHE:!SSLv3:!TLSv1' | wc -l
Error in cipher list
140484549702784:error:140E6118:SSL
routines:ssl_cipher_process_rulestr:invalid command:../ssl/ssl_ciph.c:1028:
140484549702784:error:140E6118:SSL
routines:ssl_cipher_process_rulestr:invalid command:../ssl/ssl_ciph.c:1193:
0
$ openssl ciphers -V 'DEFAULT::@SECLEVEL=3:!DH:!DHE:!SSLv3:!TLSv1' | wc -l
27
* What was the outcome of this action?
The format is the same as other documents by adding:.
$ find openssl openssl-1.1.1d/ -type f -exec grep DEFAULT.*SECLEVEL {} +
openssl/test/ssl-tests/28-seclevel.conf.in: server => {
"CipherString" => "DEFAULT:\@SECLEVEL=3" },
openssl/test/ssl-tests/28-seclevel.conf.in: server => {
"CipherString" => "DEFAULT:\@SECLEVEL=3",
openssl/test/ssl-tests/28-seclevel.conf.in: server => {
"CipherString" => "DEFAULT:\@SECLEVEL=3",
openssl/test/ssl-tests/28-seclevel.conf.in: server => {
"CipherString" => "DEFAULT:\@SECLEVEL=3",
openssl/test/ssl-tests/28-seclevel.conf:CipherString = DEFAULT:@SECLEVEL=3
openssl/test/ssl-tests/28-seclevel.conf:CipherString = DEFAULT:@SECLEVEL=3
openssl/test/ssl-tests/28-seclevel.conf:CipherString = DEFAULT:@SECLEVEL=3
openssl/test/ssl-tests/28-seclevel.conf:CipherString = DEFAULT:@SECLEVEL=3
openssl/debian/patches/Set-systemwide-default-settings-for-libssl-users.patch:+CipherString
= DEFAULT at SECLEVEL=2
openssl-1.1.1d/test/ssl-tests/28-seclevel.conf.in: server => {
"CipherString" => "DEFAULT:\@SECLEVEL=3" },
openssl-1.1.1d/test/ssl-tests/28-seclevel.conf.in: server => {
"CipherString" => "DEFAULT:\@SECLEVEL=3",
openssl-1.1.1d/test/ssl-tests/28-seclevel.conf.in: server => {
"CipherString" => "DEFAULT:\@SECLEVEL=3",
openssl-1.1.1d/test/ssl-tests/28-seclevel.conf.in: server => {
"CipherString" => "DEFAULT:\@SECLEVEL=3",
openssl-1.1.1d/test/ssl-tests/28-seclevel.conf:CipherString =
DEFAULT:@SECLEVEL=3
openssl-1.1.1d/test/ssl-tests/28-seclevel.conf:CipherString =
DEFAULT:@SECLEVEL=3
openssl-1.1.1d/test/ssl-tests/28-seclevel.conf:CipherString =
DEFAULT:@SECLEVEL=3
openssl-1.1.1d/test/ssl-tests/28-seclevel.conf:CipherString =
DEFAULT:@SECLEVEL=3
* What outcome did you expect instead?
ITEM_SEP = Separator is : or space or ; or ,
$ grep -A 2 "^#define ITEM_SEP" --color openssl-1.1.1d/ssl/ssl_ciph.c
#define ITEM_SEP(a) \
(((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
@ is one of the rules.
rule = \0 or - or + or ! or @
$ grep "^ ch = \*l;" -B 1 -A 23 openssl-1.1.1d/ssl/ssl_ciph.c
for ( ; ; ) {
ch = *l;
if (ch == '\0')
break; /* done */
if (ch == '-') {
rule = CIPHER_DEL;
l++;
} else if (ch == '+') {
rule = CIPHER_ORD;
l++;
} else if (ch == '!') {
rule = CIPHER_KILL;
l++;
} else if (ch == '@') {
rule = CIPHER_SPECIAL;
l++;
} else {
rule = CIPHER_ADD;
}
if (ITEM_SEP(ch)) {
l++;
continue;
}
$ grep -A 8 CHARSET_EBCDIC openssl-1.1.1d/ssl/ssl_ciph.c
#ifndef CHARSET_EBCDIC
while (((ch >= 'A') && (ch <= 'Z')) ||
((ch >= '0') && (ch <= '9')) ||
((ch >= 'a') && (ch <= 'z')) ||
(ch == '-') || (ch == '.') || (ch == '='))
#else
while (isalnum((unsigned char)ch) || (ch == '-') || (ch == '.')
|| (ch == '='))
#endif
*** End of the template - remove these template lines ***
-- System Information:
Debian Release: 10.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8),
LANGUAGE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages openssl depends on:
ii libc6 2.28-10
ii libssl1.1 1.1.1d-0+deb10u2
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20190110
-- Configuration Files:
/etc/ssl/openssl.cnf changed:
HOME = .
oid_section = new_oids
openssl_conf = default_conf
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
x509_extensions = usr_cert # The extensions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = sha1, sha256, sha384, sha512 # Acceptable message digests
(mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
ess_cert_id_alg = sha1 # algorithm to compute certificate
# identifier (optional, default: sha1)
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=2
-- no debconf information
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-openssl-devel/attachments/20200114/7bcde909/attachment.html>
More information about the Pkg-openssl-devel
mailing list