App Transport Security about bluesslservice HOT 12 CLOSED

Fixed in 0.12.22. There was bug that was overriding the default cipher suite. This is fix. Actual setting of the cipher suites on macOS is currently not supported pending a rework of the way macOS cipher suites are handled.

from bluesslservice.

One other thing to be aware of, the cipher suites on macOS and Linux are named differently making them somewhat difficult to map. It's possible that you did not enable the proper cipher suites when configuring on Linux. Try setting the SSLService.Configuration.cipherSuite variable to ALL to enable all ciphers when configuring the SSLService. On Linux, the current default is DEFAULT.

from bluesslservice.

Within Kitura, this same thing as above can be accomplished by passing ALL as the value for the cipherSuite: parameter on the SSLConfig initializer you're using.

from bluesslservice.

I had tried a number of different cipher names. None of them seemed to work.

Since i was running Kitura on Ubuntu, i am assuming any string that works with the openssl cipher command should work as input to ciperSuite
eg:
openssl ciphers -v 'TLSv1.2'
I am going to test again with your latest patch.

from bluesslservice.

Your patch only changes the macOS side of things. The problem i am seeing is on the Linux path of the code base.

I ran a fresh set of tests and i have the same problem. Only the following ciphers are supported by BlueSSL for TLSv1.2

|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048) - A

from bluesslservice.

I tried multiple cipher strings like "ALL", "TLSv1.2" and "DEFAULT" all failed with the same results

from bluesslservice.

The actual ciphers that are supported by BlueSSLService is limited to the ones that are supplied by your installation of OpenSSL. BlueSSLService does nothing more than call the relevant OpenSSL API to set the cipher suite depending on the setting past. What you are seeing is probably what the version of OpenSSL on your Linux box supports.

Yes, the patch covered only macOS. It was made as a result of your initial issue. It turned out that on macOS, BlueSSLService was not setting the proper default cipher suite.

from bluesslservice.

After a little more reading. It looks like BlueSSLService needs to implement the Diffie Hellman parameters for those ciphers to become available to the server.

Take a look at the following:
Link 1
Link 2 - Look at the section on Eliptical curve Diffie Hellman

The OpenSSL library on the Ubuntu system supports Perfect Forward Secrecy and the related ciphers. I have tested this using
Server
openssl s_server -accept <port> -cert <certfile> -key <private key>
Client
nscurl --ats-diagnostics https://server:port

from bluesslservice.

I'll take a look. No sure when I'll have time to get to it... In the meantime, I'll re-open this issue so I don't forget.

from bluesslservice.

After some testing, adding the following line to SSLService.main: prepareContext() function does enable the necessary ciphers to work with App Transport Security

SSL_CTX_ctrl(context, SSL_CTRL_SET_ECDH_AUTO, 1, nil)

One caveat is that this function is only available in OpenSSL v1.0.2+ , so this does not work with ubuntu-14.04

You can add this to prevent the function from executing on earlier version of OpenSSL

let ver: String = OPENSSL_VERSION_TEXT
if ver.contains("1.0.2") {
    SSL_CTX_ctrl(context, SSL_CTRL_SET_ECDH_AUTO, 1, nil)
}

from bluesslservice.

Thanks for the research and the code snippet. I added the change to the latest version (0.12.23).

from bluesslservice.

The functionality has been added to version 0.12.26 however it must be enabled using a switch when building. See the README.md for more details.

from bluesslservice.