
Incorrect setting of ciphersuites for TLSv1.3 #4610

Closed
afshinpir opened this issue Jul 22, 2024 · 5 comments
@afshinpir

Hi all,

In the OpenSSL version of NetSSL, you are using the SSL_CTX_set_cipher_list method to set the cipher list:

SSL_CTX_set_cipher_list(_pSSLContext, params.cipherList.c_str());

But the point is that this method only affects TLSv1.2 and below; for TLSv1.3 you need to use the SSL_CTX_set_ciphersuites() method, based on the OpenSSL documentation here: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_cipher_list.html

@afshinpir afshinpir added the bug label Jul 22, 2024
@micheleselea
Contributor

You are right @afshinpir. The point is that we probably need a new cipherList_TLS1.3 param, because the two configurations are completely different. The default value for 1.3 is
"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"

@micheleselea
Contributor

I understand from the commit that you replaced SSL_CTX_set_cipher_list with SSL_CTX_set_ciphersuites:

#if OPENSSL_VERSION_NUMBER >= 0x30000000L
    SSL_CTX_set_ciphersuites(_pSSLContext, params.cipherList.c_str());
#else
    SSL_CTX_set_cipher_list(_pSSLContext, params.cipherList.c_str());
#endif // OPENSSL_VERSION_NUMBER >= 0x30000000L

But if I'm not wrong, from the OpenSSL documentation I think that
SSL_CTX_set_cipher_list is for TLS1.2
and
SSL_CTX_set_ciphersuites is for TLS1.3.

I think we need both functions, also because the ciphers for 1.2 and 1.3 are different. Am I wrong?

@matejk
Contributor

matejk commented Nov 28, 2024

@micheleselea, does it work properly?

@micheleselea
Contributor

I did not try it yet, but I was looking in the documentation, for example
debian
or
ibm
and also in the official OpenSSL docs, and I read that SSL_CTX_set_ciphersuites affects only TLS1.3; for TLS1.2 you still have to use SSL_CTX_set_cipher_list.
This is what I understand; do you think it is not correct?

@afshinpir
Author

I think this implementation is wrong.
You need 2 different methods, one for setting the cipher list and another one for setting the cipher suites.
The reason is that one TLS connection may use TLSv1.3 if the other end supports it, and if not, it falls back to an older version like TLSv1.2. So both lists are needed in practice.
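An added example, not code from the POCO project or from anyone in this thread, showing the behaviour discussed above through Python's ssl module, whose SSLContext.set_ciphers() wraps SSL_CTX_set_cipher_list(): after that call the TLS 1.3 ciphersuites on the context are untouched, and a string naming only TLS 1.3 suites is rejected by the TLS 1.2 API. The cipher strings are constructed values, not the project's defaults.

```python
import ssl

# Constructed example strings (assumed values, not taken from POCO or this issue).
TLS12_CIPHER_LIST = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
TLS13_DEFAULT_SUITES = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
}


def ciphers_by_protocol(ctx):
    """Group the ciphers enabled on a context by the protocol they belong to.

    SSLContext.get_ciphers() reports both the TLS 1.2-and-below cipher list and
    the TLS 1.3 ciphersuites, so the split shows which API affected which set.
    """
    groups = {}
    for cipher in ctx.get_ciphers():
        groups.setdefault(cipher["protocol"], set()).add(cipher["name"])
    return groups


def apply_tls12_list(cipher_list):
    """Apply a cipher list via set_ciphers() (SSL_CTX_set_cipher_list) and
    return (tls12_names, tls13_names) as seen on the context afterwards."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)
    groups = ciphers_by_protocol(ctx)
    return groups.get("TLSv1.2", set()), groups.get("TLSv1.3", set())


def tls12_api_accepts(cipher_string):
    """True if SSL_CTX_set_cipher_list accepts the string as a usable list.
    A string naming only TLS 1.3 suites selects no TLS 1.2 cipher, so OpenSSL
    reports 'no cipher match' and Python raises SSLError."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False
    return True


if __name__ == "__main__":
    tls12, tls13 = apply_tls12_list(TLS12_CIPHER_LIST)
    print("TLS 1.2 ciphers after set_ciphers():", sorted(tls12))
    print("TLS 1.3 suites, untouched by that call:", sorted(tls13))
    print("TLS 1.3 names accepted by the 1.2 API?",
          tls12_api_accepts(":".join(TLS13_DEFAULT_SUITES)))
```

The TLS 1.3 set printed is whatever the linked OpenSSL build enables by default, since nothing in this block configures it; that is exactly the half of the configuration SSL_CTX_set_ciphersuites() exists for.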
