There is currently a PR open https://github.com/theforeman/smart-proxy/pull/947 that has the following security flaw:
A user can set :ciphers in proxy settings.yml, specifying an allowlist of ciphers that the proxy can use.
Setting ciphers can be done using SSL_CTX_set_cipher_list() method. This limits ciphers to only those specified.
However, that method only limits ciphers for TLS 1.2. For TLS 1.3, there is another method SSL_CTX_set_ciphersuites() that, in turn, only works for TLS 1.3.
Ruby’s openssl only knows this method in versions 3.2+, or on RHEL builds in RHEL 3.0+. The only version of Debian that we currently support, 12, has Ruby < 3.2.
That means any ciphers that user specifies can only be applied to TLS 1.2 and TLS 1.3 will use all available ciphers, even those not on the allowlist.
I think this is a serious security flaw. If a user lists a set of ciphers we are allowed to use, we can’t just take that list and append all existing TLS 1.3 ciphers to it and use that.
We may merge that PR but before release, we really should decide what to do with it. We’ve discussed three options:
-
fail proxy start with an explanation that we are not able to fulfill this - setting
ciphersin settings on a machine without the method available is just illegal -
disable TLS 1.3 entirely on machines without the method because we are not able to limit its ciphers in any way. Because when a user explicitly or implicitly (no setting tls_min present) allows TLS 1.3, and at the same time specifies ciphers, we need to only allow those ciphers; not those ciphers + any TLS 1.3 cipher (example: if a user doesn’t specify TLS version but only allows cipher_that_is_only_in_tls12, it means that we should only allow cipher_that_is_only_in_tls12 and not also cipher_that_is_only_in_tls13_a and cipher_that_is_only_in_tls13_b, thus we need to disable TLS 1.3 entirely) => note that this means Debian 12 can’t ever have TLS 1.3 if the user specified ciphers with any value
-
the way it is now which doesn’t set any ciphersuites for TLS 1.3, effectively allowing any TLS 1.3 cipher even though user specified just some or not any at all => I think this would be a very bad security choice worth filing a CVE the minute we release it