[Replicant] [PATCHES] SSL related issues

Moritz Bandemer replicant at posteo.mx
Fri Nov 13 00:33:09 UTC 2015


I'm on it.

I merged and compiled the patchset successfully and got the expected 
(good) results on the following SSL-testing sites:
https://www.poodletest.com
https://zmap.io/sslv3
https://www.ssllabs.com/ssltest/viewMyClient.html
https://www.howsmyssl.com/
http://m.heise.de/uxss-check

Very big THANKS to Wolfgang Wiedmeyer for looking into this!

Now I try to review the code as well as I can. I found some links which 
may help me to do that:
Use TLS 1.2 and AES as the default cipher.: 
http://review.cyanogenmod.org/#/c/51771/1
Revert the TLS 1.1/1.2 disable commits:
https://android.googlesource.com/platform/external/chromium/+/fb292835997c64a14669de65d74ba5357aa4d7d7
https://android.googlesource.com/platform/libcore/+/3d74b4bec8543e6e3f89eafe3afe0925f3a69f01
Some more links to TLS 1.2:
https://android.googlesource.com/platform/libcore/+/9de94e4
https://android.googlesource.com/platform/libcore/+/5336055
https://android.googlesource.com/platform/external/conscrypt/+/336e8eb


The most current/useful links I've found:
Addition of TLS v1.1 and v1.2: 
https://android.googlesource.com/platform/libcore/+/3e6dd45baa0d7f9b4fa06f4ade76e088b59cc7bf%5E!
And the removal again: 
https://android.googlesource.com/platform/libcore/+/0731920fdf845358cc13ce78292f9e80e143f915%5E!/

>> - weak RC4 ciphers are enabled

Additionally I wanted to modify the cipher (priority) list and drop weak 
ciphers. For that I've found some helpful links, too:
https://developer.android.com/reference/javax/net/ssl/SSLSocket.html
https://github.com/owncloud/android/issues/679
http://op-co.de/blog/posts/android_ssl_downgrade/

I already made an additional "0005-remove-more-weak-ciphers.patch" for 
the existing patchset, but after installing the freshly compiled image, 
I killed my mobile data and complete phone functionality irrecoverably 
(factory reset wasn't enough, I had to flash an alternative ROM and 
switch back to Replicant again to get this functionality back, so I 
don't want to share this first try). The problem was, for sure, that I 
dropped too many old ciphers, some of which are fundamentally 
necessary for some phone protocols...

>> - no OCSP stapling

Probably this could help a bit?
https://github.com/CyanogenMod/android_external_chromium_org_third_party_boringssl_src/commit/6c7aed048ca0a335e02dfee10976c5dc8620783e
But I fear this could be a lot of porting work, because the link is for 
boringssl and chromium...

IMHO, finally the insecure 'mixed content' stuff should also be a point 
on the reported problem list, exactly:
- CSS
- Scripts
- XMLHttpRequest
- WebSockets
- Frames

The most current/useful links I've found for this:
https://w3c.github.io/webappsec/specs/mixedcontent/
If offline, alternative link: 
https://web.archive.org/web/20151006004652/https://w3c.github.io/webappsec-mixed-content/
https://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/browser.cc?r1=85954&r2=85953&pathrev=85954

And last but not least, I've collected some links from the Android 5.0 
changelog for the points above:
https://developer.android.com/about/versions/android-5.0-changes.html

# Harden (EC)DSA signatures against weak nonces
https://android.googlesource.com/platform/external/conscrypt/+/60f8380

# Disable 3DES cipher suites in SSLSocket
https://android.googlesource.com/platform/libcore/+/9a61ef3

# Disable MD5 cipher suites in SSLSocket and SSLEngine
https://android.googlesource.com/platform/external/conscrypt/+/42bd279

# Assert static key ECDH disallowed in default cipher suites
https://android.googlesource.com/platform/libcore/+/69f9b8d

# Enable support for TLSv1.2 cipher suites in SSLSocket
# This adds support for AES-GCM and AES-CBC with MACs based on SHA256 and SHA384
https://android.googlesource.com/platform/libcore/+/9e73d3f
# Enable TLSv1.1 and TLSv1.2 by default for SSLSocket
https://android.googlesource.com/platform/external/conscrypt/+/1f63d2c

# Enable AES-GCM cipher suites by default in SSLSocket
https://android.googlesource.com/platform/libcore/+/0f0e96a

# Actually prefer Forward Secrecy cipher suites
https://android.googlesource.com/platform/external/conscrypt/+/5aa3d43
https://android.googlesource.com/platform/libcore/+/1169c54
# Prefer Forward Secrecy TLS/SSL cipher suites by default
https://android.googlesource.com/platform/external/conscrypt/+/df17f02
https://android.googlesource.com/platform/libcore/+/4892adf

# Remove unsupported Cipher modes
https://android.googlesource.com/platform/external/conscrypt/+/0a47f2b

# Remove HarmonyJSSE SSLContext, SSLSocket and SSLServerSocket
https://android.googlesource.com/platform/external/conscrypt/+/e1da091

Thanks for reading until here :)


On 10.11.2015 00:57, Kurtis Hanna wrote:
> Did anyone have time to review these patches?
> 
> On Sun, 27 Sep 2015 23:17:18 +0200
> Wolfgang Wiedmeyer <wreg at wiedmeyer.de> wrote:
> 
>> My Self provided in the following post an overview of the different
>> ssl/tls issues with different android browsers:
>> https://redmine.replicant.us/boards/39/topics/8007?r=9081#message-9081
>> You can do the test from ssllabs yourself here:
>> https://www.ssllabs.com/ssltest/viewMyClient.html
>> For the stock android browser the following problems get reported:
>> - no support for TLS version > 1.0
>> - affected by logjam and freak vulnerability
>> - vulnerable to poodle attack or more general: SSL version 3 is not
>> disabled
>> - weak RC4 ciphers are enabled
>> - no OCSP stapling
>> 
>> Except for OCSP stapling I was able to fix all issues so that the test
>> for them passes. The patches for disabling SSLv3, enabling TLSv1.1 and
>> TLSv1.2 and removal of weak RC4 ciphers were completely written by
>> myself, so please review these patches carefully! I cannot guarantee
>> that the implementation is complete or without bugs, nor am I a
>> security expert or familiar with the code base. I just sat down and
>> tried to fix these issues.
>> Replicant has openssl version 1.0.1c and it is not easy to find working
>> patches for recent vulnerabilities for such an old version. I was able
>> to use patches for Ubuntu 12.04 LTS, as it has openssl 1.0.1 (slightly
>> older). These patches only needed very little modifications and solved
>> the logjam and freak vulns. There are a lot more security related
>> patches in the Ubuntu package, so these could also be included in
>> replicant.
>> If there are any trustworthy testing tools for webview vulnerabilities,
>> I could also try to make fixes for these. I couldn't find any so far.
> 
> _______________________________________________
> Replicant mailing list
> Replicant at lists.osuosl.org
> http://lists.osuosl.org/mailman/listinfo/replicant
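
Added example, not part of the original message or of the Replicant patchset: a client-side filter, in Java, that narrows whatever protocols and cipher suites the TLS provider supports to a set without the weaknesses listed in this thread (SSLv3, RC4, 3DES, MD5, export and static-key (EC)DH suites) and puts forward-secret suites first. The class name `TlsClientHardening` and the marker list are assumptions chosen here; the code relies on the standard JSSE suite naming (`TLS_..._WITH_...`) and refuses to return an empty list instead of leaving a socket with nothing to negotiate.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class TlsClientHardening {
    // Name fragments for the weaknesses named in the thread (list constructed for this example).
    private static final String[] WEAK = {
        "_RC4_", "_3DES_", "_DES_", "_EXPORT", "_NULL_", "_anon_", "_MD5",
        "_ECDH_", "_DH_"   // static-key (EC)DH; ephemeral suites are named ECDHE/DHE
    };

    static boolean isWeak(String suite) {
        for (String marker : WEAK) {
            if (suite.contains(marker)) return true;
        }
        return false;
    }

    // Keep suites without a weak marker, ECDHE/DHE (forward-secret) ones first.
    static String[] hardenSuites(String[] supported) {
        List<String> fs = new ArrayList<String>();
        List<String> rest = new ArrayList<String>();
        for (String s : supported) {
            if (isWeak(s)) continue;
            if (s.contains("_ECDHE_") || s.contains("_DHE_")) fs.add(s);
            else rest.add(s);
        }
        fs.addAll(rest);
        if (fs.isEmpty()) throw new IllegalStateException("filter removed every cipher suite");
        return fs.toArray(new String[0]);
    }

    // Drop SSLv3 and SSLv2Hello; keep every TLS version the provider offers.
    static String[] hardenProtocols(String[] supported) {
        List<String> keep = new ArrayList<String>();
        for (String p : supported) {
            if (p.startsWith("TLSv")) keep.add(p);
        }
        if (keep.isEmpty()) throw new IllegalStateException("no TLS protocol version available");
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLParameters p = SSLContext.getDefault().getSupportedSSLParameters();
        p.setCipherSuites(hardenSuites(p.getCipherSuites()));
        p.setProtocols(hardenProtocols(p.getProtocols()));
        // Apply with SSLSocket.setSSLParameters(p) before the handshake starts.
        for (String s : p.getProtocols()) System.out.println("protocol " + s);
        for (String s : p.getCipherSuites()) System.out.println("suite    " + s);
    }
}
```

Running `main` prints the surviving protocols and suites for the local provider, which is a quick way to see what a filter of this kind would leave before applying it to real connections.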

