OpenBMC and https Vulnerable issue.

Bruce Mitchell Bruce_Mitchell at phoenix.com
Thu Nov 7 09:38:33 AEDT 2019 


> -----Original Message-----
> From: openbmc [mailto:openbmc-
> bounces+bruce_mitchell=phoenix.com at lists.ozlabs.org] On Behalf Of Bruce
> Mitchell
> Sent: Wednesday, November 6, 2019 14:19
> To: James Feist; OpenBMC Maillist
> Subject: RE: OpenBMC and https Vulnerable issue.
> 
> 
> 
> > -----Original Message-----
> > From: openbmc [mailto:openbmc-
> > bounces+bruce_mitchell=phoenix.com at lists.ozlabs.org] On Behalf Of
> > James Feist
> > Sent: Wednesday, November 6, 2019 13:52
> > To: Bruce Mitchell; OpenBMC Maillist
> > Subject: Re: OpenBMC and https Vulnerable issue.
> >
> > On 11/6/19 11:31 AM, Bruce Mitchell wrote:
> > >  From my investigations on TLS there seems to be 2 issues that could be
> > corrected with OpenBMC's https:
> > >    1  Secure Client-Initiated Renegotiation     VULNERABLE (NOT ok), DoS
> > threat
> >
> > This CVE is disputed https://www.cvedetails.com/cve/CVE-2011-1473/ due
> > to CPU consumption issues that might make it easier to cause a DOS
> > (which is arguably already not that difficult on a BMC). That being said
> > the fix is a 1 liner, so I implemented it and it seems to work, but I
> > need to see if there are any consequences.
> >
> > https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/26992
> >
> >
> >
> > >    2  LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE,
> > uses cipher block chaining (CBC) ciphers with TLS
> > >       and xc023   ECDHE-ECDSA-AES128-SHA256         ECDH 521   AES         128
> > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
> >
> > Based on this https://wiki.crashtest-security.com/prevent-ssl-lucky13,
> > we are using the recommended ciphers,
> >
> https://github.com/openbmc/bmcweb/blob/1f8c7b5d6a679a38b8226106031
> > 0b876079d0f8b/include/ssl_key_handler.hpp#L330.
> > And based on this comment from the maintainer of test ssl, no tool can
> > determine this externally, and it's just a warning:
> > https://github.com/drwetter/testssl.sh/issues/1011#issuecomment-
> > 372953654.
> > Do you have any suggestions on if there is anything to change for this one?
> >
> > Thanks
> >
> > -James
> >
> 
> Thanks James, I accept your assessment.
> 
> -Bruce
> 

There are Mozilla Recommended configurations as well.
https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations

- Bruce

> >
> > >
> > > Present standard of practice seems to be to not allow Secure Client-
> > Initiated Renegotiation and to not allow CBC ciphers.
> > >
> > > Is this your understanding as well?
> > >
> > > Thank you!
> > >

More information about the openbmc mailing list