Opened 3 years ago

Closed 2 years ago

Last modified 16 months ago

#16262 closed defect (fixed)

Enabled ciphers in NSS unnecessarily limited

Reported by: asjoegren Owned by: EionRobb
Milestone: 2.10.11 Component: libpurple
Version: 2.10.10 Keywords: ssl nss
Cc:

Description (last modified by datallah)

After configuring my ejabberd server following the description here:

And furthermore disabling RC4 - yielding an all green list of ciphers here:

(compared to e.g. https://xmpp.net/result.php?id=39820#ciphers which has RC4 enabled.)

Pidgin 2.10.9 fails to connect, with the message "SSL Handshake Failed":

(16:47:46) nss: Handshake failed  (-5938)
(16:46:52) connection: Connection error on 0x7fb86f871d70 (reason: 5 description: SSL Handshake Failed)

Other clients can connect, using the stronger ciphers (i.e. emacs-jabber, gajim).

Should Pidgin be able to use one of the non-RC4 ciphers supported by my ejabberd-configuration?

In NSS 3.17.1 the following ciphers are enabled:

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
SSL_CK_RC4_128_WITH_MD5
SSL_CK_RC2_128_CBC_WITH_MD5
SSL_CK_DES_192_EDE3_CBC_WITH_MD5
SSL_CK_DES_64_CBC_WITH_MD5
SSL_CK_RC4_128_EXPORT40_WITH_MD5
SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5

(note that not all of these will be used for TLS)

The following are supported, but not enabled:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_RC4_128_SHA
TLS_ECDH_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_SEED_CBC_SHA
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_FIPS_WITH_DES_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_ECDHE_ECDSA_WITH_NULL_SHA
TLS_ECDHE_RSA_WITH_NULL_SHA
TLS_ECDH_RSA_WITH_NULL_SHA
TLS_ECDH_ECDSA_WITH_NULL_SHA
TLS_RSA_WITH_NULL_SHA
TLS_RSA_WITH_NULL_SHA256
TLS_RSA_WITH_NULL_MD5

In particular, we don't have ciphers that support forward security enabled.
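
A way to check the lists above mechanically, and to reproduce the no-overlap failure discussed in comments 6, 8, 9 and 16, as an added example (this is not Pidgin/libpurple code). The client-side lists are copied from the description; the server-side lists are constructed assumptions standing in for the ECDHE-RSA-only ejabberd configuration, the same configuration with RC4 re-allowed, and the two-suite configuration quoted in comment 16. Suites are classified by their IANA-style names: only ephemeral (EC)DH key exchange counts as forward-secret (so the DHE suites in the enabled list qualify), and RC4, RC2, single DES, export grade, NULL, an MD5 MAC, SSLv2 and (as the eventual fix also dropped it) 3DES are flagged as weak.

```python
"""Cipher-suite overlap and policy check for the NSS lists in this ticket.

Added example (not Pidgin/libpurple code). The client-side lists are copied
from the ticket description; the server-side lists are constructed
assumptions modelling the ejabberd configurations described in comments
8, 9 and 16.
"""

NSS_ENABLED = """
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5
TLS_DHE_RSA_WITH_DES_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA
SSL_CK_RC4_128_WITH_MD5 SSL_CK_RC2_128_CBC_WITH_MD5
SSL_CK_DES_192_EDE3_CBC_WITH_MD5 SSL_CK_DES_64_CBC_WITH_MD5
SSL_CK_RC4_128_EXPORT40_WITH_MD5 SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
""".split()

# ECDHE suites NSS 3.17.1 implements but leaves disabled (from the description).
NSS_ECDHE_DISABLED = """
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
""".split()

# Assumed server lists (constructed, not taken from the server itself):
# an ECDHE-RSA-only ejabberd (comment 9), the same plus RC4 (comment 8),
# and the two-suite configuration quoted in comment 16.
SERVER_ECDHE_ONLY = """
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
""".split()
SERVER_ECDHE_PLUS_RC4 = SERVER_ECDHE_ONLY + ["TLS_RSA_WITH_RC4_128_SHA"]
SERVER_COMMENT_16 = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                     "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"]


def parse_suite(name):
    """Split an IANA-style suite name into key exchange, cipher and MAC and
    flag what is weak; SSLv2 SSL_CK_* names are rejected wholesale."""
    if name.startswith("SSL_CK_"):
        return {"name": name, "kx": "SSLv2", "cipher": name[7:], "mac": "MD5",
                "pfs": False, "weak": ["SSLv2"]}
    kx, cipher_mac = name.split("_", 1)[1].split("_WITH_", 1)
    cipher, _, mac = cipher_mac.rpartition("_")
    weak = []
    if "EXPORT" in kx or "EXPORT" in cipher:
        weak.append("export grade")
    for prefix, reason in (("RC4", "RC4"), ("RC2", "RC2"), ("DES_", "single DES"),
                           ("3DES", "3DES (legacy)"), ("NULL", "no encryption")):
        if cipher.startswith(prefix):
            weak.append(reason)
    if mac == "MD5":
        weak.append("MD5 MAC")
    # Only ephemeral (EC)DH key exchange gives forward secrecy; static
    # ECDH_* and plain RSA key transport do not.
    return {"name": name, "kx": kx, "cipher": cipher, "mac": mac,
            "pfs": kx.startswith(("ECDHE_", "DHE_")), "weak": weak}


def audit(suites):
    """Partition a list into clean forward-secret suites and weak ones."""
    parsed = [parse_suite(s) for s in suites]
    return {"pfs": [p["name"] for p in parsed if p["pfs"] and not p["weak"]],
            "weak": {p["name"]: p["weak"] for p in parsed if p["weak"]}}


def negotiable(client, server):
    """Suites both peers enable, in client preference order. An empty result
    is the no-overlap handshake failure from comment 6 (the server may apply
    its own ordering, but it cannot pick a suite outside this set)."""
    offered = set(server)
    return [s for s in client if s in offered]


if __name__ == "__main__":
    report = audit(NSS_ENABLED)
    print("forward-secret, clean:", len(report["pfs"]), "of", len(NSS_ENABLED))
    for name, reasons in report["weak"].items():
        print("weak:", name, "->", ", ".join(reasons))
    print("ECDHE-only server, default NSS:", negotiable(NSS_ENABLED, SERVER_ECDHE_ONLY))
    print("same server + RC4:", negotiable(NSS_ENABLED, SERVER_ECDHE_PLUS_RC4))
    print("ECDHE-only server, ECDHE enabled:",
          negotiable(NSS_ENABLED + NSS_ECDHE_DISABLED, SERVER_ECDHE_ONLY))
    print("comment 16 server, ECDHE enabled:",
          negotiable(NSS_ENABLED + NSS_ECDHE_DISABLED, SERVER_COMMENT_16))
```

With the default NSS list the ECDHE-only server yields no common suite; re-allowing RC4 on the server yields exactly TLS_RSA_WITH_RC4_128_SHA, the suite seen in the comment 8 log; enabling the ECDHE suites on the client yields four forward-secret candidates against that server, but still nothing against the comment 16 configuration, whose two SHA-384 suites are absent from the NSS 3.17.1 list entirely.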

Attachments (2)

debug.log (16.4 KB) - added by asjoegren 3 years ago.
debug2.log (34.4 KB) - added by asjoegren 3 years ago.
RC4 allowed → connection works


Change History (21)

comment:1 Changed 3 years ago by asjoegren

  • Summary changed from Connecting to ejabberd that has RC4 disabled: SSH Handshake Failed to Connecting to ejabberd that has RC4 disabled: SSL Handshake Failed

comment:2 Changed 3 years ago by datallah

  • Status changed from new to pending

Does this still happen with Pidgin 2.10.10?

comment:3 Changed 3 years ago by asjoegren

  • Status changed from pending to new

Yes, it still happens with Pidgin 2.10.10:

$ pidgin --version
Pidgin 2.10.10 (libpurple 2.10.10)

comment:4 Changed 3 years ago by datallah

  • Status changed from new to pending

Please follow the instructions to get a debug log and attach it to this ticket.

Changed 3 years ago by asjoegren

comment:5 Changed 3 years ago by asjoegren

  • Status changed from pending to new

Attachment (debug.log) added by ticket reporter.

comment:6 Changed 3 years ago by datallah

I tried connecting to your server and what's happening is the server is hanging up as soon as we try to negotiate TLS - there's no more visibility on the client side to what is happening.

I'm pretty sure that the issue is that there's no overlap in cipher suites. According to https://xmpp.net/result.php?id=39807#ciphers you only support a few ECC ciphers.

Until NSS 3.16, ECC Ciphers were not enabled by default.

The NSS 3.17.1 build that Pidgin 2.10.10 for Windows ships with (and I guess the build on your OS too) is built with ECC ciphers disabled.

I'm going to revisit that for the windows build, but that won't help you much since you're not using Windows.

comment:7 Changed 3 years ago by asjoegren

I'm pretty sure that is the issue as well, as I outlined in the ticket, the problem started when I disabled RC4 in ejabberd.

Since then (5 months ago) I have further limited the ciphers that my server supports (only those that provide forward secrecy), as you have noticed.

Thank you for the information on NSS, although it does confuse me a little: The version of NSS installed on my machine is 3.17.2:

$ dpkg -l libnss3 | grep ^ii
ii  libnss3:amd64  2:3.17.2-1   amd64        Network Security Service libraries

comment:8 Changed 3 years ago by asjoegren

Ok, I did another test - if I use the setup shown here: https://netfuture.ch/tools/tls-interposer/#default-cipher i.e.:

EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4

then Pidgin can't connect:

(17:27:17) nss: Handshake failed  (-5938)
(17:27:17) connection: Connection error on 0x7f82367ceec0 (reason: 5 description: SSL Handshake Failed)

but if I remove the ":!RC4", i.e. I use:

EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

then I _can_ connect (full log attached as debug2.txt) - albeit with RC4 and SHA1:

(17:23:14) nss: SSL version 3.3 using 128-bit RC4 with 160-bit SHA1 MAC
Server Auth: 4096-bit RSA, Key Exchange: 4096-bit RSA, Compression: NULL
Cipher Suite Name: TLS_RSA_WITH_RC4_128_SHA

So it seems to me that Pidgin 2.10.10 with libnss3 3.17.2 on Debian unstable still needs RC4 to connect.

Changed 3 years ago by asjoegren

RC4 allowed → connection works

comment:9 Changed 3 years ago by datallah

Actually, I misspoke, the NSS 3.17.1 build that Pidgin 2.10.10 for Windows ships with was built with support for ECC ciphers.

I'm actually not sure what the deal is - in theory NSS supports those ciphers by default, but they appear to be disabled.

One note - it's really not just that you're disabling RC4 - you're actually only enabling ECDHE-RSA-*, which is not going to be very widely supported (but in theory should work with NSS 3.17.2 assuming they haven't disabled the ECC suites in the debian package).

comment:10 follow-up: Changed 3 years ago by asjoegren

The only difference between the two TLS_INTERPOSER_CIPHER values shown is the "!RC4" part.

comment:11 in reply to: ↑ 10 ; follow-up: Changed 3 years ago by datallah

Replying to asjoegren:

The only difference between the two TLS_INTERPOSER_CIPHER values shown is the "!RC4" part.

Yes, enabling the RC4 ciphers makes it work, but what I'm trying to say is that you've limited down the set such that without the RC4 ciphers you only have ECDHE-RSA-* ciphers.

comment:12 in reply to: ↑ 11 Changed 3 years ago by asjoegren

That is correct - I still think Pidgin ought to be able to connect, when other clients are :-)

comment:13 Changed 3 years ago by datallah

I guess it's a matter that the ciphers need to be enabled within the client.

If I add the following to libpurple/plugins/ssl/ssl-nss.c:ssl_nss_init_nss, then that cipher appears to be enabled.

SSL_CipherPrefSetDefault(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1);

I misunderstood this comment about NSS_SetDomesticPolicy - that's more about restricting what can be used from what's enabled than enabling by default.

It looks like it's going to be up to us to enable appropriate ciphers in the client (ugh!).

comment:14 Changed 3 years ago by datallah

  • Component changed from unclassified to libpurple
  • Description modified (diff)
  • Keywords nss added
  • Summary changed from Connecting to ejabberd that has RC4 disabled: SSL Handshake Failed to Enabled ciphers in NSS unnecessarily limited
  • Version changed from 2.10.9 to 2.10.10

comment:15 Changed 3 years ago by datallah

This is kind of a duplicate of #8061.

comment:16 follow-up: Changed 2 years ago by datallah

I wrote a plugin (https://pidgin.im/~datallah/nss-prefs.c) that allows customization of the NSS cipher suites.

It still won't work with your server because now you have it configured to only use the following cipher suites, which NSS doesn't support:

ECDHE-RSA-AES256-GCM-SHA384 (0xc030)
ECDHE-RSA-AES256-SHA384 (0xc028)

comment:17 in reply to: ↑ 16 Changed 2 years ago by asjoegren

Replying to datallah:

I wrote a plugin (https://pidgin.im/~datallah/nss-prefs.c) that allows customization of the NSS cipher suites.

Cool!

Shouldn't Pidgin by default enable the ciphers with forward secrecy, and disable RC4, though? It seems to be the case for GnuTLS in the ticket you mention, #8061.

It still won't work with your server because now you have it configured to only use the following cipher suites, which NSS doesn't support:

ECDHE-RSA-AES256-GCM-SHA384 (0xc030)
ECDHE-RSA-AES256-SHA384 (0xc028)

That is odd, GnuTLS and OpenSSL support them fine. I did not mean to cut it down to quite so few ciphers, though, so I'll adjust my configuration and your plugin will come in handy.

Thanks for looking into this!

comment:18 Changed 2 years ago by Daniel Atallah <datallah@…>

  • Milestone set to 2.10.11
  • Resolution set to fixed
  • Status changed from new to closed

(In [f26d96f03176]):
Update NSS Default Cipher suites

  • Use Firefox as a base reference, include some previously used stuff and enable various PFS certificates
  • The following certificates were previously enabled (when using NSS 3.17.1) and are no longer enabled:
    • Various using RC2 and MD5
    • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    • TLS_DHE_DSS_WITH_RC4_128_SHA
    • TLS_RSA_WITH_3DES_EDE_CBC_SHA
    • TLS_RSA_WITH_RC4_128_SHA (this is probably the most controversial removal)
    • TLS_RSA_WITH_RC4_128_MD5
    • TLS_DHE_RSA_WITH_DES_CBC_SHA
    • TLS_DHE_DSS_WITH_DES_CBC_SHA

Refs #8062, Fixes #16262

comment:19 Changed 16 months ago by dx

Ticket #15862 has been marked as a duplicate of this ticket.
