tls Forward Secrecy

fr 2015-10-20: Forward secrecy (FS) protects past sessions against future compromise of long-term secret keys or passwords. In Transport Layer Security it depends on an ephemeral Diffie-Hellman (DHE) or elliptic curve Diffie-Hellman (ECDHE) key exchange.

Code snippet to filter the cipher list so that only FS suites remain (tested with tcl_patchLevel 8.6.4 and tls 1.6.7.1):

package require tls
# avoid the RC4 vulnerability: drop every RC4 suite
set psf [lsearch -all -inline -not [tls::ciphers tls1] *RC4*]
# only ephemeral key exchange; the glob *DHE* matches both DHE-* and ECDHE-* suites
set psf [lsearch -all -inline $psf *DHE*]
# -ciphers takes an OpenSSL cipher string; OpenSSL accepts spaces as well as colons as separators
tls::init -request 0 -require 0 -ssl2 0 -ssl3 0 \
    -tls1   0 \
    -tls1.1 1 \
    -tls1.2 1 \
    -ciphers $psf \
    -certfile certs/server.pem \
    -keyfile  certs/skey.pem

For evaluation, the code above replaces the tls::init call in httpd.tcl of tclhttpd (v3.5.3); httpd.tcl is located in the bin directory.

In tclhttpd.rc we have

 Config https_port 443

  • the lines starting with "Config SSL_" are ignored
  • tclhttpd.rc would be a better place to set the psf cipher list, but a package require tls inside it fails

The key files are located in bin/certs. Create a self-signed certificate:

# generate a 2048-bit RSA key, encrypted with a passphrase
openssl genrsa -des3 -out server.key 2048
# with passphrase ... used
# make an unencrypted copy of the key so the server can load it without a passphrase
openssl rsa -in server.key -out server.key.insec
mv server.key server.key.sec
mv server.key.insec server.key
# make the certificate signing request
openssl req -new -key server.key -out server.csr
# self sign
openssl x509 -req -days 1001 -in server.csr -signkey server.key -out server.crt
# set your destination path, e.g.
DEST=/tclhttpd/bin
mkdir "$DEST/certs"
cp server.crt "$DEST/certs/server.pem"
cp server.key "$DEST/certs/skey.pem"

Check if we have FS

OpenSSL s_client completes the handshake and keeps the connection open if the server accepts the requested FS cipher; otherwise the handshake fails. Use one of the filtered ciphers:

openssl s_client -connect 127.0.0.1:443 -cipher DHE-RSA-AES128-GCM-SHA256
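The two checks below are an added example, not code from the original page or from the tcltls project. They mirror the Tcl filter (drop RC4, keep only ephemeral key exchange) and the s_client test, but run offline against constructed sample lines so you can see exactly which suites the *DHE* glob admits and how a negotiated session reveals whether FS was used. They assume the line formats of `openssl ciphers -v` (third field is `Kx=...`) and of `openssl s_client` from OpenSSL 1.0.2 or later, where a `Server Temp Key` line is printed only when an ephemeral key exchange took place.

```shell
#!/bin/sh
# Constructed sample in the format of `openssl ciphers -v` (not captured from a real host).
SAMPLE_CIPHERS='ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1'

# Keep suites whose key exchange is ephemeral (EC)DH and drop RC4, the same two
# steps the Tcl snippet performs with lsearch. Prints one cipher name per line.
fs_ciphers() {
    printf '%s\n' "$1" | awk '($3 == "Kx=DH" || $3 == "Kx=ECDH") && $1 !~ /RC4/ { print $1 }'
}

# Join the filtered names into the colon-separated form OpenSSL documents for cipher strings.
fs_cipher_string() {
    fs_ciphers "$1" | tr '\n' ':' | sed 's/:$//'
}

# Constructed excerpt of `openssl s_client` output (OpenSSL 1.0.2 format, assumed).
SAMPLE_SCLIENT='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Server Temp Key: DH, 2048 bits'

# Return 0 when the negotiated cipher provides forward secrecy: the cipher name
# starts with DHE- or ECDHE- and the server presented an ephemeral key.
negotiated_fs() {
    printf '%s\n' "$1" | awk '
        /Cipher is/        { cipher = $NF }
        /Server Temp Key/  { temp = 1 }
        END { exit !(temp && cipher ~ /^(EC)?DHE-/) }'
}

# Usage with the constructed samples:
echo "FS cipher string: $(fs_cipher_string "$SAMPLE_CIPHERS")"
if negotiated_fs "$SAMPLE_SCLIENT"; then
    echo "negotiated session has forward secrecy"
else
    echo "negotiated session has NO forward secrecy"
fi
```

On a live server the same functions apply to `openssl ciphers -v` and to `openssl s_client -connect host:port </dev/null 2>/dev/null`; a session that negotiates a plain RSA suite such as AES128-GCM-SHA256 has no Server Temp Key line and is reported as lacking FS.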

Possible Vulnerabilities

A check with testssl.sh -U 127.0.0.1:443 gives

    testssl.sh       2.7dev from https://testssl.sh/dev/
    ...
 Testing vulnerabilities

 Heartbleed (CVE-2014-0160)                not vulnerable (OK) (timed out)
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
 Secure Client-Initiated Renegotiation     VULNERABLE (NOT ok), DoS threat
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    no HTTP compression (OK)  - only supplied "/" tested
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
 TLS_FALLBACK_SCSV (RFC 7507), experim.    Downgrade attack prevention supported (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK), common primes not checked. "testssl.sh -E/-e" spots candidates
 BEAST (CVE-2011-3389)                     no SSL3 or TLS1
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)