Known Issues and Attacks Against SSL/TLS in OpenSSL/NSS/gnutls on Red Hat Enterprise Linux 5

Updated -

The versions of OpenSSL, NSS and gnutls shipped with Red Hat Enterprise Linux 5 supports TLS 1.0 but not TLS 1.1 or TLS 1.2. This page summarizes known SSL/TLS issues and how they affect SSL/TLS shipped with Red Hat Enterprise Linux 5.

Issues

  • Red Hat Enterprise Linux 5.X only supports up to TLS 1.0

  • Below is the current status of this problem:

    Red Hat does not plan to take any action towards adding support for TLS 1.1 and above in RHEL5. Supporting TLS versions greater than 1.0 is not technically feasible without breaking application APIs. RHEL5 is now in Extended Life Phase as production 3 phase ended March 31, 2017.

For specific details of individual cryptographic libraries under each version of RHEL please refer to the relevant article on Securing Application 'X' with SSL/TLS in RHEL 'Y' ?

TLS Protocol Status as of early 2018

  • Everything below TLSv1.2 is considered insecure.
  • Only TLSv1.2 is acceptable for PCI DSS 3.1
  • TLS 1.3: This is in development at the time of writing this article. It is not supported by any products yet as the standard is not finalized.

Attacks

Vulnerability Description Affected Version Solution

Renegotiation attack (CVE-2009-3555)

Protocol issue that can lead to plain text injection attacks against SSL and TLS.

SSL 3.0, and TLS 1.0 and and above (without the renegotiation indication extension)

To fix this vulnerability, a renegotiation indication extension was created for TLS and is defined in RFC 5746. The support for this RFC was added to the openssl and openssl097a packages in Red Hat Enterprise Linux 5 via RHSA-2010:0162 and RHSA-2010:0164.

Version rollback attacks against False Start and Snap Start

Protocol issue that is only applicable when using the False Start and Snap Start protocol extensions. This could allow TLS protocol version rollback attacks and modifications to the cipher suite list.

SSL 3.0, TLS 1.0, and TLS 1.1 (with the False Start or Snap Start extention)

This attack did not affect the OpenSSL packages shipped with Red Hat Enterprise Linux 5, as they do not support either of the aforementioned extensions.

BEAST (CVE-2011-3389)

Protocol issue leading to a chosen plain-text attack against block ciphers used in CBC-mode. This attack was only practically demonstrated against web browsers.

SSL 3.0 and TLS 1.0

The issue was fixed in the TLS 1.1 protocol specification. For TLS 1.0 and SSL 3.0, a different fix was created. A record splitting technique prevents attackers from being able to use this attack. This record splitting fix was originally implemented for OpenSSL in 2002. However, because of the interoperability issues, this protection is disabled by many applications using the library. This technique also only protects one direction of the SSL/TLS communication. In response to the publication of the BEAST attack, the record splitting fix was implemented in major web browsers protecting communication from a browser to a web server, which was targeted by the attack.

Note that use of the RC4 stream cipher was previously recommended as a mitigation for this issue. However, additional weaknesses were discovered in RC4 later (see below), so its use is no longer recommended. For an overview of all BEAST fixes and mitigations, see BZ#737506

CRIME (CVE-2012-4929):

Protocol issue leading to an attack that takes advantage of an information leak resulting from the use of compression in the SSL/TLS.

All SSL/TLS versions are affected.

Compression was disabled by default in OpenSSL in Red Hat Enterprise Linux 5 via RHSA-2013-0587.

BREACH (CVE-2013-3587):

This attack is similar to the CRIME attack described above. However, this is an attack against the HTTP protocol compression, not SSL/TLS directly.

All SSL/TLS versions are affected.

This issue can be mitigated by disabling HTTP compression, or using one of the approaches listed in BZ#995168

Lucky-13 (CVE-2013-0169)

Implementation issue that led to an attack against CBC cipher suites.

All SSL/TLS versions are affected.

Fixed in Red Hat Enterprise Linux 5 via RHSA-2013:0587

Attack against the RC4 stream cipher (CVE-2013-2566)

Protocol/cipher issue caused by statistical flaws in the keystream generated by the RC4 algorithm, which could result in the decryption of the ciphertext.

All SSL/TLS versions are affected.

This is a flaw in the RC4 algorithm itself. The solution is to disable RC4 where possible.

Heartbleed (CVE-2014-0160)

Implementation issue that led to information disclosure in the OpenSSL implementation of the Heartbeat TLS extension. This could potentially allow attackers to recover private keys and confidential data from a server using a vulnerable version of OpenSSL.

TLS 1.0 and above

This vulnerability did not affect Red Hat Enterprise Linux 5 since this version does not support the vulnerable Heartbeat extension.

POODLE (CVE-2014-3566)

Protocol issue leading to an attack against CBC cipher suites, specific to SSL 3.0.

SSL 3.0

This issue is addressed in TLS 1.0, hence the solution to this issue is to only use TLS 1.0 or later where possible.

Note that the POODLE attack exploits two problems: the SSL 3.0 issue mentioned above, and an insecure SSL/TLS version fallback mechanism used by popular web browsers that allows an attacker to force the browser and the web server to use an older protocol version even though both support newer protocol versions. This is something a standard SSL/TLS version negotiation prevents. An SSL/TLS protocol extension was defined to mitigate attacks against this insecure fallback mechanism.

TLS POODLE (CVE-2014-8730)

Implementation issue specific to certain TLS implementations, which reused SSL 3.0 decryption code to also decrypt TLS 1.x communication without properly implementing checks defined in the TLS specification.

TLS 1.0 and above

OpenSSL packages in Red Hat Enterprise Linux 5 were not affected.

Comments