I am currently implementing OpenSSL's TLS/SSL standards into my mail service, allowing my users to select the TLS/SSL version they want. Here is the list of versions:
["TLSv1","TLSv1_server","TLSv1_client","SSLv3","SSLv3_server","SSLv3_client","SSLv23","SSLv23_server","SSLv23_client","TLS","TLSv1_1_server","TLSv1_1_client","TLSv1_1","TLSv1_2","TLSv1_2_server","TLSv1_2_client"]
I did some Googling on what the difference of the options are, and I understand that some versions are deprecated, or shouldn't be used because of security issues, such as TLSv1. I don't understand the difference between the client vs server ones, but from my own testing, the server options return errors when trying to send a mail with it.
So my question is - of that list, what should I remove?
What you show are not SSL/TLS versions but various types of SSL contexts which also include the usable SSL/TLS versions. This means the *_server "versions" are all SSL contexts which should be used on the server side where you usually also need a certificate. The *_client variants are for the client side of the TLS handshake, i.e. the one which initiates the TLS handshake.
Within a mail client you don't want to use any server specific SSL contexts because with these the mail client would expect the peer to start with the TLS handshake which it does not.
For more details see the man page of SSL_CTX_new which has a detailed description of what all these different contexts mean.
... allowing my users to select the TLS/SSL version they want.
While your specific implementation is wrong the idea of letting users chose the protocol version is wrong too. Instead you should just use a generic context without limitations (apart from disabling insecure versions) so that it automatically picks the best protocol version during the TLS exchange. Selecting specific protocol versions should only be done in case the peers TLS stack is broken, like for stacks which simply refuse a TLS 1.2 handshake instead of replying with TLS 1.0 in case they don't support TLS 1.2.
I'm using ssl3 to connect to server. When the -change_session_version option is specified with the -reconnect, I want the session protocol to change to SSLv2 from SSLv3
This is my command: apps/openssl s_client -connect 10.102.113.3:443 -reconnect -change_session_version -ssl3
Now, I know that I should have either this code:
if(change_session_version)
s->session->ssl_version = SSL2_VERSION;
Or this code:
if(change_session_version)
s->version = SSL2_VERSION;
I don't know where to put this code though.
I have declared change_session_version as an int in ssl.h and have set it to 1 if the -change_session_version option is specified.
Please help me out!
Your question embodies a contradiction in terms. A 'session' in SSL comprises the protocol, the cipher suite, the key material, and the peer certificates. You can't change any of them without creating a new session.
EDIT Just changing a variable in a piece of local memory can't possibly accomplish anything useful. The peer won't know about it, and the other peers sharing the session on other connections won't know about it either. You have to re-handshake and negotiate a new session.
I don't think this is possible. First, SSLv2 is practically not supported anymore and most stacks don't even implement it while the others have disabled it. And then there is no support for session resumption in SSLv2 at all.
An etcd instance can have multiple peers. According to the CoreOS doc I can configure a parameter ETCD_PEER_KEY_FILE=/path/to/peers.key. If I interpret this parameter according to its name, I can put the private keys of a peer (or more peer_s_) in that file. What's the rational behind this? Can someone explain, what this parameter really means (didn't find any documentation).
Got it. Documentation is here
--cert-file=<path>: Certificate used for SSL/TLS connections to etcd.
--peer-cert-file=<path>: Certificate used for SSL/TLS connections between peers. This will be used both for listening on the peer address as well as sending requests to other peers.
This is after my question about http and tls.
It seems that there is no mandate per RFC to invalidate an established TLS session if the underlying TCP connection is closed (and then reopened).
Is it safe to reuse the established TLS session over the new TCP connection?
Are there any known attacks (even at theoritical level) that could exploit this?
Thank you
Indeed there is such a mandate in RFC 2246 -- TLS 1.0 if the TCP connection is closed without sending a close_notify alert: see section 7.2.1 of the RFC 2246. This mandate was widely ignored in implementations that otherwise followed RFC 2246. Acknowledging this, TLS 1.1 and TLS 1.2 have eliminated the requirement.
TLS/SSL security does not rely on any properties of TCP, so things that happen at that level should not matter. In particular it should not matter whether you try to resume a TLS session on the same TCP connection or on a new TCP connection.
According to wikipedia: http://en.wikipedia.org/wiki/Transport_Layer_Security
Seems like TLS is a replacement to SSL, but most websites are still using SSL?
In short, TLSv1.0 is more or less SSLv3.1. You can find more details in this question on ServerFault.
Most websites actually support both SSLv3 and TLSv1.0 at least, as this study indicates (Lee, Malkin, and Nahum's paper: Cryptographic Strength of SSL/TLS Servers: Current and Recent Practices, IMC 2007) (link obtained from the IETF TLS list). More than 98% support TLSv1+.
I think the reason why SSLv3 is still in use was for legacy support (although most browsers support TLSv1 and some TLSv1.1 or even TLSv1.2 nowadays). Until not so long ago, some distributions still had SSLv2 (considered insecure) on by default along with the others.
(You may also find this question interesting, although it's about the usage pattern of TLS rather than SSL vs. TLS (you could in fact have the same pattern with SSL). This does not apply to HTTPS anyway, since HTTPS uses SSL/TLS from the beginning of the connection.)
From http://www.thoughtcrime.org/blog/ssl-and-the-future-of-authenticity/
In the early 90’s, at the dawn of the World Wide Web, some engineers at Netscape developed a protocol for making secure HTTP requests, and what they came up with was called SSL. Given the relatively scarce body of knowledge concerning secure protocols at the time, as well the intense pressure everyone at Netscape was working under, their efforts can only be seen as incredibly heroic. It’s amazing that SSL has endured for as long as it has, in contrast to a number of other protocols from the same vintage. We’ve definitely learned a lot since then, though, but the thing about protocols and APIs is that there’s very little going back.
There were two major updates to the SSL protocol, SSL 2 (1995) and SSL 3 (1996). These were carefully done to be backwards compatible, to ease adoption. However backwards compatibility is a constraint for a security protocol for which it can mean backwards vulnerable.
Thus it was decided to break backwards compatiblity, and the new protocol named TLS 1.0 (1999). (In hindsight, it might have been clearer to name it TLS 4)
The differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough that TLS 1.0 and SSL 3.0 do not interoperate.
TLS has been revised twice, TLS 1.1 (2006) and TLS 1.2 (2008).
As of 2015, all SSL versions are broken and insecure (the POODLE attack) and browsers are removing support. TLS 1.0 is ubiquitous, but only 60% of sites support TLS 1.1 and 1.2, a sorry state of affairs.
If you're interested in this stuff, I recommend Moxie Marlinspike's clever and funny talk at
https://www.youtube.com/watch?v=Z7Wl2FW2TcA
tls1.0 means sslv3.1
tls1.1 means sslv3.2
tls1.2 means sslv3.3
the rfc just changed the name, you could find tls1.0's hex code is 0x0301, which means sslv3.1
TLS maintains backward compatibility with SSL and therefore the communication protocol is nearly identical in any of the mentioned versions herein. The two important differences between SSL v.3, TLS 1.0, and TLS 1.2, is the pseudo-random function (PRF) and the HMAC hashing function (SHA, MD5, handshake), which is used to construct a block of symmetric keys for Application Data encryption (server keys + client keys + IV). Major difference between TLS 1.1 and TLS 1.2 is that 1.2 requires use-of "explicit" IV to protect against CBC attacks, although there is no changes to PRF or protocol needed for this. TLS 1.2 PRF is cipher-suite-specific, which means PRF can be negotiated during handshake. SSL was originally developed by Netscape Communications (historic) and later maintained by Internet Engineering Task Force (IETF, current). TLS is maintained by the Network Working Group. Here are difference between PRF HMAC functions in TLS:
TLS 1.0 and 1.1
PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed);
TLS 1.2
PRF(secret, label, seed) = P_hash(secret, label + seed)
"If it ain't broken, don't touch it". SSL3 works fine in most scenarios (there was a fundamental flaw found in SSL/TLS protocol back in October, but this is a flaw of applications more than of a procol itself), so developers don't hurry to upgrade their SSL modules. TLS brings a number of useful extensions and security algorithms, but they are handy addition and not a must. So TLS on most servers remains an option. If both server and client support it, it will be used.
Update: in '2016 SSL 3, and even TLS up to 1.2 are found to be vulnerable to various attacks and migration to TLS 1.2 is recommended. There exist attacks on implementations of TLS 1.2 as well, though they are server-dependent. TLS 1.3 is currently in development. And now TLS 1.2 is a must.
https://hpbn.co/transport-layer-security-tls/ is a good introduction
The SSL protocol was originally developed at Netscape to enable ecommerce transaction security on the Web, which required encryption to protect customers’ personal data, as well as authentication and integrity guarantees to ensure a safe transaction. To achieve this, the SSL protocol was implemented at the application layer, directly on top of TCP (Figure 4-1), enabling protocols above it (HTTP, email, instant messaging, and many others) to operate unchanged while providing communication security when communicating across the network.
When SSL is used correctly, a third-party observer can only infer the connection endpoints, type of encryption, as well as the frequency and an approximate amount of data sent, but cannot read or modify any of the actual data.
SSL 2.0 was the first publicly released version of the protocol, but it was quickly replaced by SSL 3.0 due to a number of discovered security flaws. Because the SSL protocol was proprietary to Netscape, the IETF formed an effort to standardize the protocol, resulting in RFC 2246, which was published in January 1999 and became known as TLS 1.0. Since then, the IETF has continued iterating on the protocol to address security flaws, as well as to extend its capabilities: TLS 1.1 (RFC 2246) was published in April 2006, TLS 1.2 (RFC 5246) in August 2008, and work is now underway to define TLS 1.3.
Feature
SSL
TLS
Full Name
Secure Socket layer
Transport layer security
Created By
Netscape in 1994
In 1994, IETF took over the maintenance of SSL and later renamed it
Note: The world used the mostly TLS over SSL.