[Bug 1934040] [NEW] openssl s_client's '-ssl2' & '-ssl3' options gone, prematurely!
Bill Yikes
1934040 at bugs.launchpad.net
Wed Jun 30 03:37:06 UTC 2021
Public bug reported:

SSL2 and SSL3 have been hastily removed, apparently by developers who
are unaware that these protocols serve purposes other than encryption.

SSL2/3 is *still used* on onion sites. Why? For verification. An
onion site has inherent encryption, so it matters not how weak the SSL
crypto is when the purpose is purely to verify that the server is owned
by who they say it's owned by.

Proof that disclosure attacks on ssl2/3 are irrelevant to onion sites:
https://blog.torproject.org/tls-certificate-for-onion-site

So here is a real world impact case. Suppose you get your email from
one of these onion mail servers:
http://onionmail.info/directory.html

Some (if not all) use ssl2/3 on top of Tor's inherent onion tunnel.
They force users to use ssl2/3, so even if a user configures the client
not to impose TLS, the server imposes it. And it's reasonable because
the ssl2/3 vulns are orthogonal to the use case.

Some users will get lucky and use a mail client that still supports
ssl2/3. But there's still a problem: users can no longer use openssl to
obtain the fingerprint to pin. e.g.

$ openssl s_client -proxy 127.0.0.1:8118 -connect xhfheq5i37waj6qb.onion:110 -showcerts
CONNECTED(00000003)
140124399195456:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 44 bytes and written 330 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

That's openssl version 1.1.1k

Being denied the ability to pin the SSL cert is actually a *degradation*
of security. Cert Pinning is particularly useful with self-signed
certs, as is often the scenario with onion sites.

** Affects: openssl (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
SSL2 and SSL3 have been hastily removed, apparently by developers who
are unaware that these protocols serve purposes other than encryption.
SSL2/3 is *still used* on onion sites. Why? For verification. An
onion site has inherent encryption, so it matters not how weak the SSL
crypto is when the purpose is purely to verify that the server is owned
by who they say it's owned by.
Proof that disclosure attacks on ssl2/3 are irrelevant to onion sites:
https://blog.torproject.org/tls-certificate-for-onion-site
So here is a real world impact case. Suppose you get your email from
one of these onion mail servers:
http://onionmail.info/directory.html
Some (if not all) use ssl2/3 on top of Tor's inherent onion tunnel.
They force users to use ssl2/3, so even if a user configures the client
not to impose TLS, the server imposes it. And it's reasonable because
the ssl2/3 vulns are orthoganol to the use case.
Some users will get lucky and use a mail client that still supports
ssl2/3. But there's still a problem: users can no longer use openssl to
obtain the fingerprint to pin. e.g.
$ openssl s_client -proxy 127.0.0.1:8118 -connect xhfheq5i37waj6qb.onion:110 -showcerts
CONNECTED(00000003)
140124399195456:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 44 bytes and written 330 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
+ That's openssl version 1.1.1k
- That's openssl version 1.1.1k
+ Being denied the ability to pin the SSL cert is actually a *degredation*
+ of security. Cert Pinning is particularly useful with self-signed
+ certs, as is often the scenario with onion sites.
https://bugs.launchpad.net/bugs/1934040
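
The `wrong version number` error from `ssl3_get_record` in the output above is raised when the bytes read from the peer do not carry major version 3 in the record header. The sketch below is an added example, not part of the bug report or of OpenSSL: it classifies the first bytes of a server reply as an SSLv3/TLS record, an SSLv2 record, or a cleartext banner. The name `classify_first_bytes` and all sample byte strings are constructed for illustration.

```python
import struct

# Record-layer content types and the (major, minor) version pairs seen on the wire.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
SSL2_MSG = {0: "ERROR", 4: "SERVER-HELLO"}


def classify_first_bytes(data: bytes) -> tuple[str, str]:
    """Return (kind, detail) for the first bytes a server sent after a ClientHello."""
    if len(data) < 5:
        return ("short", f"only {len(data)} bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    # SSLv3/TLS record: known content type and major version byte 3.
    if ctype in CONTENT_TYPES and major == 3:
        name = VERSIONS.get((major, minor), f"3.{minor}")
        return ("tls_record", f"{CONTENT_TYPES[ctype]} {name} len={length}")
    # SSLv2 record: high bit set in a 2-byte length header, then a message type.
    if data[0] & 0x80 and data[2] in SSL2_MSG:
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        return ("sslv2_record", f"{SSL2_MSG[data[2]]} len={rec_len}")
    # Printable ASCII up to the first CRLF: a cleartext protocol banner.
    line = data.split(b"\r\n", 1)[0]
    if line and all(32 <= b < 127 for b in line):
        return ("plaintext", line.decode("ascii"))
    return ("unknown", data[:8].hex())


# Constructed sample inputs (not captured from any real server).
SAMPLES = {
    "sslv3_hello": bytes.fromhex("160300004a02000046"),
    "tls_alert": bytes.fromhex("15030100020246"),
    "sslv2_hello": bytes.fromhex("800b0400010002000000000000"),
    "pop3_banner": b"+OK POP3 ready\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify_first_bytes(raw))
```
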