View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001382 | bareos-core | file daemon | public | 2021-09-01 16:58 | 2022-12-08 09:48 |
Reporter | Shodan | Assigned To | bruno-at-bareos | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Platform | Linux | OS | Debian | OS Version | 10 |
Product Version | 20.0.2 | ||||
Summary | 0001382: Allow to block TLS protocol versions | ||||
Description | Allow to block specified TLS protocol versions in config. For example "TLS Protocols = !SSLv2, !SSLv3, !TLSv1" Insecured version TLSv1.0 is enabled by default in bareos filedaemon and cannot be disabled, even with "TLS Enable = no" in bareos-fd.conf For example "TLS Protocols = !SSLv2, !SSLv3, !TLSv1" Nmap partial output for client with "TLS Enable = no" nmap --script ssl-enum-ciphers -p 9102 10.156.103.1 PORT STATE SERVICE 9102/tcp open jetdirect | ssl-enum-ciphers: | TLSv1.0: | ciphers: | ||||
Steps To Reproduce | Run bareos fileagent with "TLS Enable = no" Run nmap --script ssl-enum-ciphers -p 9102 bareos_fd_host | ||||
Tags | No tags attached. | ||||
Would you please share the configuration of the FD, so we can try to reproduce it? You might also have fallen for the (unpleasant) fact that you need to quote the parameter to TLS Protocols if it contains multiple values, as it needs to be one single string that is passed to OpenSSL. |
|
I just tried it myself again. I can confirm that setting "TLS Enable = no" does not disable TLS support entirely. However, setting the following forces the use of at least TLS v1.2 (i.e. nmap doesn't show anything besides TLS 1.2 and 1.3 anymore): TLS Protocol = "!TLSv1, !TLSv1.1" I understand that we should improve the documentation concerning this and we should probably support multiple values when using TLS Protocol unquoted or at least warn about it. |
|
Thank you! Please close the ticket, if required. |
|
Right now there is no way you could have known how to configure this correctly. So I think I'll keep the bug open till the documentation has been improved. |
|
FYI bareos-filedaemon throws an error with TLS Protocol = "!TLSv1, !TLSv1.1" "SSL routines:SSL_CONF_cmd:bad value" This line works for me TLS Protocol = "-TLSv1, -TLSv1.1" |
|
I have been trying to disable TLS < 1.2 on CentOS 7 hosts. None of these settings on 20.0.4 work: I have tried TLS Protocol = "-TLSv1, -TLSv1.1" TLS Protocol = "!TLSv1, !TLSv1.1" TLS Protocol = "TLSv1.2" No errors. But never any changes. This also applies to TLS Cipher List on CentOS 8 (C8 seems to use TLSv1.2 by defualt?) ; no matter what I fill in it doesn't error, or change the outcome (e.g TLS Cipher List = "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" CENTOS 7 nmap --script ssl-enum-ciphers -p 9102 MyHost Starting Nmap 7.70 ( https://nmap.org ) at 2021-11-30 13:14 GMT Nmap scan report for xxxx (172.16.167.8) Host is up (0.00023s latency). PORT STATE SERVICE 9102/tcp open jetdirect | ssl-enum-ciphers: | TLSv1.0: | ciphers: | TLS_PSK_WITH_3DES_EDE_CBC_SHA - unknown | TLS_PSK_WITH_AES_128_CBC_SHA - unknown | TLS_PSK_WITH_AES_256_CBC_SHA - unknown | TLS_PSK_WITH_RC4_128_SHA - unknown | compressors: | NULL | cipher preference: client | warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack | Broken cipher RC4 is deprecated by RFC 7465 | TLSv1.1: | ciphers: | TLS_PSK_WITH_3DES_EDE_CBC_SHA - unknown | TLS_PSK_WITH_AES_128_CBC_SHA - unknown | TLS_PSK_WITH_AES_256_CBC_SHA - unknown | TLS_PSK_WITH_RC4_128_SHA - unknown | compressors: | NULL | cipher preference: client | warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack | Broken cipher RC4 is deprecated by RFC 7465 | TLSv1.2: | ciphers: | TLS_PSK_WITH_3DES_EDE_CBC_SHA - unknown | TLS_PSK_WITH_AES_128_CBC_SHA - unknown | TLS_PSK_WITH_AES_256_CBC_SHA - unknown | TLS_PSK_WITH_RC4_128_SHA - unknown | compressors: | NULL | cipher preference: client | warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack | Broken cipher RC4 is deprecated by RFC 7465 |_ least strength: unknown Nmap done: 1 IP address (1 host up) scanned in 0.70 seconds CENTOS8 nmap --script ssl-enum-ciphers -p 9102 MyHost2 Starting Nmap 7.70 ( https://nmap.org ) at 2021-11-30 13:48 GMT Nmap scan report for (172.16.167.24) Host is up (0.00025s latency). PORT STATE SERVICE 9102/tcp open jetdirect | ssl-enum-ciphers: | TLSv1.2: | ciphers: | TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA (secp256r1) - C | TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA (secp256r1) - A | TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 (secp256r1) - A | TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA (secp256r1) - A | TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 (secp256r1) - A | TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A | TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A | TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A | TLS_PSK_WITH_3DES_EDE_CBC_SHA - unknown | TLS_PSK_WITH_AES_128_CBC_SHA - unknown | TLS_PSK_WITH_AES_128_CBC_SHA256 - unknown | TLS_PSK_WITH_AES_128_CCM - unknown | TLS_PSK_WITH_AES_128_CCM_8 - unknown | TLS_PSK_WITH_AES_128_GCM_SHA256 - unknown | TLS_PSK_WITH_AES_256_CBC_SHA - unknown | TLS_PSK_WITH_AES_256_CBC_SHA384 - unknown | TLS_PSK_WITH_AES_256_CCM - unknown | TLS_PSK_WITH_AES_256_CCM_8 - unknown | TLS_PSK_WITH_AES_256_GCM_SHA384 - unknown | TLS_PSK_WITH_ARIA_128_GCM_SHA256 - unknown | TLS_PSK_WITH_ARIA_256_GCM_SHA384 - unknown | TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 - unknown | TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 - unknown | TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 - unknown | compressors: | NULL | cipher preference: client | warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack |_ least strength: unknown Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds |
|
I just tested it again and it works as I expected (and found out when I first tested it). Where exactly do you set the parameters? They need to be in the FD's Client resource (usually in /etc/bareos-fd/client/myself.conf) |
|
Many thanks arogee! I had the directives in /etc/bareos/bareos-fd.d/director/bareos-dir.conf in Director {) where I have "TLS Require" and "TLS Enable" However, after your message, I have placed them in /etc/bareos/bareos-fd.d/client/myself.conf Client {) TLS Protocol = "-TLSv1,-TLSv1.1" does indeed work. TLS Protocol = "TLSv1.2" does not however. Schoolboy error on my part. |
|
Neverming. As I noted earlier: the documentation on this is *really* lacking. | |
Hello, just to warn you guys, that we try to improve the situation, and to ease life of everybody, we want to document all the step needed. So the PR1319 https://github.com/bareos/bareos/pull/1319 is an ongoing effort, and if you want to read builded documentation you can go there in a few when the PR will finish its first build. https://download.bareos.org/bareos/experimental/CD/PR-1319/BareosMainReference/TasksAndConcepts/TransportEncryption.html#tls-restricting-protocol-and-cipher I will appreciate, if some of you would like to read proof and test the procedure, before we merge the PR. |
|
PR1319 has been merged into master. | |
Date Modified | Username | Field | Change |
---|---|---|---|
2021-09-01 16:58 | Shodan | New Issue | |
2021-09-02 14:40 | arogge | Assigned To | => arogge |
2021-09-02 14:40 | arogge | Status | new => feedback |
2021-09-02 14:40 | arogge | Note Added: 0004245 | |
2021-09-02 15:43 | arogge | Note Added: 0004246 | |
2021-09-03 09:01 | Shodan | Note Added: 0004247 | |
2021-09-03 09:01 | Shodan | Status | feedback => assigned |
2021-09-03 10:54 | arogge | Note Added: 0004248 | |
2021-09-09 13:29 | Shodan | Note Added: 0004258 | |
2021-11-30 14:49 | db10 | Note Added: 0004372 | |
2021-11-30 15:04 | arogge | Note Added: 0004373 | |
2021-11-30 15:44 | db10 | Note Added: 0004374 | |
2021-11-30 15:49 | arogge | Note Added: 0004375 | |
2022-11-22 17:10 | bruno-at-bareos | Assigned To | arogge => bruno-at-bareos |
2022-11-24 16:17 | bruno-at-bareos | Note Added: 0004834 | |
2022-12-08 09:48 | bruno-at-bareos | Status | assigned => closed |
2022-12-08 09:48 | bruno-at-bareos | Resolution | open => fixed |
2022-12-08 09:48 | bruno-at-bareos | Note Added: 0004835 |