View Issue Details

ID: 0001382
Project: bareos-core
Category: file daemon
View Status: public
Last Update: 2022-11-24 16:17
Reporter: Shodan
Assigned To: bruno-at-bareos
Priority: normal
Severity: minor
Reproducibility: always
Status: assigned
Resolution: open
Platform: Linux
OS: Debian
OS Version: 10
Product Version: 20.0.2
Summary: 0001382: Allow to block TLS protocol versions
Description: Allow to block specified TLS protocol versions in config. For example "TLS Protocols = !SSLv2, !SSLv3, !TLSv1"
Insecure version TLSv1.0 is enabled by default in bareos filedaemon and cannot be disabled, even with "TLS Enable = no" in bareos-fd.conf

Nmap partial output for client with "TLS Enable = no"
nmap --script ssl-enum-ciphers -p 9102 10.156.103.1
PORT STATE SERVICE
9102/tcp open jetdirect
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
Steps To Reproduce:
Run bareos fileagent with "TLS Enable = no"
Run nmap --script ssl-enum-ciphers -p 9102 bareos_fd_host
Tags: No tags attached.

Activities

arogge (developer), 2021-09-02 14:40, note ~0004245

Would you please share the configuration of the FD, so we can try to reproduce it?
You might also have fallen for the (unpleasant) fact that you need to quote the parameter to TLS Protocols if it contains multiple values, as it needs to be one single string that is passed to OpenSSL.

arogge (developer), 2021-09-02 15:43, note ~0004246

I just tried it myself again.
I can confirm that setting "TLS Enable = no" does not disable TLS support entirely.
However, setting the following forces the use of at least TLS v1.2 (i.e. nmap doesn't show anything besides TLS 1.2 and 1.3 anymore):

TLS Protocol = "!TLSv1, !TLSv1.1"

I understand that we should improve the documentation concerning this and we should probably support multiple values when using TLS Protocol unquoted or at least warn about it.

Shodan (reporter), 2021-09-03 09:01, note ~0004247

Thank you!
Please close the ticket, if required.

arogge (developer), 2021-09-03 10:54, note ~0004248

Right now there is no way you could have known how to configure this correctly.
So I think I'll keep the bug open till the documentation has been improved.

Shodan (reporter), 2021-09-09 13:29, note ~0004258

FYI
bareos-filedaemon throws an error with TLS Protocol = "!TLSv1, !TLSv1.1"
"SSL routines:SSL_CONF_cmd:bad value"

This line works for me
TLS Protocol = "-TLSv1, -TLSv1.1"

db10 (reporter), 2021-11-30 14:49, note ~0004372

I have been trying to disable TLS < 1.2 on CentOS 7 hosts.
None of these settings on 20.0.4 work:

I have tried
TLS Protocol = "-TLSv1, -TLSv1.1"
TLS Protocol = "!TLSv1, !TLSv1.1"
TLS Protocol = "TLSv1.2"

No errors. But never any changes.

This also applies to TLS Cipher List on CentOS 8 (C8 seems to use TLSv1.2 by default?); no matter what I fill in it doesn't error, or change the outcome (e.g.

TLS Cipher List = "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256"


CENTOS 7
nmap --script ssl-enum-ciphers -p 9102 MyHost

Starting Nmap 7.70 ( https://nmap.org ) at 2021-11-30 13:14 GMT
Nmap scan report for xxxx (172.16.167.8)
Host is up (0.00023s latency).

PORT STATE SERVICE
9102/tcp open jetdirect
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_PSK_WITH_3DES_EDE_CBC_SHA - unknown
| TLS_PSK_WITH_AES_128_CBC_SHA - unknown
| TLS_PSK_WITH_AES_256_CBC_SHA - unknown
| TLS_PSK_WITH_RC4_128_SHA - unknown
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Broken cipher RC4 is deprecated by RFC 7465
| TLSv1.1:
| ciphers:
| TLS_PSK_WITH_3DES_EDE_CBC_SHA - unknown
| TLS_PSK_WITH_AES_128_CBC_SHA - unknown
| TLS_PSK_WITH_AES_256_CBC_SHA - unknown
| TLS_PSK_WITH_RC4_128_SHA - unknown
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Broken cipher RC4 is deprecated by RFC 7465
| TLSv1.2:
| ciphers:
| TLS_PSK_WITH_3DES_EDE_CBC_SHA - unknown
| TLS_PSK_WITH_AES_128_CBC_SHA - unknown
| TLS_PSK_WITH_AES_256_CBC_SHA - unknown
| TLS_PSK_WITH_RC4_128_SHA - unknown
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Broken cipher RC4 is deprecated by RFC 7465
|_ least strength: unknown

Nmap done: 1 IP address (1 host up) scanned in 0.70 seconds

CENTOS 8
nmap --script ssl-enum-ciphers -p 9102 MyHost2
Starting Nmap 7.70 ( https://nmap.org ) at 2021-11-30 13:48 GMT
Nmap scan report for (172.16.167.24)
Host is up (0.00025s latency).

PORT STATE SERVICE
9102/tcp open jetdirect
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| TLS_PSK_WITH_3DES_EDE_CBC_SHA - unknown
| TLS_PSK_WITH_AES_128_CBC_SHA - unknown
| TLS_PSK_WITH_AES_128_CBC_SHA256 - unknown
| TLS_PSK_WITH_AES_128_CCM - unknown
| TLS_PSK_WITH_AES_128_CCM_8 - unknown
| TLS_PSK_WITH_AES_128_GCM_SHA256 - unknown
| TLS_PSK_WITH_AES_256_CBC_SHA - unknown
| TLS_PSK_WITH_AES_256_CBC_SHA384 - unknown
| TLS_PSK_WITH_AES_256_CCM - unknown
| TLS_PSK_WITH_AES_256_CCM_8 - unknown
| TLS_PSK_WITH_AES_256_GCM_SHA384 - unknown
| TLS_PSK_WITH_ARIA_128_GCM_SHA256 - unknown
| TLS_PSK_WITH_ARIA_256_GCM_SHA384 - unknown
| TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 - unknown
| TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 - unknown
| TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 - unknown
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
|_ least strength: unknown

Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds

arogge (developer), 2021-11-30 15:04, note ~0004373

I just tested it again and it works as I expected (and found out when I first tested it).
Where exactly do you set the parameters? They need to be in the FD's Client resource (usually in /etc/bareos-fd/client/myself.conf)
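As an added illustration of the placement point made in this note (this is example configuration written for this page, not a file shipped by Bareos), the directive belongs in the FD's Client resource; the file path is the one used later in this thread and the resource name is a placeholder:

```conf
# /etc/bareos/bareos-fd.d/client/myself.conf  (path as used in this thread)
#
# Putting "TLS Protocol" in the Director resource (bareos-fd.d/director/*.conf)
# has no effect on the FD listener; it must be in the Client resource.
Client {
  Name = bareos-fd                      # placeholder name, not from the thread

  # One single quoted string, handed to OpenSSL as-is.  "-" disables a version,
  # so this leaves only TLS 1.2 and 1.3 on port 9102.  A bare "TLSv1.2" re-enables
  # a version that is already on by default and therefore changes nothing.
  TLS Protocol = "-TLSv1,-TLSv1.1"
}
```

After restarting the FD, the nmap ssl-enum-ciphers run shown above should list only TLSv1.2 and TLSv1.3 sections.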

db10 (reporter), 2021-11-30 15:44, note ~0004374

Many thanks arogge!

I had the directives in
/etc/bareos/bareos-fd.d/director/bareos-dir.conf

in Director {} where I have "TLS Require" and "TLS Enable"

However, after your message, I have placed them in

/etc/bareos/bareos-fd.d/client/myself.conf

Client {}

TLS Protocol = "-TLSv1,-TLSv1.1"
does indeed work.

TLS Protocol = "TLSv1.2"
does not however.

Schoolboy error on my part.
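To make concrete why the quoted "-" form restricts the listener while a bare "TLSv1.2" does not, here is an added example (not Bareos or OpenSSL code) that models the documented semantics of OpenSSL's SSL_CONF_cmd "Protocol" command, which is what the directive string ends up in: every version is enabled by default, a "-" prefix disables one, "ALL" names all of them, and any other token is rejected as a bad value. The "!" prefix is not part of the documented syntax, which is consistent with the "bad value" error reported earlier in this thread; treating SSLv3 as absent from the default set assumes a build with SSLv3 disabled at compile time.

```python
"""Model of OpenSSL's SSL_CONF_cmd "Protocol" semantics, as applied to the
Bareos "TLS Protocol" directive.  Added example, not project code."""

# Weakest to strongest, so policy checks can compare positions.
ORDER = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# Assumption: SSLv3 is compiled out, so it is parseable but never on by default.
DEFAULT_ENABLED = frozenset(ORDER[1:])


def enabled_protocols(spec, default=DEFAULT_ENABLED):
    """Return the set of versions left enabled after applying *spec*.

    spec is the comma separated string from the config, e.g. "-TLSv1, -TLSv1.1".
    Whitespace around each token is ignored, as OpenSSL's list parser does.
    """
    enabled = set(default)
    for raw in spec.split(","):
        token = raw.strip()
        if not token:
            continue
        disable = token.startswith("-")
        name = token[1:] if disable else token
        if name == "ALL":
            names = set(ORDER)
        elif name in ORDER:
            names = {name}
        else:
            # Mirrors the "SSL_CONF_cmd:bad value" error seen in this thread.
            raise ValueError(f"bad value: {token!r}")
        if disable:
            enabled -= names
        else:
            enabled |= names
    return frozenset(enabled)


def weakest_enabled(spec):
    """The lowest protocol version a peer could still negotiate, or None."""
    enabled = enabled_protocols(spec)
    for name in ORDER:
        if name in enabled:
            return name
    return None


def below_minimum(spec, minimum="TLSv1.2"):
    """Versions older than *minimum* that *spec* leaves enabled (empty = compliant)."""
    enabled = enabled_protocols(spec)
    cutoff = ORDER.index(minimum)
    return [name for name in ORDER[:cutoff] if name in enabled]


if __name__ == "__main__":
    # The three settings tried in this thread, and what each actually yields.
    for spec in ('-TLSv1, -TLSv1.1', 'TLSv1.2', '-ALL,TLSv1.2'):
        print(f'{spec!r:22} -> {sorted(enabled_protocols(spec))}  '
              f'still below 1.2: {below_minimum(spec)}')
    try:
        enabled_protocols('!TLSv1, !TLSv1.1')
    except ValueError as exc:
        print(f'{"!TLSv1, !TLSv1.1"!r:22} -> {exc}')
```

The `below_minimum` check is the one to wire into a config review: a non-empty result means the FD listener would still accept a version the site policy forbids, regardless of what the directive text looks like.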

arogge (developer), 2021-11-30 15:49, note ~0004375

Nevermind. As I noted earlier: the documentation on this is *really* lacking.

bruno-at-bareos (developer), 2022-11-24 16:17, note ~0004834

Hello, just to warn you guys that we are trying to improve the situation, and to ease everybody's life we want to document all the steps needed.

So the PR1319 https://github.com/bareos/bareos/pull/1319 is an ongoing effort, and if you want to read the built documentation you can go there shortly, once the PR has finished its first build.

https://download.bareos.org/bareos/experimental/CD/PR-1319/BareosMainReference/TasksAndConcepts/TransportEncryption.html#tls-restricting-protocol-and-cipher

I would appreciate it if some of you would like to proofread and test the procedure before we merge the PR.

Issue History

Date Modified Username Field Change
2021-09-01 16:58 Shodan New Issue
2021-09-02 14:40 arogge Assigned To => arogge
2021-09-02 14:40 arogge Status new => feedback
2021-09-02 14:40 arogge Note Added: 0004245
2021-09-02 15:43 arogge Note Added: 0004246
2021-09-03 09:01 Shodan Note Added: 0004247
2021-09-03 09:01 Shodan Status feedback => assigned
2021-09-03 10:54 arogge Note Added: 0004248
2021-09-09 13:29 Shodan Note Added: 0004258
2021-11-30 14:49 db10 Note Added: 0004372
2021-11-30 15:04 arogge Note Added: 0004373
2021-11-30 15:44 db10 Note Added: 0004374
2021-11-30 15:49 arogge Note Added: 0004375
2022-11-22 17:10 bruno-at-bareos Assigned To arogge => bruno-at-bareos
2022-11-24 16:17 bruno-at-bareos Note Added: 0004834