View Issue Details

ID: 0001382
Project: bareos-core
Category: [All Projects] file daemon
View Status: public
Last Update: 2021-09-09 13:29
Reporter: Shodan
Assigned To: arogge
Priority: normal
Severity: minor
Reproducibility: always
Status: assigned
Resolution: open
Platform: Linux
OS: Debian
OS Version: 10
Product Version: 20.0.2
Fixed in Version:
Summary: 0001382: Allow to block TLS protocol versions
Description:
Allow to block specified TLS protocol versions in config, for example "TLS Protocols = !SSLv2, !SSLv3, !TLSv1".
The insecure version TLSv1.0 is enabled by default in the bareos filedaemon and cannot be disabled, even with "TLS Enable = no" in bareos-fd.conf.

Nmap partial output for client with "TLS Enable = no"
nmap --script ssl-enum-ciphers -p 9102 10.156.103.1
PORT STATE SERVICE
9102/tcp open jetdirect
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
Steps To Reproduce:
Run bareos fileagent with "TLS Enable = no"
Run nmap --script ssl-enum-ciphers -p 9102 bareos_fd_host
Tags: No tags attached.

Activities

arogge (developer), 2021-09-02 14:40, note ~0004245

Would you please share the configuration of the FD, so we can try to reproduce it?
You might also have fallen for the (unpleasant) fact that you need to quote the parameter to TLS Protocols if it contains multiple values, as it needs to be one single string that is passed to OpenSSL.

arogge (developer), 2021-09-02 15:43, note ~0004246

I just tried it myself again.
I can confirm that setting "TLS Enable = no" does not disable TLS support entirely.
However, setting the following forces the use of at least TLS v1.2 (i.e. nmap doesn't show anything besides TLS 1.2 and 1.3 anymore):

TLS Protocol = "!TLSv1, !TLSv1.1"

I understand that we should improve the documentation concerning this and we should probably support multiple values when using TLS Protocol unquoted or at least warn about it.

Shodan (reporter), 2021-09-03 09:01, note ~0004247

Thank you!
Please close the ticket, if required.

arogge (developer), 2021-09-03 10:54, note ~0004248

Right now there is no way you could have known how to configure this correctly.
So I think I'll keep the bug open till the documentation has been improved.

Shodan (reporter), 2021-09-09 13:29, note ~0004258

FYI
bareos-filedaemon throws an error with TLS Protocol = "!TLSv1, !TLSv1.1"
"SSL routines:SSL_CONF_cmd:bad value"

This line works for me
TLS Protocol = "-TLSv1, -TLSv1.1"
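
The nmap check from the report is the right way to verify the "TLS Protocol" fix discussed in this thread, because the file daemon still answers TLS handshakes on port 9102 with "TLS Enable = no". The script below is an added example, not Bareos project code and not something posted in the ticket: it parses the output of "nmap --script ssl-enum-ciphers" and fails when the scanned port still negotiates a deprecated SSL/TLS version, so the check can run in a configuration pipeline. It assumes nmap's normal text output (each negotiated version opens a block with a line such as "|   TLSv1.0:" and unsupported versions are simply absent), a policy of TLS 1.2 and later, and the function names are made up here. The two scan samples are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not Bareos project code): audit a Bareos FD port for
# deprecated TLS versions by parsing "nmap --script ssl-enum-ciphers" output.
# Assumes nmap normal text output, where each negotiated version opens a
# block with a line such as "|   TLSv1.0:" and unsupported versions are absent.

# Policy (assumption): anything below TLS 1.2 is a finding.
DEPRECATED_TLS="SSLv2 SSLv3 TLSv1.0 TLSv1.1"

# Read a scan on stdin, print each deprecated version the target offered
# (one per line, in scan order). Exit 1 if any was found, 0 if the port only
# offers versions outside DEPRECATED_TLS.
find_deprecated_tls() {
    awk -v wanted="$DEPRECATED_TLS" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        # Version header lines: a pipe, whitespace, a version name, a colon and
        # nothing else. Sub-headers such as "|     ciphers:" match the pattern too
        # but are dropped by the want[] lookup; "|_  least strength: A" and
        # "| ssl-enum-ciphers:" never match the pattern.
        /^\|[[:space:]]+[A-Za-z0-9.]+:[[:space:]]*$/ {
            v = $2; sub(/:$/, "", v)
            if ((v in want) && !(v in seen)) { seen[v] = 1; hits++; print v }
        }
        END { exit (hits > 0) }
    '
}

# Scan a live file daemon and apply the policy. Usage: audit_fd_tls host [port]
# (port defaults to 9102, the FD port scanned in the ticket).
audit_fd_tls() {
    nmap --script ssl-enum-ciphers -p "${2:-9102}" "$1" | find_deprecated_tls
}

# Constructed sample scans (not captured from a real host): an FD that still
# offers TLS 1.0, and the same FD after TLS Protocol = "-TLSv1, -TLSv1.1".
SAMPLE_SCAN_BEFORE='PORT     STATE SERVICE
9102/tcp open  jetdirect
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|_  least strength: A'

SAMPLE_SCAN_AFTER='PORT     STATE SERVICE
9102/tcp open  jetdirect
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: A'
```

Running `printf '%s\n' "$SAMPLE_SCAN_BEFORE" | find_deprecated_tls` prints TLSv1.0 and exits 1; the "after" sample prints nothing and exits 0, so `audit_fd_tls bareos_fd_host || echo "FD still offers deprecated TLS"` is usable as a post-deploy gate. Because the script only matches version headers, a version that nmap could not negotiate at all (for example when the FD offers no cipher suite in nmap's list for it) will not appear, which is the same limitation as reading the scan by eye.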

Issue History

Date Modified Username Field Change
2021-09-01 16:58 Shodan New Issue
2021-09-02 14:40 arogge Assigned To => arogge
2021-09-02 14:40 arogge Status new => feedback
2021-09-02 14:40 arogge Note Added: 0004245
2021-09-02 15:43 arogge Note Added: 0004246
2021-09-03 09:01 Shodan Note Added: 0004247
2021-09-03 09:01 Shodan Status feedback => assigned
2021-09-03 10:54 arogge Note Added: 0004248
2021-09-09 13:29 Shodan Note Added: 0004258