NetBSD Problem Report #58878
From www@netbsd.org Fri Dec 6 01:03:00 2024
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits)
client-signature RSA-PSS (2048 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id B76701A9238
for <gnats-bugs@gnats.NetBSD.org>; Fri, 6 Dec 2024 01:03:00 +0000 (UTC)
Message-Id: <20241206010259.6F9D81A923B@mollari.NetBSD.org>
Date: Fri, 6 Dec 2024 01:02:59 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: bozohttpd rejects tls1.1 and tls1.2 by default
X-Send-Pr-Version: www-1.0
>Number: 58878
>Category: bin
>Synopsis: bozohttpd rejects tls1.1 and tls1.2 by default
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: mrg
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Dec 06 01:05:00 +0000 2024
>Last-Modified: Fri Dec 06 01:51:31 +0000 2024
>Originator: Taylor R Campbell
>Release: current, 10
>Organization:
The NetBozo1.3 Foundation
>Environment:
>Description:
Since merging support for restricting TLS versions as part of https://gnats.netbsd.org/55830, bozohttpd(8) has defaulted to _rejecting_ TLSv1.1 and TLSv1.2, accepting only TLSv1.3.
79 /* Default to TLS 1.3. */
80 struct {
81 	unsigned proto;
82 	const char *name;
83 } protos[] = {
84 	{ TLS1_3_VERSION, "TLSv1.3" },
85 	{ TLS1_2_VERSION, "TLSv1.2" },
86 	{ TLS1_1_VERSION, "TLSv1.1" },
87 	{ 0, NULL },
88 };
89
90 static int
91 bozo_ssl_proto(const char *name)
92 {
93 	unsigned i;
94
95 	if (name)
96 		for (i = 0; protos[0].proto != 0; i++)
97 			if (strcasecmp(name, protos[i].name) == 0)
98 				return protos[i].proto;
99 	return protos[0].proto;
100 }
https://nxr.netbsd.org/xref/src/libexec/httpd/ssl-bozo.c?r=1.34#79
265 	proto = bozo_ssl_proto(httpd->ssl_min_proto);
266
267 	if (!SSL_CTX_set_min_proto_version(sslinfo->ssl_context, proto))
https://nxr.netbsd.org/xref/src/libexec/httpd/ssl-bozo.c?r=1.34#265
Thus, if you don't specify `bozohttpd -m TLSv1.1', bozohttpd will reject TLSv1.1 and TLSv1.2.
>How-To-Repeat:
1. run bozohttpd at example.com
2. curl --head --tls-max 1.1 https://example.com
>Fix:
Yes, please!
I think it would be reasonable to defer the default choice to OpenSSL instead of insisting on TLSv1.3. (While TLSv1.3 is certainly better than 1.1 and 1.2, there are plenty of clients that still use those, like Fastly. They aren't quite as obsolete as SSLv2 or SSLv3 are today.)
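The following is an added example, not bozohttpd code and not part of this PR: a replacement for the bozo_ssl_proto() lookup quoted above that returns 0 when no `-m' option was given, so that the value handed to SSL_CTX_set_min_proto_version() means "lowest version the library supports" (OpenSSL documents 0 as exactly that) rather than TLS1_3_VERSION. It also tests protos[i].proto instead of protos[0].proto as the loop sentinel, since the quoted loop never terminates on its own for an unmatched name, and it reports an unknown name instead of silently falling back to the default. The TLS1_*_VERSION values are the ones from openssl/ssl.h, redefined locally so the example builds without OpenSSL; negotiate() is a hypothetical model of the server's min/max check, not a library call, and the library floor it is given (TLS1_VERSION) is an assumption, since the real floor depends on how OpenSSL was built and configured.

```c
/*
 * Added example (not bozohttpd code): corrected minimum-protocol lookup
 * plus a model of what SSL_CTX_set_min_proto_version() does with it.
 */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Same values as OpenSSL's TLS1_*_VERSION macros (openssl/ssl.h); defined
 * here so the example compiles without the OpenSSL headers. */
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304

/* Hypothetical return value for an unrecognised name; the caller should
 * refuse to start rather than guess. */
#define PROTO_UNKNOWN (-1)
/* OpenSSL: passing 0 to SSL_CTX_set_min_proto_version() means "lowest
 * version supported by the library", i.e. defer to OpenSSL's own policy. */
#define PROTO_LIBRARY_DEFAULT 0

static const struct {
	int proto;
	const char *name;
} protos[] = {
	{ TLS1_3_VERSION, "TLSv1.3" },
	{ TLS1_2_VERSION, "TLSv1.2" },
	{ TLS1_1_VERSION, "TLSv1.1" },
	{ 0, NULL },
};

/*
 * Map the -m argument to a protocol version.  Differences from the quoted
 * bozo_ssl_proto():
 *  - no name -> PROTO_LIBRARY_DEFAULT (0), not TLS1_3_VERSION, so the
 *    library floor applies and TLSv1.2 clients are not rejected by default;
 *  - the sentinel test is protos[i].proto, so the loop stops at the
 *    terminating entry instead of running past the table;
 *  - an unmatched name is reported instead of becoming the default.
 */
int
min_proto_from_name(const char *name)
{
	unsigned i;

	if (name == NULL)
		return PROTO_LIBRARY_DEFAULT;
	for (i = 0; protos[i].proto != 0; i++)
		if (strcasecmp(name, protos[i].name) == 0)
			return protos[i].proto;
	return PROTO_UNKNOWN;
}

/*
 * Hypothetical model of version negotiation: the server accepts
 * [floor, ceiling]; the client offers every version up to client_max
 * (what curl --tls-max does).  Returns the negotiated version, or 0 when
 * the handshake fails with a protocol-version alert.  floor == 0 stands
 * for the library default, supplied as lib_floor (an assumption here).
 */
int
negotiate(int floor, int ceiling, int lib_floor, int client_max)
{
	int lo = (floor == PROTO_LIBRARY_DEFAULT) ? lib_floor : floor;

	if (lo > ceiling || client_max < lo)
		return 0;
	return client_max < ceiling ? client_max : ceiling;
}

int
main(void)
{
	/* What the quoted code does with no -m option. */
	int bozo_default = TLS1_3_VERSION;
	/* What this replacement does with no -m option. */
	int proposed_default = min_proto_from_name(NULL);

	printf("quoted default, curl --tls-max 1.2: %s\n",
	    negotiate(bozo_default, TLS1_3_VERSION, TLS1_VERSION,
	    TLS1_2_VERSION) ? "ok" : "rejected");
	printf("library default, curl --tls-max 1.2: %s\n",
	    negotiate(proposed_default, TLS1_3_VERSION, TLS1_VERSION,
	    TLS1_2_VERSION) ? "ok" : "rejected");
	printf("-m TLSv1.2, curl --tls-max 1.1: %s\n",
	    negotiate(min_proto_from_name("TLSv1.2"), TLS1_3_VERSION,
	    TLS1_VERSION, TLS1_1_VERSION) ? "ok" : "rejected");
	return 0;
}
```

With the quoted default the first probe is rejected, which is the behaviour the How-To-Repeat above exercises; with the library default it succeeds, and an explicit `-m TLSv1.2' still turns away a client capped at 1.1, so the operator keeps the knob while the out-of-the-box policy is left to OpenSSL.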
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: bin-bug-people->mrg
Responsible-Changed-By: riastradh@NetBSD.org
Responsible-Changed-When: Fri, 06 Dec 2024 01:51:31 +0000
Responsible-Changed-Why:
over to the friendly neighbourhood bozo
>Unformatted:
Copyright © 1994-2024
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.