View Revisions: Issue #5158

Summary 0005158: Support old ciphers and old crypto protocols in various tools
Revision 2018-12-14 11:02 by rhertzog
Description To increase the security of many tools, old (broken security-wise) crypto protocols have been dropped (or disabled by default) from OpenSSL and other libraries.

This is the case of SSLv2 for example (support dropped a long time ago), and TLSv1.0/TLSv1.1 are currently disabled by default (see MinProtocol in /etc/ssl/openssl.conf; the change was re-introduced in 1.1.1-2, see https://tracker.debian.org/news/998835/accepted-openssl-111-2-source-into-unstable/ and the former revert in 0004238).

In the context of a penetration testing distribution, this is problematic because it doesn't let you connect/inspect services using those old crypto protocols.

There are various ways to work around this limitation:
- the tool itself can use the OpenSSL API to re-enable support for things that are disabled by default
- the tool can be built against an old version of OpenSSL still supporting the desired protocols (sslscan is an example of this, see 0000146, same for sslyze see 0002106).

So we should look into some ways to have an openssl package supporting as many of those old protocols as possible.
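The first work-around above (the tool re-enabling disabled protocols through the OpenSSL API rather than depending on a rebuilt library) looks like this from Python's `ssl` module, which wraps the same OpenSSL calls (`SSL_CTX_set_min_proto_version`, `SSL_CTX_set_cipher_list`). This is an added example, not code from the issue or from Kali's openssl packaging; the function names and the `@SECLEVEL=0` fallback are my own choices, and the loopback/target host is whatever the caller passes in.

```python
import socket
import ssl
import sys


def legacy_client_context(min_version=ssl.TLSVersion.TLSv1):
    """Build a client SSLContext that lowers the protocol floor below the
    system-wide MinProtocol default, the way a tool does with
    SSL_CTX_set_min_proto_version() directly.

    Returns (context, report) where report records what could actually be
    re-enabled, because some OpenSSL builds compile old protocols out
    entirely (that is the case where only a rebuild of the library helps).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # This context is for inspecting legacy services, not for carrying real
    # data, so certificate validation is switched off (hostname first, the
    # ssl module refuses the other order).
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE

    report = {"lowered": False, "min_version": 0, "seclevel0": False}
    try:
        ctx.minimum_version = min_version
        report["lowered"] = ctx.minimum_version == min_version
    except ValueError:
        # Protocol not compiled into this OpenSSL: nothing the API can do.
        pass
    report["min_version"] = int(ctx.minimum_version)

    # OpenSSL 3.x refuses TLS 1.0/1.1 handshakes at security level >= 1
    # (SHA-1 in the PRF), so lowering the version floor alone is not enough.
    # LibreSSL does not understand @SECLEVEL and raises SSLError instead.
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
        report["seclevel0"] = True
    except ssl.SSLError:
        pass
    return ctx, report


def probe_protocol(host, port, version, timeout=5.0):
    """Report whether host:port completes a handshake pinned to one TLS
    version (what sslscan does per protocol). Returns one of
    'unsupported-locally', 'accepted', 'rejected', or 'error: <reason>'."""
    ctx, _ = legacy_client_context(version)
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return "unsupported-locally"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # tls.version() is the negotiated protocol name, e.g. 'TLSv1'.
                return "accepted" if tls.version() else "rejected"
    except ssl.SSLError:
        # Alert from the server (protocol_version / handshake_failure).
        return "rejected"
    except OSError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    # Usage: python legacy_tls.py <host> [port]; the host is the caller's own
    # service to audit, no default target is assumed here.
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    _, what = legacy_client_context()
    print("local OpenSSL:", ssl.OPENSSL_VERSION, what)
    for name in ("TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"):
        print(name, probe_protocol(target, port, getattr(ssl.TLSVersion, name)))
```

The `report` dictionary is the practical check: if `lowered` stays False the library was built without that protocol and only the second work-around (building against an older OpenSSL) remains; if `seclevel0` is False you are on a build where the cipher-string security level cannot be lowered from the application side either.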
Revision 2018-12-14 10:55 by rhertzog
Description To increase the security of many tools, old (broken security-wise) crypto protocols have been dropped (or disabled by default) from OpenSSL and other libraries.

This is the case of SSLv2 for example (support dropped), and TLSv1.0/TLSv1.1 are currently disabled by default (see MinProtocol in /etc/ssl/openssl.conf).

In the context of a penetration testing distribution, this is problematic because it doesn't let you connect/inspect services using those old crypto protocols.

There are various ways to work around this limitation:
- the tool itself can use the OpenSSL API to re-enable support for things that are disabled by default
- the tool can be built against an old version of OpenSSL still supporting the desired protocols (sslscan is an example of this, see 0000146, same for sslyze see 0002106).

So we should look into some ways to have an openssl package supporting as many of those old protocols as possible.