7

In case you missed it - an OpenSSL vulnerability in the implementation of the TLS Heartbeat Extension has been making the rounds. For more information see http://heartbleed.com/.

One of the possible mitigation steps is to recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS option to disable the vulnerable extension.

Why does a system administrator have to recompile the library to disable an extension? Why isn't there a configuration option? Would have made a short term remediation much easier.

My best guess that this is a high performance library and as a library by it's nature does not have a configuration file as services do. Searching through Apache mod_ssl and Nginx HttpSslModule documentation I didn't see anything that would allow me to disable the Heartbeat functionality via configuration. Shouldn't this be an option?

-EDIT-

To clarify, everyone affected needs to revoke and replace affected SSL certificates. The primary problem here is that the vulnerability allowed anyone to pull 64 KB of application memory from a vulnerable server. This could have easily been addressed with a configuration option. Having to revoke and replace SSL certificates is a secondary consequence of this vulnerability, among other concerns with regards to what type of data (usernames, passwords, session info...) could have been leaked from application memory.

-EDIT2-

To clarify - by configuration I don't mean the configuration when compiling OpenSSL. I meant configuration in the web server. For instance, with apache mod_ssl, I can configure a range of options that affect SSL, such as the Cipher Suites available.

Community
  • 1
  • 1
RyPeck
  • 7,830
  • 3
  • 38
  • 58
  • Also if you think this might be better placed in infosec let me know. – RyPeck Apr 09 '14 at 15:20
  • 3
    Probably the answer is http://webcache.googleusercontent.com/search?q=cache:2qnrneYGM80J:https://www.peereboom.us/assl/assl/html/openssl.html – VBart Apr 09 '14 at 17:39
  • @VBart you are actually the second person to post that answer - the other guy's comment got removed. – RyPeck Apr 09 '14 at 20:03
  • I've looked into OpenSSL a few times and share [PHK](http://en.wikipedia.org/wiki/Poul-Henning_Kamp)'s opinion: http://lists.freebsd.org/pipermail/freebsd-security/2013-September/007168.html – VBart Apr 10 '14 at 07:45
  • I disagree. Either way, you still have to re-key all your SSL certs generated with the vulnerable version of OpenSSL. – Alexej Magura Apr 15 '14 at 22:34
  • @AlexejMagura - Not sure with what you "disagree" about. I edited my question to clarify anyway. – RyPeck Apr 15 '14 at 22:51
  • possible duplicate of [Is SSL\_CTX\_set\_options() the reason why OpenSSL folk used a compile time OPENSSL\_NO\_HEARTBEATS to disable TLSv1 Heartbeats?](http://stackoverflow.com/questions/23041550/is-ssl-ctx-set-options-the-reason-why-openssl-folk-used-a-compile-time-openssl) – jww Apr 17 '14 at 02:49
  • "Why isn't there a configuration option?" is answered at [Is SSL_CTX_set_options() the reason why OpenSSL folk used a compile time OPENSSL_NO_HEARTBEATS to disable TLSv1 Heartbeats?](https://stackoverflow.com/questions/23041550/is-ssl-ctx-set-options-the-reason-why-openssl-folk-used-a-compile-time-openssl). To answer "Shouldn't this be an option?" - yes, I think so. But there are no options left in the bitmask. – jww Apr 17 '14 at 02:52
  • @VBart - I'm not sure that Peereboom or Kamp's opinion of OpenSSL code applies for the questions at hand. Could you explain it to me? (And I share a lot of the same complaints with Peereboom and Kamp). – jww Apr 17 '14 at 03:02
  • @jww It's simple. There is no such option in OpenSSL to disable answering to heartbeat message. Therefore there is no way to do it in Apache or nginx. – VBart Apr 17 '14 at 13:14
  • The funny thing is that there is an option in OpenSSL to tell a client that it's not allowed to sedn Heartbeat, but if the client will ignore this request (and an attacker definitely will), then OpenSSL handles Heartbeat as usual, like it was allowed. And this behaviour violates RFC 6520, that requires: "_If an endpoint that has indicated peer_not_allowed_to_send receives a HeartbeatRequest message, the endpoint SHOULD drop the message silently and MAY send an unexpected_message Alert message._" – VBart Apr 17 '14 at 13:20
  • @VBart: "Therefore there is no way to do it in Apache or nginx..." - that may well be, but that appears to be his observation in the 4th paragraph (and the lack of an OpenSSL configuration file was wrong). The questions were in the 3rd paragraph. – jww Apr 17 '14 at 15:30
  • @jww so there is a way to enable/disable options in OpenSSL? But not a configuration file per say? – RyPeck Apr 17 '14 at 20:23

3 Answers3

2

I don't have knowledge of the programmers' state of mind when they made this decision but yes - a library is not going to be used in a well-defined scenario or two, it's going to be used however someone coded the main() to call it

If you really want to disable an option then compiling it out seems to me to be the best and safest route.

DavidF
  • 86
  • 6
1

Compile Flags vs Configuration Options - TLS Heartbeat

That's easy... Its detailed on the OpenSSL wiki under Configuration Options at Compilation and Installation: at configuration time, just add -DOPENSSL_NO_HEARTBEATS.

So you seem to have found the configuration option. The configuration option gets written to <openssl install>/include/openssl/opensslconf.h, so it flows to compile time, too.

That only leaves runtime (see below for that).

Why does a system administrator have to recompile the library to disable an extension?

You should not have to. Your distribution should provide it for you. But they will likely provide it in their build.

Sometimes you may need to find it from a "Personal Archive", like a PPA on Ubuntu.

(Ubuntu does some dumb things on occasion, like disabling TLS 1.1 and 1.2 in OpenSSL and disabling TLS 1.1 and 1.2 in OpenJDK. Its 2015, and they still have not been enabled).

Why isn't there a configuration option?

There is, and its published. You seem to have found it.

There's also a runtime option:

openssl-1.0.2a$ grep -R -A 1 -i heartbeat *
...
include/openssl/tls1.h:#  define SSL_set_tlsext_heartbeat_no_requests(ssl, arg) \
include/openssl/tls1.h:      SSL_ctrl((ssl),SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS,arg,NULL)
...

And:

include/openssl/ssl.h:#  define SSL_heartbeat(ssl) \
include/openssl/ssl.h:      SSL_ctrl((ssl),SSL_CTRL_TLS_EXT_SEND_HEARTBEAT,0,NULL)

Would have made a short term remediation much easier.

The one that chaps my ass is the TLS_FALLBACK_SCSV. You cannot disable it at configuration time, at compile time, or at runtime. Its more insecure browser crap that leaked its way into other user agents and software....

Community
  • 1
  • 1
jww
  • 97,681
  • 90
  • 411
  • 885
0

If you start working on compiling openssl, I would suggest to compile a "more secure" version of openssl for your needs. Not only disable heartbeat (-DOPENSSL_NO_HEARTBEATS) but also disable all unnecessary options in openssl.

user3589953
  • 1
  • 1