WebGUI webserver will not protect a client from the BEAST attack

jimp · Jul 15, 2013, 2:47 PM

I went ahead and merged the patch since my testing showed it to be OK on all of the following:

Chrome 28 on Android 4.1.1
Browser on Android 4.1.1
Browser on Android 2.3.4
Chromium 27 on FreeBSD
Konquerer 4.10.5 on FreeBSD
Opera 12.16 on FreeBSD
Firefox 22 on Windows
Chrome 28 on Windows
IE 10 on Windows 8
Safari on iOS 6.1.3 (iPod Touch)
Chrome 27 on iOS 6.1.3 (iPod Touch)
Safari 6 on OS X 10.8.2
Chrome 28 on OS X 10.8.2

If anyone wants to try it on other browsers not listed there, it would still be appreciated. Just upgrade to a current snapshot and try any browser you can get your hands on.

Derelict · Jul 15, 2013, 9:05 PM

Just updated to Mon Jul 15 03:12:06 i386 NanoBSD and neither Firefox 22 nor Safari can establish an SSL connection (OS X 10.8.4).

Firefox reports: "SSL received a record with an incorrect Message Authentication Code. Error Code ssl_error_bad_mac_read"

ETA: Also get an ERR_SSL_PROTOCOL_ERROR on Chrome 28.0.1500.71

Derelict · Jul 16, 2013, 10:12 PM

OpenSSL s_client output

$ /usr/bin/openssl s_client -connect 172.30.30.1:443
CONNECTED(00000003)
depth=0 /C=US/ST=Somewhere/L=Somecity/O=CompanyName/OU=Organizational Unit Name (eg, section)/CN=Common Name (eg, YOUR name)/emailAddress=Email Address
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=Somewhere/L=Somecity/O=CompanyName/OU=Organizational Unit Name (eg, section)/CN=Common Name (eg, YOUR name)/emailAddress=Email Address
verify return:1
–-
Certificate chain
0 s:/C=US/ST=Somewhere/L=Somecity/O=CompanyName/OU=Organizational Unit Name (eg, section)/CN=Common Name (eg, YOUR name)/emailAddress=Email Address
i:/C=US/ST=Somewhere/L=Somecity/O=CompanyName/OU=Organizational Unit Name (eg, section)/CN=Common Name (eg, YOUR name)/emailAddress=Email Address

Server certificate
-----BEGIN CERTIFICATE-----
MIIEKDCCA5GgAwIBAgIJAIUV0hK0KPANMA0GCSqGSIb3DQEBCwUAMIG/MQswCQYD
VQQGEwJVUzESMBAGA1UECBMJU29tZXdoZXJlMREwDwYDVQQHEwhTb21lY2l0eTEU
MBIGA1UEChMLQ29tcGFueU5hbWUxLzAtBgNVBAsTJk9yZ2FuaXphdGlvbmFsIFVu
aXQgTmFtZSAoZWcsIHNlY3Rpb24pMSQwIgYDVQQDExtDb21tb24gTmFtZSAoZWcs
IFlPVVIgbmFtZSkxHDAaBgkqhkiG9w0BCQEWDUVtYWlsIEFkZHJlc3MwHhcNMTMw
NzA5MDgwNDU2WhcNMTgxMjMwMDgwNDU2WjCBvzELMAkGA1UEBhMCVVMxEjAQBgNV
BAgTCVNvbWV3aGVyZTERMA8GA1UEBxMIU29tZWNpdHkxFDASBgNVBAoTC0NvbXBh
bnlOYW1lMS8wLQYDVQQLEyZPcmdhbml6YXRpb25hbCBVbml0IE5hbWUgKGVnLCBz
ZWN0aW9uKTEkMCIGA1UEAxMbQ29tbW9uIE5hbWUgKGVnLCBZT1VSIG5hbWUpMRww
GgYJKoZIhvcNAQkBFg1FbWFpbCBBZGRyZXNzMIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDRoDMwP9ae97B5IheY4MZ8euLNoYMupCzAssPq4561Rr57K5pVAspL
pdHwD0oLkQMUopHrUU+qulcT4+RlHA0SGYP7bluyLAgAOaZmNWFLa1loglhdAKcB
iJo1NaSLC73uP/j5LWlOPjJ8NQCFt2Bchs57rRGlVSkDHJPd3Dgt0wIDAQABo4IB
KDCCASQwHQYDVR0OBBYEFG1bzWWh5eS1rdjTY2YGwcnme3cmMIH0BgNVHSMEgeww
gemAFG1bzWWh5eS1rdjTY2YGwcnme3cmoYHFpIHCMIG/MQswCQYDVQQGEwJVUzES
MBAGA1UECBMJU29tZXdoZXJlMREwDwYDVQQHEwhTb21lY2l0eTEUMBIGA1UEChML
Q29tcGFueU5hbWUxLzAtBgNVBAsTJk9yZ2FuaXphdGlvbmFsIFVuaXQgTmFtZSAo
ZWcsIHNlY3Rpb24pMSQwIgYDVQQDExtDb21tb24gTmFtZSAoZWcsIFlPVVIgbmFt
ZSkxHDAaBgkqhkiG9w0BCQEWDUVtYWlsIEFkZHJlc3OCCQCFFdIStCjwDTAMBgNV
HRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBALL7gvNQsBG5RLUsvKYNxd+KFrzQ
QR30syfu4MDNrgrogzRAU4YG6w4uGXDNzeWqnsYPY2vY/bcObabU3loOTaonL43m
BDQP5Ny61ugJ8+dGEzDaNdYnLDhXAs2T3s7RV886bi5EMhaXHIWEZHrFmwWbCDHz
+of9cfWPcrPJU7k7
-----END CERTIFICATE-----
subject=/C=US/ST=Somewhere/L=Somecity/O=CompanyName/OU=Organizational Unit Name (eg, section)/CN=Common Name (eg, YOUR name)/emailAddress=Email Address
issuer=/C=US/ST=Somewhere/L=Somecity/O=CompanyName/OU=Organizational Unit Name (eg, section)/CN=Common Name (eg, YOUR name)/emailAddress=Email Address

No client certificate CA names sent

SSL handshake has read 1225 bytes and written 316 bytes

New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: E2B56E5E4D6290A0F106A3501BB6CF184C2687EDE09D6FF9BF063166E67DE34C
Session-ID-ctx:
Master-Key: CD81CF270A34757E39CD1C359D4115BA944B88CDDB1FCC343F7ADF4BD8F994DE8C75A966ADC631C0D796BF894311FDFA
Key-Arg : None
Start Time: 1374012478
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)

GET / HTTP/1.1
1185:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s3_pkt.c:431:
$

Klaws · Jul 17, 2013, 1:18 PM

I very vaguely remember to have heard that Firefox and Chrome do not accept self-signed certificates under MacOS.

Let me have a look…Google leads to this: http://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate (scroll a bit down to the answer beginning with "On the Mac"). Well, the OP claims that FF works - maybe my memory concerning this issue was a bit dim.

jimp · Jul 17, 2013, 1:35 PM

The only issue I'm aware of in FF is that it won't take self-signed certs using an IPv6 IP address in the URL (but by hostname it's fine) on any OS, last I tried it.

I tried Safari and FF on OSX and they worked for me, but I am a couple point releases behind on there.

Supermule · Jul 17, 2013, 2:02 PM

Have you ever tried browsershots.org?

Derelict · Jul 17, 2013, 3:50 PM

Self-signed certs work fine. The only place I am seeing this is on webConfigurator on my test soekris with later 2.1 snapshots.

Note that raw openssl s_client fails the same way and has nothing to do with any of the browsers.

dhatz · Jul 17, 2013, 4:12 PM

@Derelict:

Self-signed certs work fine. The only place I am seeing this is on webConfigurator on my test soekris with later 2.1 snapshots.

Note that raw openssl s_client fails the same way and has nothing to do with any of the browsers.

I tried
/usr/bin/openssl s_client -connect pfsense_ip:port
from 3 different systems using openssl 0.9.8o to 1.0.1e and didn't notice any ill effects …

The new settings also work with every web browser I've tried on Windows and Linux.

doktornotor · Jul 17, 2013, 4:16 PM

@dhatz:

The new settings also work with every web browser I've tried on Windows and Linux.

Ditto, just WFM. SCNR - bitten fruit co. sucks once again.

Derelict · Jul 17, 2013, 5:36 PM

So this has degenerated into "blame apple" already? Ok.

I don't know that it's not localized to this laptop, but all I did was update the snapshot on the soekris and what was working fine is now not.

jimp · Jul 17, 2013, 5:39 PM

It isn't really even Apple in general, all my other Apple tests were OK (iOS and OS X) so it could be specific to that laptop, that version of OS X, or something else.

Until we get some more feedback from others, anything is speculation.

Can you hit that same firewall with any other browser on another OS?
Can you run a firmware upgrade on it again (using ssh or the console) to see if anything is different?

Derelict · Jul 17, 2013, 6:23 PM

I just put my 10.6.8 iMac on it. Same thing using Firefox.

Grabbed a random laptop. Vista. IE says it can't connect and Firefox gives me the same ssl_error_bad_mac_read.

Looks like it's something on this pfSense install.

I am going to save my config (in case anyone needs to see it later), wipe the config, reconfigure and see what happens.

If it still exhibits the same behavior I'll re-flash the CF from the latest snapshot and try it again.

Derelict · Jul 17, 2013, 7:00 PM

Erasing the config and starting over did not fix it.

Derelict · Jul 18, 2013, 6:19 AM

So I took the Soekris home and reimaged the CF with gzcat pfSense-2.1-RC0-4g-i386-nanobsd-20130717-1018.img.gz | dd of=/dev/disk4 bs=64k

On my first connection to http://192.168.1.1/ I am redirected to 443, prompted to confirm the self-signed certificate, and get ssl_error_bad_mac_read.

Maybe this is nanobsd specific? HIFN specific?

All I know is it isn't working for me on this hardware since the BEAST fix was merged.

For grins I removed the HIFN card and tried it again. Worked fine.

Replaced the HIFN card, failed again.

I think it's something to do with HIFN somehow.

jimp · Jul 18, 2013, 12:13 PM

Aha, that could be it. Wouldn't be the first time a crypto card caused something like that to happen.

The Hifn card may not like the cipher being chosen by default.

I guess I'll have to put in a checkbox somewhere and restore the old behavior by default with a note about some crypto accelerators not supporting it.

I have a Hifn card here somewhere but it's not currently in my ALIX. I can swap it in and test.

jimp · Jul 18, 2013, 12:44 PM

Yep, I put the Hifn in and the GUI won't load. Easy to reproduce it that way.

jimp · Jul 18, 2013, 1:36 PM

OK it's now off by default and a checkbox option:
https://github.com/pfsense/pfsense/commit/30adceda1fffe160d18bdcbcaccb0da5de000fdf

I have the code disable the option in the GUI if it detects a Hifn card and also if the option is somehow set (restoring a config?) and it detects a Hifn card it will refuse to honor the option.

Should result in a working GUI no matter how someone tries to break it. :-)

Derelict · Jul 18, 2013, 10:25 PM

All works for me now. Thanks.

dweimer · Jul 19, 2013, 1:35 AM

Interesting, I found this thread after hitting the problem 7-16, I fixed it by logging in through ssh and manually entering the update url for the 14th. I was checking back today to see if the problem was solved. And yes I do have a Hifn 7955 in an Alix.6e1 that it was installed on, I didn't test pulling the card out to see if it fixed it, as I didn't expect that to be an issue.

Aug 15, 2013, 6:25 PM

@dhatz:

After changing lighttpd config file to include:

ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
ssl.honor-cipher-order = "enable"

Hello

A question: Why do you actually disallow AESGCM instead of putting it at the very front of the cipher order?