ssl module: the SSLv3 protocol is vulnerable ("POODLE" attack)

[vstinner]

BPO	22638
Nosy	@pitrou, @vstinner, @giampaolo, @tiran, @alex, @dstufft, @Lukasa, @rkuska, @Martiusweb
Files	issue22638.diff

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2015-01-06.13:38:18.903>
created_at = <Date 2014-10-14.23:11:15.855>
labels = ['type-security']
title = 'ssl module: the SSLv3 protocol is vulnerable ("POODLE" attack)'
updated_at = <Date 2015-01-06.13:38:18.902>
user = 'https://github.com/vstinner'

bugs.python.org fields:

activity = <Date 2015-01-06.13:38:18.902>
actor = 'pitrou'
assignee = 'none'
closed = True
closed_date = <Date 2015-01-06.13:38:18.903>
closer = 'pitrou'
components = []
creation = <Date 2014-10-14.23:11:15.855>
creator = 'vstinner'
dependencies = []
files = ['36926']
hgrepos = []
issue_num = 22638
keywords = ['patch', 'needs review']
message_count = 46.0
messages = ['229368', '229369', '229370', '229371', '229372', '229373', '229374', '229375', '229376', '229377', '229378', '229379', '229380', '229381', '229382', '229383', '229385', '229403', '229408', '229410', '229411', '229417', '229423', '229432', '229437', '229439', '229440', '229444', '229445', '229586', '229587', '229588', '229650', '231517', '231518', '231522', '231523', '231524', '231558', '231559', '231560', '231563', '231564', '231658', '233538', '233542']
nosy_count = 14.0
nosy_names = ['janssen', 'pitrou', 'vstinner', 'giampaolo.rodola', 'christian.heimes', 'donmez', 'Arfrever', 'alex', 'python-dev', 'dstufft', 'Lukasa', 'rkuska', 'martius', 'federico3']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue22638'
versions = ['Python 2.7', 'Python 3.4', 'Python 3.5']

[vstinner]

Copy of Donald Stuff email sent to python-dev:

A big security breach of SSL 3.0 just dropped a little while ago (named POODLE).
With this there is now no ability to securely connect via SSL 3.0. I believe
that we should disable SSL 3.0 in Python similarly to how SSL 2.0 is disabled,
where it is disabled by default unless the user has explicitly re-enabled it.

The new attack essentially allows reading the sensitive data from within a SSL
3.0 connection stream. It takes roughly 256 requests to break a single byte so
the attack is very practical. You can read more about the attack here at the
google announcement [1] or the whitepaper [2].

[1] http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
[2] https://www.openssl.org/~bodo/ssl-poodle.pdf

[alex]

This patch disables SSLv3 by default for Python. Uesrs can get it back by specifiying SSL_PROTOCOLv3 explicitly.

[pitrou]

"""Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks."""

[pitrou]

IOW, I think it may be ok to disable SSLv3 in create_default_context(), but not necessarily in other contexts.

[alex]

create_default_context already disables SSLv3! (Good work everybody :-))

FWIW many vendors are already moving to disable SSLv3, e.g. cloudflare already did.

[dstufft]

I think it's fine to disable it all together. Google is planning/hoping to kill SSL 3.0 completely from their clients in the next couple of months. They just don't want to release a patch that disables SSL 3.0 right today.

[pitrou]

How many times will it have to be repeated that SSL is used for other things than HTTPS-on-the-Web?

[dstufft]

I don't know, how many times will it have to be repeated that secure defaults matter?

SSL 3.0 can be turned back on easily enough, it isn't a hard shut off. It changes the default just like what was done with SSLv2.0.

[pitrou]

The difference is that SSLv2 had been dead for long already. We don't have any statistic about SSLv3 servers in the wild, but I'd be surprised if they had turned entirely negligible.

[alex]

CloudFlare published some statistics: https://blog.cloudflare.com/sslv3-support-disabled-by-default-due-to-vulnerability/

[dstufft]

There's also https://www.trustworthyinternet.org/ssl-pulse/

[alex]

Debian is also considering this, and link some statistics on IE6 specifically (one of the, if not the single, largest SSLv3 users): https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765347

[pitrou]

On the Web, there is indeed a good reaction time to security issues (especially in large providers). That may not be the case for all the other SSL services out there.

Since TLS_FALLBACK_SCSV is the recommended solution (not to mention it will work against other attacks), do you know if it's being implemented in OpenSSL? I would be surprised if nobody did it.

[pitrou]

Note the Debian issue is specifically for Apache, not the OpenSSL package.
If Debian decides to disable SSLv3 in its OpenSSL package, then it will be a pretty good hint that we can do so as well :-)