Configurable SSL cipher suite

[tgurr]

• Gitea version: 1.10.2
• Git version: 2.24.0
• Operating system: Linux
• Database:
  • MySQL
• Can you reproduce the bug at https://try.gitea.io:
  • Not tested / may run behind a reverse proxy so the results could vary

Description

'Vulnerable' cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

'Vulnerable' cipher suites accepted by this service via the TLSv1.1 protocol:

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

'Vulnerable' cipher suites accepted by this service via the TLSv1.2 protocol:

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

#913 added configurable SSH cipher suite, it would be nice to have the same to configure the SSL cipher suite since currently TLSv1.0 and TLSv1.1 are still accepted which shouldn't be used in 2020 anymore: https://blog.qualys.com/ssllabs/2018/11/19/grade-change-for-tls-1-0-and-tls-1-1-protocols
and it would also be nice to configure excludes for TLSv1.2 to get rid of the weak ones there as well / provide a way to configure them in general.

[bagasme]

@tgurr and perhaps enforcing TLS v1.2?

[tgurr]

@bagasme no objections from my side, maybe it should just be the default setting then. Just a note and directly related to Gitea, we encountered some problems on Windows 7 / Server 2008 when disabling TLSv1.0 and TLSv1.1 in other software, they're EOL anyways, but there may still be use cases for it.

[clarfonthey]

It may be worthwhile to simplify the configuration options to allow picking between some of Mozilla's recommendations (i.e. Modern, Intermediate, or Old), as shown here: https://wiki.mozilla.org/Security/Server_Side_TLS

Also, adding onto this: this is TLS, not SSL. It seems pedantic but it is important to mention.

[CRCinAU]

Oh good - I managed to find this when looking for the exact same... Currently, I see:

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final
 NPN/SPDY   h2, http/1.1, acme-tls/1 (advertised)
 ALPN/HTTP2 h2, http/1.1 (offered)
...
 Has server cipher order?     no (NOT ok)
...
 Strict Transport Security    not offered
...
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    VULNERABLE, uses 64 bit block ciphers
...
BEAST (CVE-2011-3389)                     TLS1: ECDHE-ECDSA-AES256-SHA
                                                 ECDHE-ECDSA-AES128-SHA
                                                 ECDHE-RSA-AES256-SHA
                                                 AES256-SHA
                                                 ECDHE-RSA-AES128-SHA
                                                 AES128-SHA
                                                 ECDHE-RSA-DES-CBC3-SHA
                                                 DES-CBC3-SHA 
                                           VULNERABLE -- but also supports higher protocols  TLSv1.1 TLSv1.2 (likely mitigated)
 LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches

It would certainly be good to get this part of things configurable...

[zeripath]

The place to adjust this would likely be in modules/graceful/server.go:97:ListenAndServeTLS

you'd need to add the appropriate settings to modules/settings/setting.go probably add some settings at line 91 and line 580.

[rmbleeker]

Is this actively being worked on? I got back a network scan showing the same results and was asked if I could disable the potentially vulnerable cipher suites. If this is not on the roadmap for a near future Gitea release I might just install a reverse proxy as a work-around.

[eduardok]

Is this actively being worked on? I got back a network scan showing the same results and was asked if I could disable the potentially vulnerable cipher suites. If this is not on the roadmap for a near future Gitea release I might just install a reverse proxy as a work-around.

Edited my comment, you are right, I used the ones for SSH (all good), but it seems HTTPS is still not covered, I see I have a reverse proxy set up to get that cleared.

[CRCinAU]

Running 1.15.x, I see a much more sane config without having to alter the app.ini anywhere:

SSLv2
 - 
SSLv3
 - 
TLSv1
 - 
TLSv1.1
 - 
TLSv1.2 (server order)
 xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 256   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384            
 xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 256   AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256            
 xcca9   ECDHE-ECDSA-CHACHA20-POLY1305     ECDH 256   ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256      
TLSv1.3 (no server order, thus listed by strength)
 x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384                             
 x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                       
 x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256    

Looks like at some point it was tightened up a bit...

[zeripath]

Describe the settings, the values it would take and what you expect them to do and it would be relatively easy to implement.

[eduardok]

M_SHA256

I will see if I have time to upgrade my Gitea to latest this Monday/tomorrow, then will make it visible to the scanner and see if it still complains, otherwise I'll let you know what ciphers should be removed.

[rmbleeker]

Running 1.15.x, I see a much more sane config without having to alter the app.ini anywhere:

SSLv2
 - 
SSLv3
 - 
TLSv1
 - 
TLSv1.1
 - 
TLSv1.2 (server order)
 xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 256   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384            
 xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 256   AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256            
 xcca9   ECDHE-ECDSA-CHACHA20-POLY1305     ECDH 256   ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256      
TLSv1.3 (no server order, thus listed by strength)
 x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384                             
 x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                       
 x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256    

Looks like at some point it was tightened up a bit...

It's curious that I don't see any 3DES ciphers show up in your overview, while our network scan reports that they are offered by Gitea 1.15.3. Here is the relevant part of the scan report: https://gist.github.com/rmbleeker/13168441a2297e0f10faa39242c072a4

[rmbleeker]

Describe the settings, the values it would take and what you expect them to do and it would be relatively easy to implement.

It would probably be a good idea to implement this in the way Nginx does it for example: http://nginx.org/en/docs/http/ngx_http_ssl_module.html
So the options would then be:

• SSL_PROTOCOLS = TLSv1.2, TLSv1.3
• SSL_CIPHERS = some string that defines the ciphers that are enabled, or disabled if preceded by an exclamation mark

edit: since Gitea works with comma separated lists rather than space separated, modified my comment slightly for consistency with other Gitea options that take a list of values.