
Comments (6)

ckreibich commented on August 18, 2024

Sorry to let this sit for so long. I don't see a reason why we wouldn't just go to at least 1.2 at this point.

from broker.

Neverlord commented on August 18, 2024

> Hmmm... The above change didn't actually stop TLS 1.0 or 1.1 connections.

That change only affects the zeek-to-zeek (binary) connections. I'll look into the WS part.

@timwoj, @ckreibich: do you guys see a reason to make this configurable or can we simply put TLS 1.2 as the minimum (for both native and WebSocket)?


MMChrisHinshaw commented on August 18, 2024

Hmmm... The above change didn't actually stop TLS 1.0 or 1.1 connections. Below is a simplified test (note that ZeekPort is set to 7760 in zeekctl.cfg).

#!/bin/bash

# Try each protocol version in turn. "Result" is grep's exit status:
# 0 means s_client printed a "Protocol" line for that version, 1 means it did not.
for PROTO in tls1 tls1_1 tls1_2 tls1_3 ; do
    echo "Testing $PROTO"
    openssl s_client -connect 0.0.0.0:7761 -$PROTO 2>/dev/null | grep Protocol
    echo "Result $?"
done

The output shows that TLS 1.0 and 1.1 connections are valid, even with the above code change to broker.

Testing tls1
    Protocol  : TLSv1
Result 0
Testing tls1_1
    Protocol  : TLSv1.1
Result 0
Testing tls1_2
    Protocol  : TLSv1.2
Result 0
Testing tls1_3
Result 1


Neverlord commented on August 18, 2024

@MMChrisHinshaw your patch actually should affect both binary and WebSocket connections.

This is the output for me locally:

$ bash test.bash
Testing tls1
Result 1
Testing tls1_1
Result 1
Testing tls1_2
    Protocol  : TLSv1.2
Result 0
Testing tls1_3
Result 1

However, it doesn't matter whether I apply your patch or not. Looks like my OpenSSL version rejects older protocols by default. What system did you test on?


MMChrisHinshaw commented on August 18, 2024

I want to say this was RHEL8, but am not 100% on that.
What I'm also unsure of is whether the system minimum was set to 1.2.

In either case, it would be great to have a config option in Zeek to be able to control this.


Neverlord commented on August 18, 2024

I've merged the PR, so TLS 1.2 should be enforced as the minimum going forward. However, I could not verify this. The CentOS 8 docker image seems to be dead/EOL, so I couldn't use that for validation. CentOS Stream 9 and other distros I've tried all set the OpenSSL minimum to 1.2 at the system level, so the patch didn't make a difference.

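The thread hits two practical problems: the test script above decides "accepted" from the presence of a "Protocol" line, and nobody could verify the minimum-version patch because every test system already pinned OpenSSL to TLS 1.2 at the system level. The script below is an added example (not Broker or Zeek code, and not from either commenter) that addresses both. It probes a listener per TLS version like the script in the thread, but judges acceptance by s_client's exit status and the negotiated cipher, since s_client also prints an SSL-Session block after a handshake that failed. To give the probe a known target, it starts a throwaway openssl s_server on loopback that is explicitly pinned to TLS 1.2 and up with -min_protocol, so the server-side minimum is exercised independently of the system policy. It assumes the openssl CLI (1.1.0 or newer for -min_protocol); the port number is a constructed value and the certificate is generated on the fly.

```shell
#!/bin/sh
# Added example, not Broker/Zeek code: probe which TLS versions a listener
# accepts, and self-check against a local openssl s_server that enforces
# TLS 1.2 as its minimum. Assumes the openssl CLI (1.1.0+ for -min_protocol)
# and a free loopback port; DEMO_PORT is a constructed value.

DEMO_PORT=${DEMO_PORT:-44331}

# probe_tls HOST PORT PROTO -> prints "accepted" or "rejected".
# A handshake counts as accepted only when s_client exits 0 AND reports a
# real negotiated cipher. Seeing a "Protocol :" line alone is not enough:
# s_client prints an SSL-Session block even after a failed handshake, and a
# client build that lacks the requested version fails before connecting.
probe_tls() {
    probe_host=$1; probe_port=$2; probe_proto=$3
    probe_status=0
    probe_out=$(openssl s_client -connect "$probe_host:$probe_port" "-$probe_proto" \
                </dev/null 2>&1) || probe_status=$?
    if [ "$probe_status" -eq 0 ] \
       && printf '%s\n' "$probe_out" | grep -q '^New, .*Cipher is' \
       && ! printf '%s\n' "$probe_out" | grep -q 'Cipher is (NONE)'; then
        echo accepted
    else
        echo rejected
    fi
}

# start_demo_server: throwaway self-signed cert plus an s_server pinned to
# TLS >= 1.2, so the server-side minimum is enforced regardless of the
# system-wide OpenSSL policy.
start_demo_server() {
    DEMO_DIR=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -keyout "$DEMO_DIR/key.pem" -out "$DEMO_DIR/cert.pem" >/dev/null 2>&1
    openssl s_server -accept "127.0.0.1:$DEMO_PORT" \
        -cert "$DEMO_DIR/cert.pem" -key "$DEMO_DIR/key.pem" \
        -min_protocol TLSv1.2 -www >/dev/null 2>&1 &
    DEMO_PID=$!
    # Wait until the listener completes a handshake (up to ~20 s).
    demo_tries=0
    while [ "$demo_tries" -lt 20 ]; do
        if openssl s_client -connect "127.0.0.1:$DEMO_PORT" </dev/null >/dev/null 2>&1; then
            return 0
        fi
        demo_tries=$((demo_tries + 1))
        sleep 1
    done
    echo "demo server did not come up on port $DEMO_PORT" >&2
    return 1
}

stop_demo_server() {
    kill "$DEMO_PID" 2>/dev/null || true
    wait "$DEMO_PID" 2>/dev/null || true
    rm -rf "$DEMO_DIR"
}

# run_demo: the same version loop as the script in the thread, judged by the
# stricter probe_tls check. Against the demo server, tls1 and tls1_1 must be
# rejected and tls1_2 accepted; tls1_3 depends on the local OpenSSL build.
run_demo() {
    start_demo_server || return 1
    for proto in tls1 tls1_1 tls1_2 tls1_3; do
        printf 'Testing %-6s -> %s\n' "$proto" "$(probe_tls 127.0.0.1 "$DEMO_PORT" "$proto")"
    done
    stop_demo_server
}

run_demo
```

To check a real Broker listener instead of the demo server, call probe_tls against its host and port (the thread's example uses 7761); a version reported as "rejected" by a client whose own OpenSSL still permits that version is the only result that actually demonstrates a server-side minimum, which is why a client with TLS 1.0/1.1 disabled by system policy cannot verify the patch.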
