How to bypass the OpenSSL security level

How to bypass the OpenSSL security level using curl or the openssl utility to access legacy services.

Inspect the default OpenSSL security level. It is set at build time by the -DOPENSSL_TLS_SECURITY_LEVEL compiler flag.

$ openssl version -f
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-51ig8V/openssl-1.1.1f=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2

Read the SSL_CTX_set_security_level manual page to learn what each OpenSSL security level permits.

$ man SSL_CTX_set_security_level
[...]
       Level 0
           Everything is permitted. This retains compatibility with previous versions of OpenSSL.

       Level 1
           The security level corresponds to a minimum of 80 bits of security. Any parameters offering below 80 bits of security are excluded. As a result RSA, DSA and DH keys shorter than 1024
           bits and ECC keys shorter than 160 bits are prohibited. All export cipher suites are prohibited since they all offer less than 80 bits of security. SSL version 2 is prohibited. Any
           cipher suite using MD5 for the MAC is also prohibited.

       Level 2
           Security level set to 112 bits of security. As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited.  In addition to the level 1
           exclusions any cipher suite using RC4 is also prohibited. On Ubuntu, TLS versions below 1.2 are not permitted. Compression is disabled.

       Level 3
           Security level set to 128 bits of security. As a result RSA, DSA and DH keys shorter than 3072 bits and ECC keys shorter than 256 bits are prohibited.  In addition to the level 2
           exclusions cipher suites not offering forward secrecy are prohibited. Session tickets are disabled.

       Level 4
           Security level set to 192 bits of security. As a result RSA, DSA and DH keys shorter than 7680 bits and ECC keys shorter than 384 bits are prohibited.  Cipher suites using SHA1 for the
           MAC are prohibited.

       Level 5
           Security level set to 256 bits of security. As a result RSA, DSA and DH keys shorter than 15360 bits and ECC keys shorter than 512 bits are prohibited.
[...]

List the cipher suites enabled at a given security level with the openssl ciphers command.

$ openssl ciphers -tls1_2 -s -v 'DEFAULT:@SECLEVEL=2'
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1

Try to access a server whose TLS configuration is too weak for the security level in effect.

$ curl https://example.org
curl: (35) error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type

Depending on what the server offers, you may see similar errors instead.

curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
curl: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

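Override the OpenSSL security level for this one connection to access the service. The -k option skips certificate verification and is needed here only because the test server uses a self-signed certificate; it is unrelated to the security level.

$ curl -k https://127.0.0.1:8443 --ciphers DEFAULT@SECLEVEL=1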
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx on Debian!</title>
</head>
<body>
<h1>Welcome to nginx on Debian!</h1>
[...]
</body>
</html>

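The same cipher string can be passed to the OpenSSL s_client and s_server utilities with the -cipher option. Without it the handshake fails at the default level; with it a cipher is negotiated.

$ echo | openssl s_client -connect 127.0.0.1:8443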
CONNECTED(00000003)
[...]
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1667696635
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
---
$ echo | openssl s_client -connect 127.0.0.1:8443 -cipher DEFAULT@SECLEVEL=1
CONNECTED(00000003)
[...]
---
New, SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES128-SHA
    Session-ID: 77623BF5D61B87388529D4A3C50A1C297F7096945E5EEC7D6A288FB17AE7BAAB
    Session-ID-ctx: 
    Master-Key: E8D74D10F27C8DE8F379CE47094CA5E100ECEC8C15A3CB8E4BE08A7D9B3A6422EF27D17B44ECFBF3F4B8CE8D5A51FE70
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    [...]

    Start Time: 1667696672
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
---
DONE
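
Before settling on SECLEVEL=1 (or lower) for a legacy endpoint, it helps to know the highest level the service still accepts, so the override is no weaker than necessary. The script below is an added example, not part of the original post: it walks down from the compiled-in default and reports the first level at which s_client negotiates a cipher. The function names are hypothetical, and the parsing assumes the `openssl version -f` and s_client output formats shown above.

```shell
#!/bin/sh
# Added example (not from the original post): find the highest OpenSSL
# security level at which a legacy endpoint still completes a handshake.

# Read `openssl version -f` output on stdin, print the compiled-in default.
compiled_seclevel() {
    sed -n 's/.*-DOPENSSL_TLS_SECURITY_LEVEL=\([0-9]\).*/\1/p'
}

# Read s_client output on stdin, print the negotiated cipher.
# Prints nothing when the handshake failed ("Cipher is (NONE)").
negotiated_cipher() {
    awk '/^New, / && /Cipher is / { if ($NF != "(NONE)") print $NF }'
}

# highest_seclevel HOST:PORT [START_LEVEL]
# Walks down from START_LEVEL (default: compiled-in level, else 2 as on this
# page) and prints "LEVEL CIPHER" for the first level that connects.
highest_seclevel() {
    target=$1
    level=${2:-$(openssl version -f | compiled_seclevel)}
    level=${level:-2}
    while [ "$level" -ge 0 ]; do
        cipher=$(echo | openssl s_client -connect "$target" \
                     -cipher "DEFAULT@SECLEVEL=$level" 2>/dev/null |
                 negotiated_cipher)
        if [ -n "$cipher" ]; then
            echo "$level $cipher"
            return 0
        fi
        level=$((level - 1))
    done
    echo "no handshake at any level" >&2
    return 1
}

# Run the probe only when a target is given on the command line.
if [ "$#" -gt 0 ]; then
    highest_seclevel "$@"
fi
```

Use the reported level in the per-connection cipher string rather than lowering the system-wide default.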