add ability to set SOAP client protocols and cipher suites

Description

Given the exposure given to cryptographic issues in the last year, it would be nice for the SP to have the following abilities related to its TLS client as used in back-channel queries:

  • ability to set the permitted protocols and cipher suites for outbound connections (I thought the latter was already available, but I can't find any documentation for it)

  • ability to discover the effective permitted protocols and cipher suites the SP's client will use, e.g., by logging

  • ideally, but probably less importantly, a way of getting the SP's client to log the negotiated protocol and cipher suite when it establishes a connection

Environment

None

Activity

Scott Cantor 
May 13, 2016 at 12:13 AM

f7d7276491585a31135be0c271fb1a0b40afd09b

Added "ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2" to the default files, which results in something close to the "strong" set documented at Mozilla's site (https://mozilla.github.io/server-side-tls/ssl-config-generator/)

Scott Cantor 
May 12, 2016 at 11:46 PM

49d3c7119632c5ece8f7cdd54bd8e206bc67533f

Added cipherSuites property to config and documentation.

TBD, determine a new explicit default to use.

Scott Cantor 
May 12, 2016 at 11:42 PM

xmltooling, 38f2394aa03c2258a29020ac3c38411883f6c7fa

Added a method to set the cipher suites.

Added logging of the ciphers available before the connection is completed, and logged the TLS version and cipher used afterward.

The latter requires the new API added in curl 7.48.0. There aren't any hooks to find out the information in earlier versions; the access to the connection I had before is too early, since it's during the server cert verification and the handshake isn't done yet.

Scott Cantor 
May 12, 2016 at 12:56 AM

Interesting, they just added a new informational API in curl 7.48.0 to access the SSL backend's info structure after the connection, so that might get us the post-handshake info we want, maybe more.

Scott Cantor 
May 12, 2016 at 12:25 AM

The third of those is really only available with the verbose logging of the libcurl handshake, and there's no API to derive it otherwise.

I can certainly log what it's telling libcurl to do, but that won't tell you what ciphers or protocols it supports in the normal case, since the most common cipher suite expression involves negation (what not to use). Again, there's no API to derive that that I'm aware of through curl. I think OpenSSL does, so there might be something I could do with that by just calling around curl into OpenSSL, and assuming that the results would be consistent.

The actual setting of cipher suites is doable with TransportOption. I think it's not worth doing more unless I revise xmltooling for other reasons and then I could add an exposed option for it.

Lastly, the protocol thing: heh. Circle of life:
https://sourceforge.net/p/curl/feature-requests/27/

I tried to get him to support this years ago, but curl still doesn't allow you to turn off protocols, only turn a specific one on. So you can't really do this, and since they pretty much have stopped adding OpenSSL-specific features, I don't think there's much chance of it now.
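The comments above note that a cipher expression built on negation does not show which suites the client will actually offer, and that OpenSSL itself can expand it. The following is an added example, not part of the thread or of the SP/xmltooling code: it expands the default string from the May 13, 2016 comment using Python's `ssl` module, which is an OpenSSL binding. The function names are hypothetical, and the result reflects the OpenSSL build Python is linked against, which may differ from the one libcurl uses.

```python
import ssl

# Cipher expression quoted in the May 13, 2016 comment above.
SP_DEFAULT = "ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2"


def effective_suites(expression):
    """Expand an OpenSSL cipher expression into the ordered suites it enables.

    Returns (name, protocol, bits) tuples in the client's preference order.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(expression)
    except ssl.SSLError as exc:
        # OpenSSL reports failure when the expression selects nothing.
        raise ValueError(f"no cipher suites selected by {expression!r}") from exc
    return [(c["name"], c["protocol"], c["strength_bits"])
            for c in ctx.get_ciphers()]


def configurable(suites):
    """Drop TLS 1.3 suites, which OpenSSL 1.1.1+ configures separately from
    the cipher-list expression and reports under TLS_* names."""
    return [s for s in suites if not s[0].startswith("TLS_")]


def audit(expression):
    """Return the effective suites plus any that break the intent of the
    thread's default: ECDHE key exchange, no RC4, no SHA-1 MAC."""
    suites = configurable(effective_suites(expression))
    bad = [name for name, _, _ in suites
           if not name.startswith("ECDHE-")
           or "RC4" in name
           or name.endswith("-SHA")]
    return suites, bad


if __name__ == "__main__":
    suites, bad = audit(SP_DEFAULT)
    for name, protocol, bits in suites:
        print(f"{protocol:8} {bits:4} {name}")
    print("violations:", bad or "none")
```

Running the same audit against a candidate expression before deploying it shows whether a negation-only change still admits suites without forward secrecy.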

Fixed

Details

Created January 15, 2015 at 3:41 PM
Updated June 29, 2016 at 4:22 PM
Resolved May 13, 2016 at 12:13 AM