WL#12524: TLS for HTTP Component

Affects: Server-8.0   —   Status: Complete

Motivation

Authentication Methods like Basic and Bearer need an encrypted connection to not expose the security tokens.

Design Requirements

DR1
TLSv1.2 and later are currently considered secure; all older versions are either broken (SSLv3 ...) or considered weak.
DR2
Perfect Forward Secrecy (PFS) is required.

Goal

  • Provide TLS support for the HTTP Component
  • Allow to specify the Certificates at configuration time

Security Requirements

SR1
Pre-TLSv1.2 connections MUST fail with TLS errors.
SR2
Unacceptable ciphers MUST NOT be negotiable between the HTTPS client and the HTTPS server.
SR3
Ciphers that provide Perfect Forward Secrecy MUST be enabled by default.
SR4
The user MUST be able to replace the DH params.
SR5
TLS compression MUST be disabled.
SR6
RSA keys shorter than 2048 bit MUST be denied.
SR7
DH keys shorter than 1024 bit MUST be denied.

Configuration Requirements

CR1
TLS support MUST be configurable per port.

Implementation

SSLv3, TLSv1.0 and TLSv1.1

Connections from TLS clients not supporting TLSv1.2 and later MUST fail as those protocols are weak or broken.

TLSv1.2

TLSv1.2 and later are currently considered secure.

Without TLSv1.3 support on the server side, connections from clients supporting TLSv1.3 and TLSv1.2 will negotiate TLSv1.2.

TLSv1.3

If support for TLSv1.3 is available (i.e. when linked against openssl 1.1.1 and later), clients supporting TLSv1.3 and TLSv1.2 should negotiate TLSv1.3.

Default Ciphers

If the configuration doesn't overwrite the cipher list, a known-good list of ciphers is used:

    // TLSv1.2 with PFS using SHA2, encrypted by AES in GCM or CBC mode
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA256",

    // TLSv1.2+ with PFS using SHA2, encrypted by AES in GCM, CCM or CBC mode,
    // or by ChaCha20-Poly1305

    // TLSv1.3
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",

    // TLSv1.2
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-ECDSA-AES256-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
    "DHE-DSS-AES128-GCM-SHA256",
    "DHE-RSA-AES128-SHA256",
    "DHE-DSS-AES128-SHA256",
    "DHE-DSS-AES256-GCM-SHA384",
    "DHE-RSA-AES256-SHA256",
    "DHE-DSS-AES256-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",

    // TLSv1.2+ with static DH, ECDH or RSA key exchange (no PFS) using SHA2,
    // encrypted by AES in GCM or CBC mode
    "DH-DSS-AES128-GCM-SHA256",
    "ECDH-ECDSA-AES128-GCM-SHA256",
    "DH-DSS-AES256-GCM-SHA384",
    "ECDH-ECDSA-AES256-GCM-SHA384",
    "AES128-GCM-SHA256",
    "AES256-GCM-SHA384",
    "AES128-SHA256",
    "DH-DSS-AES128-SHA256",
    "ECDH-ECDSA-AES128-SHA256",
    "AES256-SHA256",
    "DH-DSS-AES256-SHA256",
    "ECDH-ECDSA-AES256-SHA384",
    "DH-RSA-AES128-GCM-SHA256",
    "ECDH-RSA-AES128-GCM-SHA256",
    "DH-RSA-AES256-GCM-SHA384",
    "ECDH-RSA-AES256-GCM-SHA384",
    "DH-RSA-AES128-SHA256",
    "ECDH-RSA-AES128-SHA256",
    "DH-RSA-AES256-SHA256",
    "ECDH-RSA-AES256-SHA384",

Unacceptable Ciphers

If the user overwrites the cipher list with ssl_cipher, any unacceptable ciphers are filtered out with the following openssl cipher-string rules (if linked against openssl):

!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!DES:!RC2:!RC4:!PSK:!SSLv3

Ciphers with PFS

Ciphers with PFS require DH params to be set up, either by providing good defaults or by letting the user specify them at startup.

good defaults

If ssl_dh_param is not set and the application is linked against openssl 1.1.0 and later, the "2048-bit MODP Group with 256-bit Prime Order Subgroup" from IETF RFC 5114 is used.

If linked against an older version of openssl, the same 2048-bit DH group that the MySQL Server uses by default is used.

minimum key length

RSA keys shorter than 2048 bit are denied as too weak.

TLS compression

Not supported due to possible attack vectors.

Configuration

Example

[http_server]
port=8443
ssl=1
ssl_cert=cert.pem
ssl_key=key.pem
# ssl_cipher=...
# ssl_dh_param=...

Options

ssl <0|1>
0 == SSL disabled, 1 == SSL enabled
ssl_cert
filename of the cert and its chain certificates in PEM format; required if ssl=1
ssl_key
filename of the key in PEM format; required if ssl=1
ssl_cipher
cipher-spec (see openssl's 'ciphers'). Default: a long list of approved ciphers. Unknown ciphers are silently ignored. Failure if the list of ciphers is empty and ssl=1.
ssl_dh_param
read the DH parameters from filename in PEM format. Default: use the dh-param from RFC 5114, if ssl=1
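The cipher-list policy described above (ssl_cipher honoured but the unacceptable-cipher rules always applied, unknown names ignored, failure when nothing survives, TLSv1.2 minimum, compression off, user-replaceable DH params), shown as an added example with Python's ssl module, which wraps OpenSSL. This is illustration code, not the worklog's or the HTTP Component's implementation; function and parameter names are assumed and the default list is abbreviated to its first entries.

```python
import ssl

# Rules the worklog appends to a user-supplied ssl_cipher value (from the page).
UNACCEPTABLE = "!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!DES:!RC2:!RC4:!PSK:!SSLv3"

# Abbreviated stand-in for the worklog's default list (its first PFS entries only).
DEFAULT_CIPHER_SPEC = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)


def make_server_context(cipher_spec=None, dh_param_path=None):
    """Server context following SR1/SR2/SR3/SR4/SR5; names are assumed here.

    cipher_spec mirrors the ssl_cipher option, dh_param_path mirrors ssl_dh_param.
    Raises ssl.SSLError when no TLSv1.2 cipher survives the filtering.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SR1: SSLv3/TLSv1.0/TLSv1.1 handshakes fail
    ctx.options |= ssl.OP_NO_COMPRESSION          # SR5: TLS compression disabled
    if cipher_spec:
        # SR2: the user's list is kept, but '!' rules remove a cipher permanently
        # wherever it appears; OpenSSL silently ignores unknown cipher names.
        ctx.set_ciphers(cipher_spec + ":" + UNACCEPTABLE)
    else:
        ctx.set_ciphers(DEFAULT_CIPHER_SPEC)       # SR3: PFS suites by default
    if dh_param_path:
        ctx.load_dh_params(dh_param_path)         # SR4: user-supplied DH params
    # (the worklog falls back to the RFC 5114 group; this example does not embed it)
    return ctx


def negotiable_tls12_ciphers(cipher_spec):
    """Names of the TLSv1.2 ciphers the server would offer for a given ssl_cipher."""
    ctx = make_server_context(cipher_spec)
    # TLSv1.3 suites are reported too but are governed separately by OpenSSL.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def cipher_spec_is_usable(cipher_spec):
    """Mirror the startup check: False when filtering leaves no TLSv1.2 cipher."""
    try:
        make_server_context(cipher_spec)
    except ssl.SSLError:
        return False
    return True


if __name__ == "__main__":
    # AES128-SHA (an SSLv3-era suite) and RC4-SHA are dropped, the ECDHE suite stays.
    print(negotiable_tls12_ciphers("ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:AES128-SHA"))
    print(cipher_spec_is_usable("RC4-SHA:AES128-SHA"))  # everything filtered -> False
```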

The implementation uses libevent's bufferevent_ssl APIs.