Description
When XenServer is set to TLS1.2-only mode, there is a compatibility problem with Firefox 49.0.2 - Error code: SSL_ERROR_NO_CYPHER_OVERLAP
I have made some diagnostics below and a suggestion for a change. Hopefully I haven't missed some blindingly obvious aspect...
(1) Xenserver TLS1.2 default supported ciphers
----------------------------------------------
Using TestSSLServer4 diagnostics tool (http://www.bolet.org/TestSSLServer/)
C:\Users\Android\Downloads>TestSSLServer4.exe xen1.mydomain.com
Connection: xen1.mydomain.com:443
SNI: xen1.mydomain.com
TLSv1.2:
server selection: uses client preferences
3-- (key: RSA) RSA_WITH_AES_128_CBC_SHA256
=========================================
+++++ SSLv3/TLS: 1 certificate chain(s)
+++ chain: length=2
names match: yes
includes root: yes
signature hash(es): SHA-256
+ certificate order: 0
thumprint: E20D8B1AA3BB4292XXXXXXXX0B2FA53F8062C90E6
serial: 34
subject: CN=xen1.mydomain.com,OU=Custom,O=Custom
issuer: CN=Custom CA,OU=Custom,O=Custom
valid from: 2016-11-01 00:00:00 UTC
valid to: 2017-10-31 23:59:59 UTC
key type: RSA
key size: 2048
sign hash: SHA-256
server names:
xen1.mydomain.com
+ certificate order: 1
thumprint: E4760726FD35D5XXXXXXXXXXA0BD93B156A864F
serial: 01
subject: CN=Custom CA,OU=Custom,O=Custom
issuer: CN=Custom CA,OU=Custom,O=Custom
valid from: 2014-11-01 00:00:00 UTC
valid to: 2024-10-31 23:59:59 UTC
key type: RSA
key size: 2048
sign hash: SHA-256
(self-issued)
=========================================
Server compression support: yes
Server time: 2016-11-04 15:59:22 UTC (offset: -178 ms)
Secure renegotiation support: yes
SSLv2 ClientHello format (for SSLv3+): no
=========================================
WARN[CP001]: Server supports compression.
WARN[CS006]: Server supports cipher suites with no forward secrecy.
(Note that the certificate and root CA are signed by myself. I have added my root certificate to the XenServer CA store using update-ca-trust etc. I don't believe there are problems here.)
(2) Firefox 49.0.2 supported ciphers
------------------------------------
Using Qualys SSL Labs browser test (https://www.ssllabs.com/ssltest/viewMyClient.html)
Firefox 49.0.2 cipher support
Cipher Suites (in order of preference)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9) Forward Secrecy 256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Forward Secrecy 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) Forward Secrecy 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) Forward Secrecy 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
(3) Union of Xenserver and Firefox ciphers
------------------------------------------
With an RSA certificate the only ciphers usable with Firefox are,
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
However these are not TLS1.2 compliant. Therefore I believe it is necessary to use an EC (elliptic curve) certificate.
(4) Installation of Elliptic Curve certificate
----------------------------------------------
I generated and installed an EC certificate,
X509v3 Basic Constraints : CA:FALSE
X509v3 Key Usage : Digital Signature
X509v3 Extended Key Usage : TLS Web Server Authentication
then temporarily modified /opt/xensource/libexec/xapissl to set GOOD_CIPHERS='ALL'. Restarting Xapi gives the following supported ciphers with Stunnel,
C:\Users\Android\Downloads>TestSSLServer4.exe xen1.mydomain.com
Connection: xen1.mydomain.com:443
SNI: xen1.mydomain.com
TLSv1.2:
server selection: uses client preferences
3fA (key: none) DH_anon_WITH_RC4_128_MD5
2fA (key: none) DH_anon_WITH_DES_CBC_SHA
3fA (key: none) DH_anon_WITH_3DES_EDE_CBC_SHA
3fA (key: none) DH_anon_WITH_AES_128_CBC_SHA
3fA (key: none) DH_anon_WITH_AES_256_CBC_SHA
3fA (key: none) DH_anon_WITH_CAMELLIA_128_CBC_SHA
3fA (key: none) DH_anon_WITH_AES_128_CBC_SHA256
3fA (key: none) DH_anon_WITH_AES_256_CBC_SHA256
3fA (key: none) DH_anon_WITH_CAMELLIA_256_CBC_SHA
3fA (key: none) DH_anon_WITH_SEED_CBC_SHA
3fA (key: none) DH_anon_WITH_AES_128_GCM_SHA256
3fA (key: none) DH_anon_WITH_AES_256_GCM_SHA384
3f- (key: EC) ECDHE_ECDSA_WITH_RC4_128_SHA
3f- (key: EC) ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
3f- (key: EC) ECDHE_ECDSA_WITH_AES_128_CBC_SHA
3f- (key: EC) ECDHE_ECDSA_WITH_AES_256_CBC_SHA
3fA (key: none) ECDH_anon_WITH_RC4_128_SHA
3fA (key: none) ECDH_anon_WITH_3DES_EDE_CBC_SHA
3fA (key: none) ECDH_anon_WITH_AES_128_CBC_SHA
3fA (key: none) ECDH_anon_WITH_AES_256_CBC_SHA
3f- (key: EC) ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
3f- (key: EC) ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
3f- (key: EC) ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
3f- (key: EC) ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
=========================================
+++++ SSLv3/TLS: 1 certificate chain(s)
+++ chain: length=2
names match: yes
includes root: yes
signature hash(es): SHA-256
+ certificate order: 0
thumprint: A702D507D256B9XXXXXXXXXX2B7B9373A5DB9095
serial: 3B
subject: CN=xen1.mydomain.com,OU=Custom,O=Custom
issuer: CN=Custom CA,OU=Custom,O=Custom
valid from: 2016-11-01 00:00:00 UTC
valid to: 2017-10-31 23:59:59 UTC
key type: EC
key size: 256
key curve: ansix9p256r1 (P-256)
sign hash: SHA-256
server names:
xen1.mydomain.com
+ certificate order: 1
thumprint: E4760726FD35DXXXXXXXXXX08A0BD93B156A864F
serial: 01
subject: CN=Custom CA,OU=Custom,O=Custom
issuer: CN=Custom CA,OU=Custom,O=Custom
valid from: 2014-11-01 00:00:00 UTC
valid to: 2024-10-31 23:59:59 UTC
key type: RSA
key size: 2048
sign hash: SHA-256
(self-issued)
=========================================
Server compression support: yes
Server time: 2016-11-04 16:25:08 UTC (offset: -267 ms)
Secure renegotiation support: yes
SSLv2 ClientHello format (for SSLv3+): no
Minimum DH size: 2048
DH parameter reuse: yes
Minimum EC size (no extension): 256
Minimum EC size (with extension): 256
ECDH parameter reuse: yes
Supported curves (size and name) ('*' = selected by server):
- 256 secp256r1 (P-256)
=========================================
WARN[CP001]: Server supports compression.
WARN[CS003]: Server supports weak cipher suites (56 bits).
WARN[CS005]: Server supports RC4.
(5) Final Ciphers list
----------------------
Modifying the configuration in /opt/xensource/libexec/xapissl to restrict the ciphers to ones with key:EC + AES + CBC gives,
GOOD_CIPHERS='ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384'
Retesting the configured ciphers gives,
C:\Users\Android\Downloads>TestSSLServer4.exe xen1.mydomain.com
Connection: xen1.mydomain.com:443
SNI: xen1.mydomain.com
TLSv1.2:
server selection: uses client preferences
3f- (key: EC) ECDHE_ECDSA_WITH_AES_128_CBC_SHA
3f- (key: EC) ECDHE_ECDSA_WITH_AES_256_CBC_SHA
3f- (key: EC) ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
3f- (key: EC) ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
=========================================
+++++ SSLv3/TLS: 1 certificate chain(s)
+++ chain: length=2
names match: yes
includes root: yes
signature hash(es): SHA-256
+ certificate order: 0
thumprint: A702D507D256B9XXXXXXXX232B7B9373A5DB9095
serial: 3B
subject: CN=xen1.mydomain.com,OU=Custom,O=Custom
issuer: CN=Custom CA,OU=Custom,O=Custom
valid from: 2016-11-01 00:00:00 UTC
valid to: 2017-10-31 23:59:59 UTC
key type: EC
key size: 256
key curve: ansix9p256r1 (P-256)
sign hash: SHA-256
server names:
xen1.mydomain.com
+ certificate order: 1
thumprint: E4760726FD35D502XXXXXXXXXX0BD93B156A864F
serial: 01
subject: CN=Custom CA,OU=Custom,O=Custom
issuer: CN=Custom CA,OU=Custom,O=Custom
valid from: 2014-11-01 00:00:00 UTC
valid to: 2024-10-31 23:59:59 UTC
key type: RSA
key size: 2048
sign hash: SHA-256
(self-issued)
=========================================
Server compression support: yes
Server time: 2016-11-04 16:34:58 UTC (offset: 23 ms)
Secure renegotiation support: yes
SSLv2 ClientHello format (for SSLv3+): no
Minimum EC size (no extension): 256
Minimum EC size (with extension): 256
ECDH parameter reuse: yes
Supported curves (size and name) ('*' = selected by server):
- 256 secp256r1 (P-256)
=========================================
WARN[CP001]: Server supports compression.
It is also necessary to modify /etc/xapi.conf:
ciphersuites-good-outbound = !EXPORT:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384
Testing against Firefox, it now connects.
My suggestion is just one possible way to facilitate TLS1.2 with Firefox, I'm sure there are better ways...
Please consider modifying the TLS1.2 configuration, if not for 7.0 then for project Ely.
Many thanks
Andrew Peek
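
Added example (not part of the original report, and not XenServer code): a small offline check that reproduces the negotiation outcome from the lists quoted above. It assumes the server honours client preference order, as the scans report; the OpenSSL-to-IANA name map covers only the suites named in the report, and "AES128-SHA256" is the OpenSSL name assumed for the single suite seen in scan (1).

```python
# OpenSSL cipher-string names -> IANA suite names (only those used in the report).
OPENSSL_TO_IANA = {
    "AES128-SHA256": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "ECDHE-ECDSA-AES128-SHA": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "ECDHE-ECDSA-AES256-SHA": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "ECDHE-ECDSA-AES128-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "ECDHE-ECDSA-AES256-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
}

# Firefox 49.0.2 suites in preference order, copied from section (2).
FIREFOX_49 = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

def cert_key_needed(suite):
    """Key type the server certificate must have for this suite ('EC', 'RSA' or None)."""
    key_exchange = suite[len("TLS_"):].split("_WITH_")[0]
    if key_exchange.endswith("ECDSA"):
        return "EC"
    if key_exchange.endswith("RSA"):  # RSA, DHE_RSA, ECDHE_RSA
        return "RSA"
    return None  # anonymous suites need no certificate

def overlap(server_cipher_string, cert_key, client_prefs=FIREFOX_49):
    """Suites both sides can use with this certificate, in client preference order."""
    names = [n for n in server_cipher_string.split(":") if not n.startswith("!")]
    server = {OPENSSL_TO_IANA[n] for n in names}  # KeyError on a name outside the map
    usable = {s for s in server if cert_key_needed(s) == cert_key}
    return [s for s in client_prefs if s in usable]

def negotiated(server_cipher_string, cert_key):
    """First common suite, or None (what Firefox reports as SSL_ERROR_NO_CYPHER_OVERLAP)."""
    common = overlap(server_cipher_string, cert_key)
    return common[0] if common else None
```

An empty result for a given cipher string and certificate key type is the condition that produces the error quoted at the top of the report.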