LuaSSL : Securing Lua Connections

Securing Lua Connections

home · download · quickstart · references · index

Class Functions

ssl.wrap(key, certificate [, certdir, dhfile, cipherlist, verify_options, options])

This is the most important function for the SSL context to be created with the user preferences. Several default values are already configured so that it's not really needed to know much about each of these options to get your connection secure and running. Although it is highly recommended that you know what your doing.

key : The Private Key file in PEM format for the Application (or the person)

certificate : The Certificate Chain file in PEM format starting with the Certificate for the application and ending with the rootCA certificate. The file may contain more than one certificate.

certidir : The name of a directory containing CA certificates. Each file in the directory must contain only a single CA certificate, and the files must be named by the subject's name hash and an extension of ".0".

dhfile : The file with the Diffie Hellman parameters for ephemeral keying to be used. Ephemeral keying is explained here.

cipherlist : list of ciphers to be used or not to be used in the connections. The patterns for this list are described here. Default: "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH".

verify_options : The sum of all options you want to set up for your peer verification procedure. The verify options are listed here. Default: SSL_VERIFY_PEER.

options : The sum of all general options you want to set up for your SSL context. The options are listed here. Default: SSL_OP_ALL + SSL_OP_NO_SSLv2

This function returns a ssl object s, which is the object you'll use for all your ssl operations described in the next section

SSL Object Methods

s:accept( )

Waits for an SSL client to attempt connection. It is responsible for the first negotiations with the SSL client. They negotiate which authentication method to use, which cipher and exchange public keys/certificates to proove the authencity of both sides. If Ephemeral keying with Diffie Hellman algorithm is enabled with SSL_OP_SINGLE_DH_USE, all this negotiation is done using ephemeral keying.

s:bind(port)

binds the s to the specified port on the local host. Pay attention to the fact that only SSL servers can be bound to a socket, so do not use this function for connecting.

s:clear( )

Safely closes a broken connection. Broken means that the peer has disconnected without negotiating a shutdown.

s:connect(address, port [, exp_conn] )

Make an attempt to connect to (address, port). Address can be an IP address or a host name. It also performs all the negotiations needed by the SSL connection, and authenticates both the client and the server, exchanging keys and certificates. If Ephemeral keying with Diffie Hellman algorithm is enabled with SSL_OP_SINGLE_DH_USE, all this negotiation is done using ephemeral keying.

The optional parameter exp_conn stands for a post connection verification routine in which you will check the certificate sent by the peer, first of all, if it was really sent (i.e. this only makes sense if you are NOT using SSL_FAIL_IF_NO_PEER_CERTIFICATE). It also checks if the name recorded in the certificate is the same as exp_conn, which means "the peer you were expecting".

s:read( )

The function returns the decoded buffer read from the connection socket. In case of error it returns nil and the error code, which can be 0 for a "connection terminated" or < 0 for any problem that might have occurred.

s:renegotiate( )

SSL renegotiation is essentially an SSL handshake during a connection. This causes client credentials to be reevaluated and a new session to be created. It doesnt check *yet* if the handshake has been succesfully done since it depends on timeout.

s:shutdown( )

Shuts the SSL connection stablished by s down. The shutdown handshake and negotiations are performed by both server and the client, and the local address to which s was bound is made available to other applications. No further operations (except for further calls to close) are allowed on a closed object.

Note: It is important to shutdown all used objects once they are not needed, since, in many systems, each socket uses a file descriptor, which are a limited system resource.

s:write(string)

Writes the string encripted through the socket. The function returns an error code, which is nil in case of success, Or anything less than 0 if any error have occurred.

Attributes

The attributes of LuaSSL are exactly the same of the constants exported by OpenSSL. If you are already familiar with OpenSSL, you can just adapt to Lua way of summing them up.

In OpenSSL one could make the choice of having the peer verified and to fail no certificate were issued by the other part with the following sentence:

    SSL_VERIFY_PEER | SSL_FAIL_IF_NO_PEER_CERT

As in lua these constants became numbers, this summing becomes intuitively:

    ssl.VERIFY_PEER + ssl.FAIL_IF_NO_PEER_CERT

There are two groups of constants which may be added together, they are listed below:

Verify Options:

Default: ssl.VERIFY_PEER
- ssl.VERIFY_NONE
  
  No request for a certificate is sent. Any certificate received will be verified but will not terminate the handshake in a failure.
- ssl.VERIFY_PEER
  
  A request for a certificate will be made but this request may be ignored. If a certificate is sent back it will be verified. If the verification fails, the handshake is terminated immediately.
- ssl.VERIFY_FAIL_IF_NO_PEER_CERT
  
  If SSL_VERIFY_PEER is not set, this flag is ignored. Use of this flag will cause the handshake to terminate immediately if no certificate is provided by the peer.
- ssl.VERIFY_CLIENT_ONCE
  
  If SSL_VERIFY_PEER is not set, this flag is ignored. Use of this flag will prevent the server from requesting a certificate from the client in the case of a renegotiation. A certificate will still be requested during the initial handshake.
General Options:

These options change the behavior of the SSL context. Their main goal is to fix some bugs related to previous versions so they still compatible with the current one. ssl.OP_ALL turns on all the bugs workarounds for compatibility issues, meaning that no bugs (from the listed ones) related to older versions will affect the connection. ssl.OP_NO_SSLv2 as it implies, do not allow connections with version 2 of the secure socket layer for it is insecure to do that since SSLv2 has major bugs, fixed by SSLv3 and TLS. The default will do for almost all cases.

Default: ssl.OP_ALL + ssl.OP_NO_SSLv2
- ssl.OP_MICROSOFT_SESS_ID_BUG
  www.microsoft.com - when talking SSLv2, if session-id reuse is performed, the session-id passed back in the server-finished message is different from the one decided upon.
- ssl.OP_NETSCAPE_CHALLENGE_BUG
  Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte challenge but then appears to only use 16 bytes when generating the encryption keys. Using 16 bytes is ok but it should be ok to use 32. According to the SSLv3 spec, one should use 32 bytes for the challenge when operating in SSLv2/v3 compatibility mode, but as mentioned above, this breaks this server so 16 bytes is the way to go.
- ssl.OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
  ssl3.netscape.com:443, first a connection is established with RC4-MD5. If it is then resumed, we end up using DES-CBC3-SHA. It should be RC4-MD5 according to 7.6.1.3, 'cipher_suite'.
  
  Netscape-Enterprise/2.01 (https://merchant.netscape.com) has this bug. It only really shows up when connecting via SSLv2/v3 then reconnecting via SSLv3. The cipher list changes....
  
  NEW INFORMATION. Try connecting with a cipher list of just DES-CBC-SHA:RC4-MD5. For some weird reason, each new connection uses RC4-MD5, but a re-connect tries to use DES-CBC-SHA. So netscape, when doing a re-connect, always takes the first cipher in the cipher list.
- ssl.OP_SSLREF2_REUSE_CERT_TYPE_BUG
- ssl.OP_MICROSOFT_BIG_SSLV3_BUFFER
- ssl.OP_MSIE_SSLV2_RSA_PADDING
- ssl.OP_SSLEAY_080_CLIENT_DH_BUG
- ssl.OP_TLS_D5_BUG
- ssl.OP_TLS_BLOCK_PADDING_BUG
- ssl.OP_DONT_INSERT_EMPTY_FRAGMENTS
  Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers, which cannot be handled by some broken SSL implementations. This option has no effect for connections using other ciphers.
- ssl.OP_ALL
  All of the above bug workarounds.
  
  It is usually safe to use SSL_OP_ALL to enable the bug workaround options if compatibility with somewhat broken implementations is desired.
  
  The following modifying options are available:
- ssl.OP_TLS_ROLLBACK_BUG
  Disable version rollback attack detection.
  
  During the client key exchange, the client must send the same information about acceptable SSL/TLS protocol levels as during the first hello. Some clients violate this rule by adapting to the server's answer. (Example: the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server only understands up to SSLv3. In this case the client must still use the same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect to the server's answer and violate the version rollback protection.)
- ssl.OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
  When performing renegotiation as a server, always start a new session (i.e., session resumption requests are only accepted in the initial handshake). This option is not needed for clients.
- ssl.OP_SINGLE_DH_USE
  Always create a new key when using temporary/ephemeral DH parameters. This option must be used to prevent small subgroup attacks, when the DH parameters were not generated using ``strong'' primes (e.g. when using DSA-parameters). If ``strong'' primes were used, it is not strictly necessary to generate a new DH key during each handshake but it is also recommended. SSL_OP_SINGLE_DH_USE should therefore be enabled whenever temporary/ephemeral DH parameters are used.
- ssl.OP_EPHEMERAL_RSA
  Always use ephemeral (temporary) RSA key when doing RSA operations According to the specifications this is only done, when a RSA key can only be used for signature operations (namely under export ciphers with restricted RSA keylength). By setting this option, ephemeral RSA keys are always used. This option breaks compatibility with the SSL/TLS specifications and may lead to interoperability problems with clients and should therefore never be used. Ciphers with EDH (ephemeral Diffie-Hellman) key exchange should be used instead.
- ssl.OP_CIPHER_SERVER_PREFERENCE
  When choosing a cipher, use the server's preferences instead of the client preferences. When not set, the SSL server will always follow the clients preferences. When set, the SSLv3/TLSv1 server will choose following its own preferences. Because of the different protocol, for SSLv2 the server will send his list of preferences to the client and the client chooses.
- ssl.OP_NO_SSLv2
  Do not use the SSLv2 protocol.
- ssl.OP_NO_SSLv3
  Do not use the SSLv3 protocol.
- ssl.OP_NO_TLSv1
  Do not use the TLSv1 protocol.
- ssl.OP_PKCS1_CHECK_1
- ssl.OP_PKCS1_CHECK_2
- ssl.OP_NETSCAPE_CA_DN_BUG
  If we accept a netscape connection, demand a client cert, have a non-self-signed CA which does not have its CA in netscape, and the browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta
- ssl.OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG

Cipher Listing

The list of ciphers to be used by the application may be optionally determined in Lua. Since the default cipher list is both careful and complete, you may never need to specify a cipher list yourself, but if your are working with some specificity, you'll have to tell the SSL context which ciphers to use.

For instance "ALL" is a shortcut for every available combination. Additionally, we can precede a keyword with the "!" operator to remove all ciphers associated with the keyword. Using this we will create a string to define our custom cipher list. There are other operators such as "+" or "-", but they are not essential for specifying a secure list. For applications that need a custom definition, the ciphers manpage of the OpenSSL is a good reference on string formation.

A brief description of the keywords follows here:

DEFAULT: the default cipher list is "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH".

ALL: all ciphers suites except the eNULL ciphers which must be explicitly enabled.

HIGH: "high" encryption cipher suites. This currently means those with key lengths larger than 128 bits.

MEDIUM: "medium" encryption cipher suites, currently those using 128 bit encryption.

LOW: "low" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms but excluding export cipher suites.

EXP, EXPORT: export encryption algorithms. Including 40 and 56 bits algorithms.

EXPORT40: 40 bit export encryption algorithms

EXPORT56: 56 bit export encryption algorithms.

eNULL, NULL: the "NULL" ciphers that is those offering no encryption. Because these offer no encryption at all and are a security risk they are disabled unless explicitly included.

aNULL: the cipher suites offering no authentication. This is currently the anonymous DH algorithms. These cipher suites are vulnerable to a "man in the middle" attack and so their use is normally discouraged.

kRSA, RSA: cipher suites using RSA key exchange.

kEDH: cipher suites using ephemeral DH key agreement.

kDHr, kDHd: cipher suites using DH key agreement and DH certificates signed by CAs with RSA and DSS keys respectively. Not implemented.

aRSA: cipher suites using RSA authentication, i.e. the certificates carry RSA keys.

aDSS, DSS: cipher suites using DSS authentication, i.e. the certificates carry DSS keys.

TLSv1, SSLv3, SSLv2: TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively.

DH: cipher suites using DH, including anonymous DH.

ADH: anonymous DH cipher suites.

AES: cipher suites using AES.

3DES: cipher suites using triple DES.

DES: cipher suites using DES (not triple DES).

RC4: cipher suites using RC4.

RC2: cipher suites using RC2.

IDEA: cipher suites using IDEA.

MD5: cipher suites using MD5.

SHA1, SHA: cipher suites using SHA1.

Ephemeral Keying

As usually in SSL connections we shall use the RSA algorithm as it has the capabilities of doing most signing and encrypting. SSL can use it to perform the key agreement necessary to create the shared key under which the data in the stream is encrypted. This technique, such as when the key exchange is conducted through a persistent key is called static keying. Building on this definition, ephemeral keying is defined as key exchange through a temporary key. At first, it may seem that temporary keys may not allow for proper authentication -- not true. Generaly, with ephemeral keying, the authentication is accomplished through signature verification with persistent keys, and the temporary keys are used only for key agreement. There are two main advantages of ephemeral keying over static keying from a security perspective.

Consider the case the certificates are based upon DSA keys. The DSA algorithm provides a mechanism for signing but not for encrypting. Thus, having only DSA keys on either side of an SSL connection leaves the protocol unable to perform key exchange. It follows that static keying is not even an option for DSA-based certificates; we must supplement them with ephemeral keys.

The second advantage is that they provide forward secrecy. At a high level , forward secrecy means that if the private key is obtained by a third party, that third party will not be able to decode previous sessions conducted with that key or even future sessions conducted by someone else with the compromised key.

These two points make the benefits of using ephemeral keying clear. In terms of SSL, using ephemeral keys essentially mandates that the keys embedded in the certificates shall be used only for signatures and not for encryption. There are two methods for key exchange in OpenSSL: temporary RSA keys or Diffie-Hellman (DH) key agreement. Of these two choices, DH is better because temporary RSA keys violate the SSL/TLS protocols. The RSA keying was originally implemented to make sure export restrictions on cryptography were not violated. Today this issue is not a primary concert; thus, ephemeral RSA keys tend not to be used. Additionally, generation of these temporary RSA keys is much slower than using DH, presuming the DH parameters are pre-generated.