Opened 5 years ago

Closed 5 years ago

#3629 closed defect (fixed)

cxconference server enables weak TLS ciphers

Reported by: Tom Goddard Owned by: Greg Couch
Priority: moderate Milestone:
Component: Web Services Version:
Keywords: Cc: Tom Goddard, Conrad Huang, Scooter Morris
Blocked By: Blocking:
Notify when closed: Platform: all
Project: ChimeraX

Description

The RBVI cxconference server (cxconference.rbvi.ucsf.edu:443) allows weak RC4 and 3DES ciphers that UCSF IT scanned and will not allow on the UCSF network. The server code bundles/meeting/src/mux.py should be changed to only allow strong ciphers.

I have attached the UCSF IT scan output that details the problem ciphers.

Attachments (2)

169.230.27.25.csv (12.0 KB ) - added by Tom Goddard 5 years ago.
UCSF IT scan results for cxconference.rbvi.ucsf.edu:443
mux_testssl.out (11.2 KB ) - added by Tom Goddard 5 years ago.
Server scan results after fix, using testssl.sh


Change History (14)

by Tom Goddard, 5 years ago

Attachment: 169.230.27.25.csv added

UCSF IT scan results for cxconference.rbvi.ucsf.edu:443

comment:1 by Tom Goddard, 5 years ago

I changed the cxconference server source code mux.py to only allow HIGH ciphers. I tested the server on plato scanning it with testssl.sh to confirm that the weak RC4 and 3DES ciphers are no longer offered. Test results are attached for reference.

by Tom Goddard, 5 years ago

Attachment: mux_testssl.out added

Server scan results after fix, using testssl.sh

comment:2 by Tom Goddard, 5 years ago

Owner: changed from Tom Goddard to Scooter Morris

Scooter will have to update /usr/local/bin/cxconference on plato.cgl.ucsf.edu which is a copy of mux.py and restart the server.

https://www.rbvi.ucsf.edu/trac/ChimeraX/browser/src/bundles/meeting/src/mux.py

Greg will need to replace the self-signed certificate used by cxconference with a certificate from UCSF IT. The current self-signed certificate is on plato in /usr/local/etc/cxconference.pem. I do not have read permission on that file, but see that it is different in size from the source code meeting/src/server.pem file.

comment:3 by Greg Couch, 5 years ago

Scooter will have to replace the cxconference.pem file too. Since there is only one pem file, it has the private key as well as the certificate chain. I would prefer that it were at least two files: one with the private key and one with the certificate chain -- they're created that way, and it's easier to check the expiration date of a publicly readable certificate file.

comment:4 by Tom Goddard, 5 years ago

I now see that the ChimeraX meeting bundle has two copies of the server-side code, one in bundles/meeting/src/mux.py that I fixed to use strong ciphers and another in bundles/meeting/server-side/cxconf-plato which is older from Feb 20. Both are under Git. I don't know why there are two copies. The mux.py includes several small improvements since Feb 2020 as shown in this diff

$ diff cxconf-plato ../src/mux.py 
53c53,57
<         _ctx_hub = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
---
> #        _ctx_hub = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
>         _ctx_hub = ssl.create_default_context()
>         _ctx_hub.options |= (ssl.OP_NO_TLSv1|ssl.OP_NO_TLSv1_1)
>         _ctx_hub.set_ciphers('HIGH:!aNULL:!eNULL')	# Avoid weak ciphers, ticket #
> #        _ctx_hub.check_hostname = False
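Review bot: `ssl.create_default_context()` on the new side of this hunk is called with no purpose argument, so it builds the client-side profile (`Purpose.SERVER_AUTH`); for the hub's listening socket it should be `ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)`, which matches the adjustment comment 8 reports having to make before the tests and `openssl s_client` connections worked. Two smaller points: the trailing comment `# Avoid weak ciphers, ticket #` is missing its ticket number (presumably this ticket, #3629), and the two commented-out lines (`#        _ctx_hub = ssl.SSLContext(...)` and `#        _ctx_hub.check_hostname = False`) are dead code that would be cleaner deleted than kept under Git.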
185c189
<             except:
---
>             except Exception:
189,191c193,195
<                 if s.startswith("get") or s.startswith("post"):
<                     self._send(b"HTTP/2.0 418 I'm a teapot\n\n")
<                     self.close()
---
>                 if (s.startswith("get") or s.startswith("post") or
>                     s.startswith("head") or s.startswith("put")):
>                     self._send_http_error()
207a212,219
>     def _send_http_error(self):
>         self._send(b"HTTP/1.1 418 I'm a teapot\r\n")
>         self._send(b"Content-Type: text/plain; charset=utf-8\r\n")
>         self._send(b"Connection: close\r\n")
>         self._send(b"\r\n")
>         self._send(b"I'm a teapot\r\n")
>         self.close()
> 
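Review bot: `_send_http_error` in this hunk sends a body without a `Content-Length` header, which is only well-formed because `Connection: close` is sent and `self.close()` follows immediately, so the close delimits the body. Adding `Content-Length: 14` (the length of `I'm a teapot\r\n`) alongside the `Content-Type` line makes the response self-describing and lets clients that do not honour the close framing still parse it. Switching the status line from the old `HTTP/2.0` text to `HTTP/1.1` with CRLF line endings is the right call, since HTTP/2 is a binary framing and the old reply was never a valid HTTP/2 response.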
226c238
<             except:
---
>             except Exception:
393c405
<             except:
---
>             except Exception:
536c548
<             except:
---
>             except Exception:
582c594
<             except:
---
>             except Exception:
678c690
<             except:
---
>             except Exception:
$


comment:5 by Tom Goddard, 5 years ago

Cc: Tom Goddard added; Greg Couch removed
Owner: changed from Scooter Morris to Greg Couch

Greg will update cxconference server with help from Scooter, discussed at today's group meeting. Fixed TLS cipher code is in meeting/src/mux.py but there is a duplicate copy under git in meeting/server-side/cxconf-plato that is not updated. I don't know why there is a copy of the same code under git, probably should git rm one.

comment:6 by Greg Couch, 5 years ago

Have you found where the source for /usr/local/bin/cxconference lives?

comment:7 by Tom Goddard, 5 years ago

The mux.py and cxconf-plato files in bundles/meeting mentioned in comment 5 are bin/cxconference. They differed by several lines, mux.py being newer. I updated mux.py. I don't know what Conrad had in mind having two copies of the same file under git.

comment:8 by Greg Couch, 5 years ago

I don't see the meeting/server-side/cxconf-plato directory in git.

I had to modify src/mux.py and set the purpose of the SSL context to get the tests to work and for connections with "openssl s_client" to work.
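The server-side context the diff in comment 4 and comment 8 describe, with the purpose set for a server and a self-check of the offered cipher list that mirrors what the attached testssl.sh scan looked for, as an added Python example that is not part of mux.py or the ticket. The function names (`make_hub_context`, `is_weak_name`, `weak_ciphers`, `audit`) and the `WEAK_MARKERS` list are illustrative; the certificate arguments are optional so it runs without plato's PEM file.

```python
import ssl

# Name fragments of the cipher families UCSF IT flagged (RC4, 3DES) plus the
# anonymous/null/export families the cipher string below also rules out.
# Illustrative list, not from mux.py.
WEAK_MARKERS = ("RC4", "DES-CBC3", "3DES", "NULL", "EXP-")


def make_hub_context(certfile=None, keyfile=None):
    """Server-side context in the spirit of the mux.py fix (illustrative).

    Purpose.CLIENT_AUTH selects the profile for a *server* that clients
    connect to; the no-argument default is the client-side profile, which
    is the purpose comment 8 had to set by hand.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    # Modern equivalent of the diff's OP_NO_TLSv1 | OP_NO_TLSv1_1 options.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # The diff's cipher string: strong ciphers, no anonymous or null ones.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL")
    if certfile:  # e.g. the cxconference.pem on plato; optional here
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def is_weak_name(cipher_name):
    """True if an OpenSSL cipher name belongs to one of the flagged families."""
    name = cipher_name.upper()
    return any(marker in name for marker in WEAK_MARKERS)


def offered_ciphers(ctx):
    """Cipher names the context would offer, TLS 1.3 suites included."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(ctx):
    """Subset of the offered ciphers a scanner such as testssl.sh would flag."""
    return [n for n in offered_ciphers(ctx) if is_weak_name(n)]


def audit(ctx):
    """Summary comparable to the attached scan output: version floor and ciphers."""
    return {
        "min_version": ctx.minimum_version.name,
        "offered": len(offered_ciphers(ctx)),
        "weak": weak_ciphers(ctx),
    }


if __name__ == "__main__":
    print(audit(make_hub_context()))
```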

in reply to:  11 comment:9 by goddard@…, 5 years ago

I see cxconf-plato is not in git. Probably I just copied it from plato 8 months ago and forgot.

comment:10 by Greg Couch, 5 years ago

Resolution: fixed
Status: assigned → closed

Fixed.

Scooter installed src/mux.py as /usr/local/bin/cxconference on all of the plato nodes (since /usr/local/bin is not shared). And he restarted the cluster service. I confirmed, with openssl s_client, that the older protocols are not supported. And that the certificate is valid through "Feb 19 23:59:59 2022 GMT".

comment:11 by Greg Couch, 5 years ago

Resolution: fixed
Status: closed → reopened

Actually, there is one more thing that needs to be done. The certificate chain includes expired certificates.

comment:12 by Greg Couch, 5 years ago

Resolution: fixed
Status: reopened → closed

Removed AddTrust External CA Root cross-signing certificate for ancient browsers and updated USERTrust RSA Certification Authority to one that doesn't expire until January 2038.

Scooter bounced the cxconference service, so now it's fixed.
