Avoid usage of legacy algorithms on libssl-3.0+ #53

Merged
merged 3 commits into from
Jun 6, 2024


larskanis
Contributor

Single DES and MD4 are considered legacy algorithms in OpenSSL/libssl-3.0. They can be enabled by adjusting the openssl configuration file or by using the new provider concept of OpenSSL-3. Editing the configuration must be done by each user of rubyntlm, which is very inconvenient. The provider API is not yet supported by the ruby binding to OpenSSL.

So it's better to avoid the legacy algorithms altogether.

The single DES algorithm can easily be implemented by a two key 3-DES run.
The md4 implementation is taken from here:
https://gist.github.com/tprynn/5419da1a2ad8935c1fff
And the rc4 implementation is taken from here and modified:
https://github.com/caiges/Ruby-RC4/blob/082fce56ab707dc77442709357cf176f7b3b6f22/lib/rc4.rb

Fixes #49
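
The two-key 3-DES approach described above, as an added Ruby example that is not code from this pull request or from rubyntlm. The function and constant names are hypothetical, and the key/plaintext pair is the widely published DES worked-example vector.

```ruby
require "openssl"

# Constructed sample input: the widely published DES worked-example vector.
SAMPLE_KEY   = ["133457799BBCDFF1"].pack("H*")
SAMPLE_PLAIN = ["0123456789ABCDEF"].pack("H*")

# True if the runtime still offers single DES directly. On libssl-3.0+ with
# only the default provider loaded this is expected to be false.
def legacy_single_des_available?
  cipher = OpenSSL::Cipher.new("des-ecb").encrypt
  cipher.key = SAMPLE_KEY
  true
rescue StandardError
  false
end

# Single DES over whole 8-byte blocks using two-key 3DES (EDE) in ECB mode.
# EDE computes E_k1(D_k2(E_k1(x))); with k1 == k2 the middle decryption undoes
# the first encryption, so the result is plain E_k(x).
def single_des_via_ede(key8, data, decrypt: false)
  raise ArgumentError, "key must be 8 bytes" unless key8.bytesize == 8
  if data.empty? || data.bytesize % 8 != 0
    raise ArgumentError, "data must be a non-empty multiple of 8 bytes"
  end

  cipher = OpenSSL::Cipher.new("des-ede") # two-key 3DES, not a legacy cipher
  decrypt ? cipher.decrypt : cipher.encrypt
  cipher.padding = 0                      # raw block operation, no PKCS#7
  cipher.key = key8 + key8                # k1 == k2 collapses EDE to one DES
  cipher.update(data) + cipher.final
end

if __FILE__ == $PROGRAM_NAME
  ct = single_des_via_ede(SAMPLE_KEY, SAMPLE_PLAIN)
  puts "legacy des-ecb available: #{legacy_single_des_available?}"
  puts "ciphertext: #{ct.unpack1('H*')}"
  puts "round trip ok: #{single_des_via_ede(SAMPLE_KEY, ct, decrypt: true) == SAMPLE_PLAIN}"
end
```

The output is still single DES with a 56-bit key; the construction only changes which OpenSSL cipher is requested.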

Single DES and MD4 are considered legacy algorithms in OpenSSL/libssl-3.0.
They can be enabled by adjusting the openssl configuration file or by using the new provider concept of OpenSSL-3.
Editing the configuration must be done by each use of rubyntlm, which is very inconvenient.
The provider API is not yet supported by the ruby binding to OpenSSL.

So it's better to avoid the legacy algorithms altogether.
The single DES algorithm can easily be implemented by a two key 3-DES run.
The md4 implementation is taken from here:
  https://gist.github.com/tprynn/5419da1a2ad8935c1fff
And the rc4 implementation is taken from here and modified:
  https://github.com/caiges/Ruby-RC4/blob/082fce56ab707dc77442709357cf176f7b3b6f22/lib/rc4.rb

Fixes WinRb#49
... which is the default on ubuntu-22.04.
OpenSSL-3.0 has some limitations regarding outdated algorithms.
@larskanis
Contributor Author

A CI run on Ubuntu-22.04 without this patch fails like so: https://github.com/larskanis/rubyntlm/runs/7068752401?check_suite_focus=true
With this patch all is green: https://github.com/larskanis/rubyntlm/actions/runs/2567751689

adfoster-r7 added a commit to adfoster-r7/rubyntlm that referenced this pull request Jul 20, 2022
@larskanis
Contributor Author

@mwrock Gentle ping... Any chance to get this into a new release?

@larskanis
Contributor Author

Background is that I maintain https://github.com/larskanis/pg-ldap-sync/ which can use NTLM authentication through the rubyntlm gem. And pg-ldap-sync is used by people with no Ruby knowledge at all, so they just use apt install ruby and gem install and run the command. It is therefore not suitable to make use of a Gemfile and bundler for them to overcome compatibility issues with modern OpenSSL.

@donoghuc

donoghuc commented Mar 2, 2023

Thanks for this patch. Do you know if there is a way to force the client to always use NTLM v2 (which I think would at least stop using the MD4 algorithm?) I looked a bit but I don't see anything obvious.

@larskanis
Contributor Author

@donoghuc Sorry no, I don't know much about the NTLM internals.

@donoghuc

donoghuc commented Mar 3, 2023

Thanks, I will let you know what solution we (over at puppet puppetlabs/bolt#3191) come up with. Cheers.

@eglitobias

We also have exactly the same issue. It would be very nice if we can find a solution here soon.

@igoshevski

+1

@pcai pcai merged commit bf52040 into WinRb:master Jun 6, 2024
12 checks passed
@pcai
Contributor

pcai commented Jun 6, 2024

thank you!

Successfully merging this pull request may close these issues.

Ciphers unsupported by default provider in OpenSSL 3