2

I've been trying to do a demo of the CRIME attack, which requires both a browser and server with SSL compression enabled. I've procured such a browser, and I've set up an nginx HTTPS server on localhost with options that I thought would enable compression (DEFLATE).

Here is my nginx.conf:

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    # victim's bank server - HTTPS
    server {
        listen       443 ssl;
        #listen       81; # used to observe GET requests
        server_name  www.thebank.com thebank.com;
        ssl_certificate path/to/bank.crt;
        ssl_certificate_key path/to/bank.key;
        ssl_protocols SSLv2 SSLv3 TLSv1; #TLSv1.1 TLSv1.2;

        gzip         on;
        #gzip_types   *;
        #gzip_min_length 0;
        #gzip_comp_level 9;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   path/to/bank;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }


    # evil server
    server {
        listen       80;
        server_name  evil.com www.evil.com;

        location / {
            root   path/to/evil;
            index  index.html index.htm;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

    }
# ...
    include servers/*;
}

(Disclaimer: I've never worked much with nginx so I apologize if this violates some conventions, I basically just copied the provided conf file and modified it as necessary. That's why there's a lot of extra comments.)

It's been hard to find information on enabling something insecure, but I thought the gzip on; line enabled SSL compression. Yet when I listen in on the loopback traffic with Wireshark, I see DEFLATE listed as a compression method in the client hello but only null in the server hello's compression methods.

I've been using an old version of nginx (1.1.6) and OpenSSL (0.9.8zb) in the hopes that this would work. Also tried nginx 1.0.6, but still no luck.

Can anyone help me out? I feel like I've tried everything.

Edit: Even with OpenSSL 0.9.7 and nginx 1.0.6 the Server Hello still shows no compression methods.

Edit: At @Steffen Ullrich's request, and to provide more detail on the compilations of OpenSSL and nginx, here is output from my latest attempt:

# install OpenSSL from source in /path/to/Downloads
wget https://www.openssl.org/source/old/0.9.x/openssl-0.9.8zb.tar.gz
tar xvf openssl-0.9.8zb.tar.gz
cd openssl-0.9.8zb
./config zlib
make
sudo make install

# check for zlib support
openssl version -a
# OpenSSL 0.9.8zb 6 Aug 2014
# built on: Fri Sep 27 01:59:42 EDT 2019
# platform: linux-x86_64
# options:  bn(64,64) md2(int) rc4(1x,char) des(idx,cisc,16,int) idea(int) blowfish(idx) 
# compiler: gcc -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM
# OPENSSLDIR: "/usr/local/ssl"

# install nginx 1.0.6 from source with custom OpenSSL source
wget http://nginx.org/download/nginx-1.0.6.tar.gz
tar xvfz nginx-1.0.6.tar.gz
cd nginx-1.0.6
./configure --with-http_ssl_module --without-http_rewrite_module --with-openssl=/path/to/Downloads/openssl-0.9.8zb
sudo make
sudo make install

# check for zlib support
openssl version -a
# OpenSSL 0.9.8zb 6 Aug 2014
# built on: Fri Sep 27 02:57:12 EDT 2019
# platform: linux-x86_64
# options:  bn(64,64) md2(int) rc4(1x,char) des(idx,cisc,16,int) idea(int) blowfish(idx) 
# compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM
# OPENSSLDIR: "/path/to/Downloads/openssl-0.9.8zb/.openssl/ssl"
nglaeser
  • 21
  • 4
  • I suppose you need OpenSSL in an even lower version, [as the nginx web-server was not vulnerable to CRIME since 1.0.9/1.1.6 (October/November 2011) using OpenSSL 1.0.0+, and since 1.2.2/1.3.2 (June / July 2012) using all versions of OpenSSL.](https://en.wikipedia.org/wiki/CRIME#cite_note-10). Other than that, I think using `gzip on` should be enough. – Lenniey Sep 26 '19 at 15:40
  • I also tried using nginx 1.0.6, shouldn't that have worked? – nglaeser Sep 26 '19 at 15:51
  • @Lenniey: *"Other than that, I think using gzip on should be enough."* - CRIME is about TLS level compression, not HTTP level compression (that would be the BREACH attack instead). There is no gzip for TLS level compression. – Steffen Ullrich Sep 26 '19 at 15:51
  • Okay, that's what I wasn't sure about. I *am* trying to enable TLS-level compression, but I don't know what the command is for that. (I was under the impression, however, that TLS-level compression is also gzip.) – nglaeser Sep 26 '19 at 15:55
  • @N.G.: There is no command in nginx to enable TLS level compression. You have to use a version of OpenSSL old enough so that it has TLS compression enabled by default. – Steffen Ullrich Sep 26 '19 at 16:01

1 Answers1

0

According to this information you need an old nginx and and old OpenSSL - much older than the one you've used:

The CRIME attack uses SSL Compression to do its magic. SSL compression is turned off by default in nginx 1.1.6+/1.0.9+ (if OpenSSL 1.0.0+ used) and nginx 1.3.2+/1.2.2+ (if older versions of OpenSSL are used).

Thus, using nginx 1.1.5 or nginx 1.0.8 should work but only if you also use OpenSSL 0.9.8. Newer versions of OpenSSL has TLS compression disabled by default. Note that there is no support for TLS 1.1 or TLS 1.2 with this old version of OpenSSL.

Steffen Ullrich
  • 12,227
  • 24
  • 37
  • Still doesn't work, even with all of the following combinations: nginx 1.0.6 and OpenSSL 0.9.8zh, nginx 1.1.6 and OpenSSL 0.9.8zh, nginx 1.0.6 and OpenSSL 0.9.7. – nglaeser Sep 26 '19 at 22:20
  • @nglaeser: could you please provide the output of `openssl version -a` and `ldd openssl` for this openssl version to make sure that there is actually support for compression (which requires zlib) is built in? – Steffen Ullrich Sep 27 '19 at 04:24
  • OpenSSL, when initially installed, does have the compression support, but once nginx is configured and installed from source, OpenSSL has different flags (I assume it is recompiled from source by nginx without zlib compression): https://pastebin.com/AnN7VQaj. So: (1) Is it possible to tell nginx where to find the installation without using the `--with-openssl=...` `./configure` option, which recompiles OpenSSL in this undesirable way? (2) Alternatively, can I pass something to nginx `./configure` that specifies OpenSSL should be compiled with zlib? Thank you very much! – nglaeser Sep 27 '19 at 07:32
  • @nglaeser: try `-with-ld-opt="-L $YOURSSL/lib -lssl -lcrypto -lz ...` and don't use `--with-openssl`. See also https://marcelog.github.io/articles/nginx_compile_with_external_openssl.html – Steffen Ullrich Sep 27 '19 at 07:38
  • you mean like this? `sudo ./configure --with-http_ssl_module --without-http_rewrite_module --with-ld-opt="-L /usr/local/ssl/lib -lssl -lcrypto -lz"`? That still returns `error: SSL modules require the OpenSSL library.` :( – nglaeser Sep 27 '19 at 18:38
  • Update: `sudo ./configure --with-http_ssl_module --without-http_rewrite_module --with-ld-opt="-L /home/noemi/Downloads/openssl-0.9.8zb -lssl -lcrypto -lz -ldl -static-libgcc"` worked, and `openssl version -a` still has the `-DZLIB` flag. But the Server Hello packet still advertises no compression methods. – nglaeser Sep 27 '19 at 18:56
  • @nglaeser: and ldd on the nginx binary shows that it is linked against this openssl and against zlib? – Steffen Ullrich Sep 27 '19 at 19:23
  • Ah, seems not... https://pastebin.com/wW7WLGL1 – nglaeser Sep 27 '19 at 20:46
  • @nglaeser: you might need to explicitly add the library path using `-rpath` option in the ld opt so that it looks for the library in the right place. Or you might try to set LD_LIBRARY_PATH accordingly before starting nginx – Steffen Ullrich Sep 27 '19 at 20:57
  • `sudo ./configure --with-http_ssl_module --without-http_rewrite_module --with-ld-opt="-L /path/to/Downloads/openssl-0.9.8zb -Wl,-rpath,/path/to/Downloads/openssl-0.9.8zb -lssl -lcrypto -lz -ldl -static-libgcc"` has no effecd on the output of `ldd`, contrary to what I see here: https://forum.nginx.org/read.php?2,275441,275447#msg-275447. Same with running `export LD_LIBRARY_PATH="/path/to/Downloads/openssl-0.9.8zb"` before `make` and `make install` of nginx. – nglaeser Sep 27 '19 at 22:00