New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

TLS ciphers for inputs should probably be configurable #2051

Closed
mikkolehtisalo opened this Issue Apr 11, 2016 · 2 comments

Comments

Projects
None yet
2 participants
@mikkolehtisalo
Contributor

mikkolehtisalo commented Apr 11, 2016

(3)DES and SHA-1 based algorithms seem to be enabled by default for TLS inputs.

# ./cipherscan graylog.local:12205
.............
prio  ciphersuite                  protocols              pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,B-571,570bits
2     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,B-571,570bits
3     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,B-571,570bits
4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,1024bits
5     DHE-RSA-AES128-SHA256        TLSv1.2                DH,1024bits
6     DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
7     AES128-GCM-SHA256            TLSv1.2                None
8     AES128-SHA256                TLSv1.2                None
9     AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None
10    ECDHE-RSA-DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2  ECDH,B-571,570bits
11    EDH-RSA-DES-CBC3-SHA         TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
12    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2  None

Probably should provide configuration option for the enabled ciphers. Some may want to follow the recommendations of for example suite b, PCI-DSS, or similar.

Also, the lack of AES256 by default is interesting. Caused by lack of Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files, when not using OpenJDK.

It is not probably the best idea to change the defaults though, because there are so many clients out there, and some may lack in algorithm support.

@kroepke kroepke added this to the 2.1.0 milestone Apr 18, 2016

@mikkolehtisalo

This comment has been minimized.

Contributor

mikkolehtisalo commented Jun 1, 2016

Couple alternatives:

  • at AbstractTcpTransport with SSLEngine.setEnabledCipherSuites() and SSLEngine.setEnabledProtocols().
  • by modifying jdk.tls.disabledAlgorithms and jdk.tls.legacyAlgorithms from the policy files. This would require just documentation with an example. The idea would be to disable everything but the desired algorithms.

And a question:

  • Should the ciphers and protocols be configurable per input?
@mikkolehtisalo

This comment has been minimized.

Contributor

mikkolehtisalo commented Jun 8, 2016

Imho good enough!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment