update infrastructure deployment to solve: Insecure ciphers are accepted by https://leastauthority.com #92

Closed
daira opened this Issue Aug 15, 2013 · 55 comments

9 participants
Contributor

daira commented Aug 15, 2013

The default cipher list allows single-DES.

@ghost ghost assigned daira Aug 15, 2013


Contributor

daira commented Aug 15, 2013

I can modify the list (see the https://github.com/LeastAuthority/leastauthority.com/commits/92-improve-cipher-list branch), but I'm still having trouble finding a list that will make the SSLlabs checker (or, more importantly, me) happy. Part of the problem is that we're not setting the SSL_OP_CIPHER_SERVER_PREFERENCE flag, so the server is not enforcing that GCM and/or forward-secrecy ciphersuites are used where possible.

GCM is: https://en.wikipedia.org/wiki/Galois/Counter_Mode


Contributor

daira commented Aug 15, 2013

BTW, note that the SSLlabs checker gives wrong results if you change the config and re-test the website without clicking "Clear cache".

SSLlabs is: https://www.ssllabs.com/ssltest/analyze.html?d=leastauthority.com


Member

zookoatleastauthoritycom commented Aug 15, 2013

I like these results:

https://www.ssllabs.com/ssltest/analyze.html?d=zooko.com

This is from nginx with this config:

ssl_session_cache shared:SSL:100m;
ssl_session_timeout 10000m;

ssl_prefer_server_ciphers on;

add_header Strict-Transport-Security max-age=100000;

server {
server_name zooko.com;

ssl_certificate_key /etc/ssl/private/zooko.com.key;
ssl_protocols TLSv1.1 TLSv1 TLSv1.2;
ssl_certificate /etc/ssl/my-certs/zooko.com.cer;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-ECDSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-ECDSA-AES128-SHA;

listen 443 default ssl;

rewrite ^ https://LeastAuthority.com redirect;
}


Contributor

daira commented Aug 15, 2013

For some reason the Twisted server is not offering DHE ciphersuites even though I include them in the list. I'll try adding ECDHE_RSA, but I'm not hopeful that it won't have the same problem. Also IE8 on XP spoils everything by being unmitigated crap :-p


Contributor

daira commented Aug 15, 2013

Oh, pyOpenSSL does expose SSL_CTX_set_options, so we should be able to set SSL_OP_CIPHER_SERVER_PREFERENCE.


Contributor

zooko commented Aug 15, 2013

I found http://msdn.microsoft.com/en-us/library/windows/desktop/aa380512%28v=vs.85%29.aspx which says that IE 8 on Windows XP could do TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA. I updated zooko.com's nginx config to add EDH-DSS-DES-CBC3-SHA at the end of its list, but ssllabs.com's simulated IE8-WinXP client did not use it. Then I added "DES-CBC3-SHA", and ssllabs.com's simulated IE8-WinXP client went from:

"""
IE 8 / XP No FS * Fail**

  • Browsers that do not support Forward Secrecy are excluded when determining support for it.
  ** Only first connection attempt simulated. Browsers are likely to retry with a lower protocol version or other tweaks.
"""

To:

"""
IE 8 / XP No FS * TLS 1.0 SSL_RSA_WITH_3DES_EDE_CBC_SHA (0xa) No FS 168
"""

Therefore, my new nginx/openssl config is:

ssl_protocols TLSv1.1 TLSv1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-ECDSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-ECDSA-AES128-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA;


Contributor

daira commented Aug 16, 2013

No-one uses EDH, those suites can safely be ignored.


Contributor

daira commented Aug 16, 2013

I did get SSL_OP_CIPHER_SERVER_PREFERENCE working on phi, but at the point I left off to do my visa preparation, we weren't successfully offering any DHE or ECDHE ciphersuites because (I think) the [EC]DH parameters had not been loaded.
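As an added example (not code from this repository, Twisted or pyOpenSSL), here is the check the two daira comments above call for, written against Python's standard-library ssl module, which wraps the same OpenSSL calls pyOpenSSL exposes (SSL_CTX_set_cipher_list, SSL_CTX_set_options, SSL_CTX_set_tmp_dh): build a server context with SSL_OP_CIPHER_SERVER_PREFERENCE set, optionally load DH parameters so DHE suites are actually offered, then audit what OpenSSL really enabled from the cipher string zooko posted. The WEAK_PATTERNS table, the audit helper and the dh_params_path argument are my own additions.

```python
"""Audit an OpenSSL cipher string the way this issue needs: build the server
context, turn on server-side preference, then inspect what OpenSSL actually
enabled instead of trusting the string (unknown names are dropped silently)."""
import re
import ssl

# Cipher string zooko posted for zooko.com (DES-CBC3-SHA kept only for IE 8 / XP).
POSTED_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-ECDSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES128-SHA256:DHE-ECDSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-ECDSA-AES128-SHA:"
    "DES-CBC3-SHA"
)

# Suite families this thread treats as unacceptable, as OpenSSL-name patterns
# (my own table). "DES-CBC-" is single DES, the bug in the issue title; it
# deliberately does not match "DES-CBC3-" (3DES), which zooko kept for IE 8 / XP.
WEAK_PATTERNS = {
    "single DES": re.compile(r"(^|-)DES-CBC-"),
    "RC4": re.compile(r"RC4"),
    "export grade": re.compile(r"^EXP"),
    "no encryption": re.compile(r"NULL"),
    "anonymous key exchange": re.compile(r"^A(EC)?DH-"),
}


def weak_suites(names):
    """Return [(name, reason)] for every suite in `names` matching a weak pattern."""
    flagged = []
    for name in names:
        for reason, pattern in WEAK_PATTERNS.items():
            if pattern.search(name):
                flagged.append((name, reason))
                break
    return flagged


def make_server_context(cipher_string, dh_params_path=None):
    """Server context with the issue's two fixes: an explicit cipher list and
    SSL_OP_CIPHER_SERVER_PREFERENCE, so the server's order beats the client's."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises SSLError only if *nothing* matches
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    # DHE suites are only offered once DH parameters are loaded (daira's point);
    # ECDHE curves are picked automatically by OpenSSL >= 1.1.0.
    if dh_params_path is not None:  # placeholder: a PEM file from `openssl dhparam`
        ctx.load_dh_params(dh_params_path)
    return ctx


def server_preference_enabled(ctx):
    """True when SSL_OP_CIPHER_SERVER_PREFERENCE is set on the context."""
    return bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)


def enabled_tls12_suites(ctx):
    """Names OpenSSL actually enabled, in server preference order, minus the fixed
    TLS 1.3 suites that newer OpenSSL prepends to every list."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Return (enabled names, flagged weak suites, requested names OpenSSL dropped).
    The DHE-ECDSA-* entries in the posted string are not real OpenSSL suite names,
    so they show up in the dropped list rather than failing set_ciphers()."""
    ctx = make_server_context(cipher_string)
    enabled = enabled_tls12_suites(ctx)
    dropped = [n for n in cipher_string.split(":") if n not in enabled]
    return enabled, weak_suites(enabled), dropped


if __name__ == "__main__":
    enabled, flagged, dropped = audit(POSTED_CIPHERS)
    print("enabled, in server order:", enabled)
    print("weak suites still enabled:", flagged)
    print("requested but unknown to this OpenSSL:", dropped)
```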


Member

zookoatleastauthoritycom commented Oct 14, 2013

Per Daira's comment about EDH, I removed "EDH-DSS-DES-CBC3-SHA", leaving me with:

ssl_protocols TLSv1.1 TLSv1 TLSv1.2;
ssl_certificate /etc/ssl/my-certs/zooko.com.cer;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-ECDSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-ECDSA-AES128-SHA:DES-CBC3-SHA;

ssllabs's test (which they've been updating, so it will give different answers today than it would have given at the beginning of this issue), currently says this about my config (at zooko.com):

Cipher Suites (SSL 3+ suites in server-preferred order, then SSL 2 suites where used)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH 256 bits (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH 256 bits (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits RSA) FS 128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128

Handshake Simulation
Chrome 30 / Win 7 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) FS 128
Firefox 10.0.12 ESR / Win 7 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
Firefox 17.0.7 ESR / Win 7 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
Firefox 21 / Fedora 19 TLS 1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) FS 128
Firefox 24 / Win 7 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
IE 6 / XP No FS * Fail**
IE 7 / Vista TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
IE 8 / XP No FS * TLS 1.0 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) No FS 168
IE 8-10 / Win 7 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
IE 11 / Win 8.1 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) FS 128
Java 6u45 TLS 1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) FS 128
Java 7u25 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
OpenSSL 0.9.8y TLS 1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) FS 128
OpenSSL 1.0.1e TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) FS 128
Opera 12.15 / Win 7 TLS 1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) FS 128
Opera 16 / Win 7 TLS 1.1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
Safari 5.1.9 / OS X 10.6.8 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
Safari 6 / iOS 6.0.1 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) FS 128
Safari 6.0.4 / OS X 10.8.4 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
Safari 7 / OS X 10.9 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) FS 128

  • Browsers that do not support Forward Secrecy are excluded when determining support for it.
    ** Only first connection attempt simulated. Browsers are likely to retry with a lower protocol version or other tweaks.

Protocol Details
Secure Renegotiation Supported
Secure Client-Initiated Renegotiation No
Insecure Client-Initated Renegotiation No
BEAST attack Not mitigated server-side (more info) TLS 1.0: 0xc013
TLS compression No
RC4 No
Forward Secrecy Yes (with most browsers) ROBUST (more info)
Next Protocol Negotiation Yes http/1.1
Session resumption Yes
Session tickets Yes
OCSP stapling No
Strict Transport Security Yes max-age=100000
Long handshake intolerance No
TLS extension intolerance No
TLS version intolerance TLS 2.98
SSL 2 handshake compatibility Yes


Contributor

zancas commented Oct 15, 2013

Have you committed this change to a branch? If so which? I've been linking all of my commits to deliverables in my standup log.



Member

zookoatleastauthoritycom commented Oct 15, 2013

That's a change to the configuration of the web server running on zooko.com.


Member

zookoatleastauthoritycom commented Oct 15, 2013

lvh posted on https://twistedmatrix.com/trac/ticket/6663#comment:31 about ciphers suggested by Mozilla: https://wiki.mozilla.org/Security/Server_Side_TLS

I tried the config they suggested and asked https://www.ssllabs.com/ssltest/analyze.html?d=zooko.com what would be the result with a bunch of simulated clients.

With my config (ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-ECDSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-ECDSA-AES128-SHA:DES-CBC3-SHA), ssllabs said:

Chrome 30 / Win 7 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) FS 128
Firefox 10.0.12 ESR / Win 7 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
Firefox 17.0.7 ESR / Win 7 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
Firefox 21 / Fedora 19 TLS 1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) FS 128
Firefox 24 / Win 7 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
IE 6 / XP No FS * Fail**
IE 7 / Vista TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
IE 8 / XP No FS * TLS 1.0 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) No FS 168
IE 8-10 / Win 7 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
IE 11 / Win 8.1 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) FS 128
Java 6u45 TLS 1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) FS 128
Java 7u25 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
OpenSSL 0.9.8y TLS 1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) FS 128
OpenSSL 1.0.1e TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) FS 128
Opera 12.15 / Win 7 TLS 1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) FS 128
Opera 16 / Win 7 TLS 1.1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
Safari 5.1.9 / OS X 10.6.8 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
Safari 6 / iOS 6.0.1 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) FS 128
Safari 6.0.4 / OS X 10.8.4 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
Safari 7 / OS X 10.9 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) FS 128

With Mozilla's config, ssllabs said the same thing, except with this diff:

-IE 8 / XP No FS * TLS 1.0 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) No FS 168
+IE 8 / XP No FS * TLS 1.0 TLS_RSA_WITH_RC4_128_SHA (0x5) No FS 128

So the only practical difference known to ssllabs's simulator is that with Mozilla's config, IE 8 / XP would choose RC4 instead of 3DES. This seems like a really bad idea to me. As far as I know 3DES is very strong, and is, along with AES, one of the two best-studied ciphers in all of human history. In contrast, RC4 is weak, and recent discoveries have shown it to be even weaker (as it is used in TLS) than earlier believed.

Seems like a pretty bad choice for Mozilla to recommend it over 3DES…

Member

zookoatleastauthoritycom commented Oct 15, 2013

Opened a bug report for Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=927045


Contributor

daira commented Oct 17, 2013

Does IE 8 / XP do client-side mitigation of BEAST?


Contributor

daira commented Oct 17, 2013

Does IE 8 / XP do client-side mitigation of BEAST?

No, because 1/n-1 record splitting (https://bugzilla.mozilla.org/show_bug.cgi?id=665814#c59) was only proposed in August 2011. IE8 was released in 2009.



@zooko


zooko Oct 24, 2013

Contributor

For what it is worth, I've been persuaded by Adam Langley and Nick Matthewson that GCM is hard to implement in a timing-leak-safe way, and I've decided that SHA-1 is just as good as SHA-256 when used in HMAC, so I tweaked my config string to this:

ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA:DHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-ECDSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-ECDSA-AES128-GCM-SHA256:DES-CBC3-SHA


@ivanr


ivanr Oct 24, 2013

In response to the question about IE8 on Windows XP: On Microsoft platforms, the 1/n-1 split is in Schannel, not in browsers. IIRC, the issue was patched on Windows XP too. It should not matter that IE8 predates BEAST.


@zooko


zooko Oct 25, 2013

Contributor

Here is a detailed recipe of someone configuring Twisted web to do better ciphers:

https://github.com/oberstet/scratchbox/blob/master/python/twisted/tips/AAA_TLS.md


@zooko


zooko Oct 25, 2013

Contributor

In my latest experiment with cipher selection, I've decided I don't really like or need GCM nor HMAC-SHA256. Also the TLS analyzer seems to be telling me that it doesn't even recognize the ECDSA options: ECDHE-ECDSA-AES128-SHA and DHE-ECDSA-AES128-SHA. Also I've decided that I don't really like ECDSA.

So my config string can be this very simple thing:

ssl_ciphers ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA;

The TLS handshake simulator shows that this works with all the clients it simulates:

https://www.ssllabs.com/ssltest/analyze.html?d=zooko.com

Bing Oct 2013   TLS 1.0     TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   FS    128
Chrome 30 / Win 7   TLS 1.2     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
Firefox 10.0.12 ESR / Win 7     TLS 1.0     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
Firefox 17.0.7 ESR / Win 7  TLS 1.0     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
Firefox 21 / Fedora 19  TLS 1.0     TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   FS    128
Firefox 24 / Win 7  TLS 1.0     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
Googlebot Oct 2013  TLS 1.0     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
IE 6 / XP   No FS *     SSL 3   TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   No FS     168
IE 7 / Vista    TLS 1.0     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
IE 8 / XP   No FS *     TLS 1.0     TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   No FS     168
IE 8-10 / Win 7     TLS 1.0     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
IE 11 / Win 8.1     TLS 1.2     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
Java 6u45   TLS 1.0     TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   FS    128
Java 7u25   TLS 1.0     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
OpenSSL 0.9.8y  TLS 1.0     TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   FS    128
OpenSSL 1.0.1e  TLS 1.2     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
Opera 17 / Win 7    TLS 1.2     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
Safari 5.1.9 / OS X 10.6.8  TLS 1.0     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
Safari 6 / iOS 6.0.1    TLS 1.2     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
Safari 6.0.4 / OS X 10.8.4  TLS 1.0     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
Safari 7 / OS X 10.9    TLS 1.2     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
Tor 17.0.9 / Win 7  TLS 1.0     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
Yahoo Slurp Oct 2013    TLS 1.0     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128 
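The handshake-simulation rows pasted in this thread can be checked automatically rather than read by eye. The following is an added example (not code from this thread, from Qualys, or from the leastauthority.com project) that parses rows in the pasted format and reports every simulated client that would land on SSL 3, without forward secrecy, or on a single-DES/RC4 suite; the `Legacy client (constructed)` row is made up to exercise the single-DES case from the original report, the other rows are copied from the table above.

```python
"""Audit SSL Labs handshake-simulation rows against the policy argued for in
this thread: forward secrecy everywhere, no SSLv3, no single DES / RC4, and
3DES only as a reported legacy fallback. Added example, not project code."""
import re

# One row, as pasted in the thread:
#   <client>  [No FS *]  <protocol>  <suite> (<hex id>)  FS|No FS  <bits>
ROW = re.compile(
    r"^(?P<client>.+?)\s+(?:No FS \*\s+)?"
    r"(?P<proto>SSL [23]|TLS 1\.[0-3])\s+"
    r"(?P<suite>TLS_[A-Z0-9_]+) \((?P<code>0x[0-9a-fA-F]+)\)\s+"
    r"(?P<fs>No FS|FS)\s+(?P<bits>\d+)$"
)

# Suite-name fragments that must never be negotiated (single DES, RC4,
# NULL and export suites) and one that is tolerated only for old clients.
WEAK_FRAGMENTS = ("_DES_", "_RC4_", "_NULL_", "EXPORT")
LEGACY_FRAGMENTS = ("3DES",)


def parse_rows(text):
    """Return a list of dicts, one per row that matches the simulator format."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["bits"] = int(row["bits"])
            row["fs"] = row["fs"] == "FS"
            rows.append(row)
    return rows


def audit(text):
    """Map each failing client to the list of policy reasons it fails."""
    findings = {}
    for row in parse_rows(text):
        reasons = []
        if row["proto"].startswith("SSL"):
            reasons.append("negotiates %s (POODLE exposure; disable SSLv3)" % row["proto"])
        if not row["fs"]:
            reasons.append("no forward secrecy (static RSA key exchange)")
        if any(f in row["suite"] for f in WEAK_FRAGMENTS):
            reasons.append("weak cipher: " + row["suite"])
        elif any(f in row["suite"] for f in LEGACY_FRAGMENTS):
            reasons.append("legacy 3DES fallback: " + row["suite"])
        if reasons:
            findings[row["client"]] = reasons
    return findings


# Sample input: rows copied from the simulator output above, plus one
# constructed row showing what the original single-DES report looked like.
SAMPLE_ROWS = """
Bing Oct 2013   TLS 1.0     TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   FS    128
Chrome 30 / Win 7   TLS 1.2     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
Firefox 21 / Fedora 19  TLS 1.0     TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   FS    128
IE 6 / XP   No FS *     SSL 3   TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   No FS     168
IE 8 / XP   No FS *     TLS 1.0     TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   No FS     168
IE 8-10 / Win 7     TLS 1.0     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS    128
Legacy client (constructed)   TLS 1.0     TLS_RSA_WITH_DES_CBC_SHA (0x9)   No FS     56
"""

if __name__ == "__main__":
    for client, reasons in sorted(audit(SAMPLE_ROWS).items()):
        print(client)
        for reason in reasons:
            print("  - " + reason)
```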
@daira


daira Oct 28, 2013

Contributor

Zooko, why don't you like GCM? GCM is the right way (rather than the hacky and still-could-be-vulnerable-to-the-next-clever-idea way) to fix the CBC issues.


@zookoatleastauthoritycom


zookoatleastauthoritycom Oct 29, 2013

Member

GCM is apparently hard to implement in a constant-time design.

Adam Langley: https://www.imperialviolet.org/2013/10/07/chacha20.html

Nick Mathewson: "GCM, which is also hard to do in a side-channel-free way in software" — https://lists.torproject.org/pipermail/tor-talk/2013-September/029937.html

See also Matt Green and Colin Percival on AEAD and side-channel (timing) issues: http://blog.cryptographyengineering.com/2011/12/matt-green-smackdown-watch-are-aead.html


@zookoatleastauthoritycom

Member

zookoatleastauthoritycom commented Oct 29, 2013

@daira


daira Oct 29, 2013

Contributor

Emilia Käsper, Peter Schwabe
Faster and Timing-Attack Resistant AES-GCM
CHES '09 Proceedings of the 11th International Workshop on Cryptographic Hardware and Embedded Systems
2009
Slides at http://www.chesworkshop.org/ches2009/presentations/01_Session_1/CHES2009_ekasper.pdf

(I agree this doesn't contradict Zooko's and Nick's statements that AES-GCM is hard to implement in constant time, but it is at least possible, and not prohibitively inefficient.)


@daira


daira Oct 30, 2013

Contributor

Also note that Niels Ferguson's main attack doesn't materially affect the use of GCM in TLS (where the nonce is always 96 bits and the tag always 128 bits).


@zooko


zooko Oct 30, 2013

Contributor

Also, TLS's CBC+HMAC isn't that perfectly easy to implement in constant time, either! http://blog.cryptographyengineering.com/2013/02/attack-of-week-tls-timing-oracles.html

But, I still think that the current TLS CBC+HMAC implementations are more likely to be better at this than the current GCM implementations. I could be wrong about that — I haven't checked!


@zookoatleastauthoritycom


zookoatleastauthoritycom Apr 16, 2014

Member

This has been fixed in Twisted trunk, but not yet in a new Twisted release: https://twistedmatrix.com/trac/ticket/6663


@daira


daira Dec 9, 2014

Contributor

I think it should be possible to do without that patch, and switch to whatever the cool kids are now using to set cert options. We were still using it just because it works and we were applying an OTAAT (change One Thing At A Time) policy to server upgrades. But getting forward secrecy working is sufficient justification to change it.


@david415


david415 Dec 9, 2014

Member

OK... I think that the cool kids would do something like this:

https://github.com/david415/leastauthority.com/tree/david-92-improve-cipher-list-1
david415@febe9c5

However I might have to change that a tiny bit to support ASN1 instead of PEM if that's what we are using.


@daira


daira Dec 9, 2014

Contributor

I built OpenSSL 1.0.1j from source (in /home/website/openssl/openssl-1.0.1j) like this:

$ wget https://www.openssl.org/source/openssl-1.0.1j.tar.gz
$ sha1sum openssl-1.0.1j.tar.gz
# cff86857507624f0ad42d922bb6f77c4f1c2b819
$ tar zxf openssl-1.0.1j.tar.gz
$ cd openssl-1.0.1j/
$ ./config no-shared no-idea no-mdc2 no-rc5 zlib enable-tlsext no-ssl2
$ make depend
$ make

Security bugs fixed in 1.0.1j: https://www.openssl.org/news/openssl-1.0.1-notes.html


@daira


daira Dec 10, 2014

Contributor

I got forward secrecy working! (for most clients) I used an ugly hack that sets a private variable of OpenSSLCertificateOptions, though. A better way would be to construct the OpenSSLCertificateOptions object directly via its constructor.

https://github.com/LeastAuthority/leastauthority.com/commits/david-92-improve-cipher-list-1


@david415


david415 Dec 10, 2014

Member

wow cool! did the certificate chain work?

It looks like we don't have to set the OP_NO_SSLv3 option anymore since Twisted does it:
https://twistedmatrix.com/trac/browser/tags/releases/twisted-14.0.2/twisted/internet/_sslverify.py#L1347

I'm going to run some experiments and post the results here.


@daira


daira Dec 10, 2014

Contributor

I'm not sure about the cert chain, I didn't have time to check it last night.


@david415


david415 Dec 10, 2014

Member

I was able to test lae_site/main.py at this new commit id which removes the hacky ssl context option setting:
david415@2c115bd

Still not vulnerable to the POODLE attack.... but I had to test several times... because it seems that qualys was caching previous results even though I tested with the url with a no cache option.

qualys ssllabs says "Chain Issues Incomplete"

Additionally it's failing these tests:

  • Secure Client-Initiated Renegotiation Supported DoS DANGER
  • Downgrade attack prevention Yes, TLS_FALLBACK_SCSV supported

I suspect we need the certificate chain to be loaded properly for all this to work in production.
Is that the case?

aha! OpenSSLCertificateOptions will call add_extra_chain_cert if we set extraCertChain...
I think we might need to put the extra certs into its own file so we can pass it to extraCertChain
separately from certificate.

https://twistedmatrix.com/trac/browser/tags/releases/twisted-14.0.2/twisted/internet/_sslverify.py#L1441

https://pythonhosted.org/pyOpenSSL/api/ssl.html#OpenSSL.SSL.Context.add_extra_chain_cert

further experiment results forthcoming...


@david415


david415 Dec 10, 2014

Member

Oh I see that pyopenssl's add_extra_chain_cert(cert) takes an X.509 cert chain but
use_certificate_chain_file which we previously were using takes a PEM encoded cert chain file... so I'm going to dig deeper to see what can be done.


@david415


david415 Dec 10, 2014

Member

I found an excellent code example that demonstrates our use-case of key and cert file where the cert file contains additional certificate chains:
https://pypi.python.org/pypi/pem/0.3.0

I have made these changes in my branch here:
https://github.com/david415/leastauthority.com/tree/david-92-improve-cipher-list-1
in this commit:
david415@992371d

AND I'm fairly confident that it will work... however I have not gotten a chance to test it because the pem python module is not installed... So let's test this soon once we install the pem module!


@glyph


glyph Dec 10, 2014

Hi all. I just ran across this ticket and read the last dozen or so comments here.

I'm sorry Twisted's API for this is so bad. My only consolation is that (A) it is getting better (B) it is actually better than most things and (C) it seems like the fact that it got better may have enabled you to at least figure out how to do the right thing in the most recent release, even if it wasn't entirely straightforward. The guiding design principle for far too long was "we're not crypto experts, surely OpenSSL's API is sufficient for this stuff", and obviously it isn't.

Anyway, sorry for the inconvenience, I just wanted to say we are actively aware that this is a problem and have been putting a lot of effort into fixing it.


@david415


david415 Dec 10, 2014

Member

howdy Glyph... yes it's definitely getting better I see.

Daira and Nathan: I'm going to test this code I wrote tomorrow or whenever Nathan or Daira fix a test environment for me. Nathan got me setup with a different machine but it's missing flappserver (whatever that is). I guess Daira and I will fix this tomorrow during our scheduled pairing.


@david415


david415 Dec 11, 2014

Member

OK so I made another commit...
https://github.com/david415/leastauthority.com/tree/david-92-improve-cipher-list-1
david415@d6d2741

But it doesn't work so I'm going to try and dig deeper tomorrow.
Daira: feel free to solve this problem ;-)

[Failure instance: Traceback: <class 'OpenSSL.crypto.Error'>: []
/usr/local/lib/python2.7/dist-packages/twisted/internet/defer.py:577:_runCallbacks
/home/website/leastauthority.com/lae_util/flapp.py:29:_got_rref
/usr/local/lib/python2.7/dist-packages/twisted/internet/defer.py:382:callback
/usr/local/lib/python2.7/dist-packages/twisted/internet/defer.py:490:_startRunCallbacks
--- ---
/usr/local/lib/python2.7/dist-packages/twisted/internet/defer.py:577:_runCallbacks
/home/website/leastauthority.com/lae_site/main.py:101:
/home/website/leastauthority.com/lae_site/main.py:71:main
/usr/local/lib/python2.7/dist-packages/twisted/internet/_sslverify.py:619:loadPEM
/usr/local/lib/python2.7/dist-packages/twisted/internet/_sslverify.py:725:load
/usr/local/lib/python2.7/dist-packages/OpenSSL/crypto.py:2010:load_privatekey
/usr/local/lib/python2.7/dist-packages/OpenSSL/_util.py:22:exception_from_error_queue


daira added a commit that referenced this issue Dec 11, 2014

Update code for loading cert chain to work with Twisted 14.0.2, without needing a patch. refs #92

Signed-off-by: Daira Hopwood <daira@leastauthority.com>
@daira


daira Dec 11, 2014

Contributor

92-improve-cipher-list-3 now has the updated code, but I'm having trouble logging into ubuntu@leastauthority.com to make the necessary updates to Twisted and pyOpenSSL.


@daira


daira Jan 15, 2015

Contributor

This is what we did to fix the production site:

sudo dpkg -r python-twisted-core python-twisted-conch python-twisted-mail python-twisted-lore python-twisted-names python-twisted-news python-twisted-runner python-twisted-web python-twisted-words python-nevow python-foolscap landscape-client landscape-common
sudo pip install foolscap service_identity 'Twisted==14.0.2' pem
sudo apt-get install libssl-dev build-essential python-dev libffi-dev
sudo dpkg -r python-openssl
sudo pip install 'pyOpenSSL >= 0.14'

and switch to the 92-improve-cipher-list-3 branch.

https://www.ssllabs.com/ssltest/analyze.html?d=leastauthority.com&clearCache=on now gives us an A.


@daira


daira Jan 15, 2015

Contributor

This ticket should not be closed until we've updated the infrastructure deployment to automatically reach the same state we got to above.


@david415 david415 closed this Jan 16, 2015

@david415 david415 reopened this Jan 16, 2015

@david415


david415 Jan 16, 2015

Member

oh? yes... I agree. We should update the deployment.


@daira daira changed the title from Insecure ciphers are accepted by https://leastauthority.com to update infrastructure deployment to solve: Insecure ciphers are accepted by https://leastauthority.com Jan 16, 2015

@zookoatleastauthoritycom


zookoatleastauthoritycom Jan 16, 2015

Member

Judging from this conversation on twitter (https://twitter.com/mik235/status/556201250513895425), the ideal modern cipher suite spec string is ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA.


@daira


daira Jan 18, 2015

Contributor

The default cipher suite list for Twisted 14.0.2 looks perfectly reasonable to me; I'm loath to override it without good reason.

Picking up on another comment on the Twitter thread: we are secure against POODLE attacks on TLS according to the ssllabs test.


@exarkun


exarkun Feb 9, 2017

Contributor

We're using that now. The ssllabs report looks good now. Considering this fixed.


@exarkun exarkun closed this Feb 9, 2017
