-
Notifications
You must be signed in to change notification settings - Fork 779
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Removes non-FS ciphers to make SSLLabs not warn on weak ciphers #4025
Conversation
It seems fine but probably not. #4007 |
Ok, so probably we should remove the TLS v1.3 portion out of this patch then, and just fix the weak ciphers that are in TLS < v1.3 ? We probably should make sure we can get the TLS v1.3 ciphers in v8.0.x of ATS as well IMO, particularly if we need to add a new configuration (I'm hoping we can avoid a new config). |
This is as reported by SSLLabs, and doing this change eliminates their warnings about weak non-FS ciphers.
I removed the TLS13_ portion from this PR. The Weak ciphers change is still as above (same effect on the SSLLabs checks). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The WEAK ciphers are called below in OpenSSL. And I confirmed these are removed.
TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 AES128-SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 AES256-SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256 AES128-GCM-SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384 AES256-GCM-SHA384
https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html
@masaori335 @maskit Please confirm that you think this is a good change for 8.0.0 or not. |
I'm pretty sure that this is a good change for 8.0.0. According to "Handshake Simulation" on SSLLabs, no client selects these ciphers. It looks no critical side effect of removing them. |
Cherry-picked to 8.0.x |
This is as reported by SSLLabs, and doing this change eliminates
their warnings about weak non-FS ciphers.