crypto/tls: Available ciphers list lacks AES-256 and SHA-2 based combination #9894

Closed
fmatte7 opened this issue Feb 16, 2015 · 8 comments
@fmatte7 fmatte7 commented Feb 16, 2015

The available ciphers list lacks an option with the combination of AES-256 and SHA-2. As far as I can tell there are only AES-256 options with SHA-1, and AES-128 options with SHA-2.

This is a problem because many companies (and government organizations) have cryptographic guidelines, most of which are starting to forbid SHA-1 and AES-128 based combinations. For those organizations the lack of a suitable combination is a blocker for usage of crypto/TLS. (You can't negotiate with compliance people, they are a bit like terrorists, unfortunately.)

For example:

I build integration APIs that use client certificate authentication. I am soon going to be simply forbidden to use Go for that. I could add an extra web server (Apache, nginx, .. name your poison) but then the problem would be how I could absolutely reliably authenticate the web server against the API server. The most reliable method would again be mutual certificate authentication, again requiring AES-256 and SHA-2... Also, bringing in a 3rd party library or daemon sounds like too heavy a solution for maintenance for me, requiring an audit & accreditation process...

@fmatte7 fmatte7 commented Feb 16, 2015

Compare with OpenSSL's available cipher list. Several good options available:

https://www.openssl.org/docs/apps/ciphers.html#tls_v1_2_cipher_suites

IANA's List for comparison:

http://www.iana.org/assignments/tls-parameters/tls-parameters.xml

@bradfitz bradfitz added this to the Go1.5Maybe milestone Feb 18, 2015
@agl agl commented Feb 23, 2015

Is AES-256-GCM not sufficient?

@agl agl commented Feb 23, 2015

(Preemptively closing this because the initial premise, that we don't support AES-256+SHA-2, is incorrect. You can still follow up if I've misunderstood something.)

@agl agl closed this Feb 23, 2015
@flaggid7 flaggid7 commented Feb 24, 2015

You are incorrect, and the premise that AES-256+SHA-2 is not supported is correct. You can see this very very clearly if you read the crypto/tls.go and take a look at how the ciphersets are being built. There isn't any possible way that the code used in crypto/tls.go ever calls SHA-2 functions from crypto/sha2whatever. SHA-2 libraries are not ever even imported.

You can also verify this using a very simple approach. Using a very helpful testing script found on superuser.com (http://superuser.com/questions/109213/is-there-a-tool-that-can-test-what-ssl-tls-cipher-suites-a-particular-website-of) against a simple ListenAndServeTLS, and ignoring all other considerations such as key agreement protocols and SSL/TLS version (neither of the implementations seems to be really picky about that, it doesn't change the results), the results are in fact the following.

Commonly compliant combinations:

Testing ECDHE-RSA-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES256-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES256-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-DSS-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES256-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-DSS-AES256-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing ADH-AES256-SHA256...NO (sslv3 alert handshake failure)
Testing ECDH-RSA-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing ECDH-ECDSA-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing ECDH-RSA-AES256-SHA384...NO (sslv3 alert handshake failure)
Testing ECDH-ECDSA-AES256-SHA384...NO (sslv3 alert handshake failure)
Testing AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing AES256-SHA256...NO (sslv3 alert handshake failure)

Ok. There are a couple on that list you probably shouldn't use in real life. The point is however: Not a single AES-256 and SHA-2 based combination is supported by crypto/tls. You can't even force such a combination by configuring net/http and crypto/tls, the required implementation details are simply missing from crypto/tls.go.

Commonly noncompliant combinations:

Testing ECDHE-RSA-AES256-SHA...YES
Testing ECDHE-ECDSA-AES256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-AES256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-CAMELLIA256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-CAMELLIA256-SHA...NO (sslv3 alert handshake failure)
Testing AECDH-AES256-SHA...NO (sslv3 alert handshake failure)
Testing ADH-AES256-SHA...NO (sslv3 alert handshake failure)
Testing ADH-CAMELLIA256-SHA...NO (sslv3 alert handshake failure)
Testing ECDH-RSA-AES256-SHA...NO (sslv3 alert handshake failure)
Testing ECDH-ECDSA-AES256-SHA...NO (sslv3 alert handshake failure)
Testing AES256-SHA...YES
Testing CAMELLIA256-SHA...NO (sslv3 alert handshake failure)
Testing PSK-AES256-CBC-SHA...NO (no ciphers available)
Testing ECDHE-RSA-AES128-GCM-SHA256...YES
Testing ECDHE-ECDSA-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES128-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES128-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES128-SHA...YES
Testing ECDHE-ECDSA-AES128-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES128-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-DSS-AES128-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES128-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-AES128-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-SEED-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-SEED-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-CAMELLIA128-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-CAMELLIA128-SHA...NO (sslv3 alert handshake failure)
Testing AECDH-AES128-SHA...NO (sslv3 alert handshake failure)
Testing ADH-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-AES128-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-AES128-SHA...NO (sslv3 alert handshake failure)
Testing ADH-SEED-SHA...NO (sslv3 alert handshake failure)
Testing ADH-CAMELLIA128-SHA...NO (sslv3 alert handshake failure)
Testing ECDH-RSA-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing ECDH-ECDSA-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing ECDH-RSA-AES128-SHA256...NO (sslv3 alert handshake failure)
Testing ECDH-ECDSA-AES128-SHA256...NO (sslv3 alert handshake failure)
Testing ECDH-RSA-AES128-SHA...NO (sslv3 alert handshake failure)
Testing ECDH-ECDSA-AES128-SHA...NO (sslv3 alert handshake failure)
Testing AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing AES128-SHA256...NO (sslv3 alert handshake failure)
Testing AES128-SHA...YES
Testing SEED-SHA...NO (sslv3 alert handshake failure)
Testing CAMELLIA128-SHA...NO (sslv3 alert handshake failure)
Testing IDEA-CBC-SHA...NO (sslv3 alert handshake failure)
Testing IDEA-CBC-MD5...NO (no ciphers available)
Testing RC2-CBC-MD5...NO (no ciphers available)
Testing PSK-AES128-CBC-SHA...NO (no ciphers available)
Testing KRB5-IDEA-CBC-SHA...NO (no ciphers available)
Testing KRB5-IDEA-CBC-MD5...NO (no ciphers available)
Testing ECDHE-RSA-RC4-SHA...YES
Testing ECDHE-ECDSA-RC4-SHA...NO (sslv3 alert handshake failure)
Testing AECDH-RC4-SHA...NO (sslv3 alert handshake failure)
Testing ADH-RC4-MD5...NO (sslv3 alert handshake failure)
Testing ECDH-RSA-RC4-SHA...NO (sslv3 alert handshake failure)
Testing ECDH-ECDSA-RC4-SHA...NO (sslv3 alert handshake failure)
Testing RC4-SHA...YES
Testing RC4-MD5...NO (sslv3 alert handshake failure)
Testing RC4-MD5...NO (sslv3 alert handshake failure)
Testing PSK-RC4-SHA...NO (no ciphers available)
Testing KRB5-RC4-SHA...NO (no ciphers available)
Testing KRB5-RC4-MD5...NO (no ciphers available)
Testing ECDHE-RSA-DES-CBC3-SHA...YES
Testing ECDHE-ECDSA-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing EDH-RSA-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing EDH-DSS-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing AECDH-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing ADH-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing ECDH-RSA-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing ECDH-ECDSA-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing DES-CBC3-SHA...YES
Testing DES-CBC3-MD5...NO (no ciphers available)
Testing PSK-3DES-EDE-CBC-SHA...NO (no ciphers available)
Testing KRB5-DES-CBC3-SHA...NO (no ciphers available)
Testing KRB5-DES-CBC3-MD5...NO (no ciphers available)
Testing EDH-RSA-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing EDH-DSS-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing ADH-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing DES-CBC-MD5...NO (no ciphers available)
Testing KRB5-DES-CBC-SHA...NO (no ciphers available)
Testing KRB5-DES-CBC-MD5...NO (no ciphers available)
Testing EXP-EDH-RSA-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing EXP-EDH-DSS-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing EXP-ADH-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing EXP-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing EXP-RC2-CBC-MD5...NO (sslv3 alert handshake failure)
Testing EXP-RC2-CBC-MD5...NO (sslv3 alert handshake failure)
Testing EXP-KRB5-RC2-CBC-SHA...NO (no ciphers available)
Testing EXP-KRB5-DES-CBC-SHA...NO (no ciphers available)
Testing EXP-KRB5-RC2-CBC-MD5...NO (no ciphers available)
Testing EXP-KRB5-DES-CBC-MD5...NO (no ciphers available)
Testing EXP-ADH-RC4-MD5...NO (sslv3 alert handshake failure)
Testing EXP-RC4-MD5...NO (sslv3 alert handshake failure)
Testing EXP-RC4-MD5...NO (sslv3 alert handshake failure)
Testing EXP-KRB5-RC4-SHA...NO (no ciphers available)
Testing EXP-KRB5-RC4-MD5...NO (no ciphers available)
Testing ECDHE-RSA-NULL-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-NULL-SHA...NO (sslv3 alert handshake failure)
Testing AECDH-NULL-SHA...NO (sslv3 alert handshake failure)
Testing ECDH-RSA-NULL-SHA...NO (sslv3 alert handshake failure)
Testing ECDH-ECDSA-NULL-SHA...NO (sslv3 alert handshake failure)
Testing NULL-SHA256...NO (sslv3 alert handshake failure)
Testing NULL-SHA...NO (sslv3 alert handshake failure)
Testing NULL-MD5...NO (sslv3 alert handshake failure)
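The same per-suite check can be run from Go itself instead of an external script. This is an added example, not code from the thread or from the Go project: `selfSigned` and `probe` are hypothetical helper names, `probe.invalid` is a constructed certificate name, `tls.CipherSuiteName` assumes Go 1.14 or later, and `0x003D` is the IANA code point for TLS_RSA_WITH_AES_256_CBC_SHA256.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway RSA certificate (constructed test data).
func selfSigned() (tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "probe.invalid"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// probe offers one suite to a default crypto/tls server over net.Pipe; true if TLS 1.2 completes with it.
func probe(cert tls.Certificate, suite uint16) bool {
	c, s := net.Pipe()
	defer c.Close()
	c.SetDeadline(time.Now().Add(5 * time.Second))
	srv := tls.Server(s, &tls.Config{Certificates: []tls.Certificate{cert}})
	go func() { srv.Handshake(); s.Close() }()
	// MaxVersion pins TLS 1.2 (CipherSuites does not apply to 1.3); skip-verify is safe only in-process.
	cli := tls.Client(c, &tls.Config{CipherSuites: []uint16{suite},
		MaxVersion: tls.VersionTLS12, InsecureSkipVerify: true})
	return cli.Handshake() == nil && cli.ConnectionState().CipherSuite == suite
}

func main() {
	cert, err := selfSigned()
	if err != nil {
		panic(err)
	}
	// 0x003D is TLS_RSA_WITH_AES_256_CBC_SHA256, for which crypto/tls has no constant.
	for _, id := range []uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_RSA_WITH_AES_256_GCM_SHA384, 0x003D} {
		fmt.Printf("Testing %s...%v\n", tls.CipherSuiteName(id), probe(cert, id))
	}
}
```

The result for TLS_RSA_WITH_AES_256_GCM_SHA384 depends on the Go release: from Go 1.22 a default-configured server no longer offers RSA key-exchange suites, so that probe reports false unless the server's `CipherSuites` lists the suite explicitly.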
@RalphCorderoy RalphCorderoy commented Nov 6, 2015

@flaggid7, what is your conclusion on this? I see the ticket remains Closed.

I'm finding finance houses are offering these four due to their corporate policies and so I can't connect to them.

TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384

These two are the closest in cipherSuites, but are SHA1.

{TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},  
{TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},  

It does seem as if crypto/tls's users should be able to specify suites, or else the default list should be bigger even if there are many that are suiteDefaultOff to allow the caller to specify them.

@agl, please correct me if I've got the wrong end of the stick.

@agl agl commented Nov 14, 2015

Based on the above, it does seem that we could reasonably offer TLS_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_256_GCM_SHA384.

@agl agl reopened this Nov 14, 2015
@gopherbot gopherbot commented Nov 15, 2015

CL https://golang.org/cl/16924 mentions this issue.

@minux minux closed this in deb0961 Nov 15, 2015
@golang golang locked and limited conversation to collaborators Nov 16, 2016
FiloSottile pushed a commit to FiloSottile/go that referenced this issue Oct 12, 2018
…256_GCM_SHA384 cipher suites

Fixes golang#9894.

Change-Id: I9c7ce771df2e2d1c99a06f800dce63c4e1875993
Reviewed-on: https://go-review.googlesource.com/16924
Run-TryBot: Minux Ma <minux@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>