Remove deprecated ciphers and protocols #190

Closed

Conversation

@aeris
Contributor

aeris commented Feb 16, 2018

TLSv1.0 & TLSv1.1 suffer from [POODLE](https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls) and other [padding oracle attacks](https://blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites/).
You need to support only TLSv1.2 to expect to close those weaknesses (and use only AEAD cipher suites in case of padding oracles).

Likewise, non-PFS cipher suites are not at all recommended (see the Heartbleed effect).
DHE support [is dropped](https://www.digicert.com/blog/google-plans-to-deprecate-dhe-cipher-suites/) from any decent user agent and can lead to a [MITM attack](https://media.ccc.de/v/32c3-7288-logjam_diffie-hellman_discrete_logs_the_nsa_and_you#t=1357) (around ~25 min into the video) with only one side supporting a weak cipher suite.
3DES is deprecated and suffers from [Sweet32](https://sweet32.info/).

So I recommend using only the `EECDH+CHACHA20:EECDH+AES` cipher suite, which has [quite good compatibility](https://cryptcheck.fr/suite/EECDH+CHACHA20:EECDH+AES) and much better security than the current cipher suite.
@Zumochi

Zumochi commented Feb 22, 2018

Using only a single cipher might be a bit overkill, but I do agree it can be updated.

However, instead of updating it all the time, maybe it would be better to refer to for example Mozilla's recommended configurations instead to give freedom of choice to the user.

@aeris

Contributor Author

aeris commented Feb 22, 2018

I personally disagree with the Mozilla recommended configuration.
The "Modern" cipher suite suffers from compatibility troubles, mainly because it drops SHA-1 cipher suites, and so is mostly unusable in practice.
On the contrary, "Intermediate" is too weak because of non-PFS cipher suites or deprecated ones (3DES because of crypto weakness, DHE because of browser deprecation).

And in both cases, I disagree about the expanded cipher suite list: a shortcut form like `ECDHE+AES:!SHA` is much simpler to audit, understand and maintain than the complete expanded form `ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256`. Even if openssl suffers from very strange behaviour on expansion.

And my proposed cipher suite is not a single cipher, but 18 ciphers:

  • ECDHE-ECDSA-CHACHA20-POLY1305
  • ECDHE-RSA-CHACHA20-POLY1305
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-CCM8
  • ECDHE-ECDSA-AES256-CCM
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-CCM8
  • ECDHE-ECDSA-AES128-CCM
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES256-SHA
  • ECDHE-RSA-AES256-SHA
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-RSA-AES128-SHA
@biinari


biinari commented Jun 14, 2018

It's worth noting that PCI DSS will require websites to drop TLS 1.0 by 30 June 2018 (https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls), as well as requiring servers to be set up with secure cipher suites (though without specifically stating which they consider to be secure).

From what I can see, `ECDHE+AES:!SHA` has similar browser compatibility to TLS 1.1 (just a few old ones support TLS 1.1 without supporting those ciphers):
https://cryptcheck.fr/suite/ECDHE+AES:!SHA
https://caniuse.com/#feat=tls1-1

jdkoelsch added a commit to SpryDigital/server-configs-nginx that referenced this pull request Aug 27, 2018
Per h5bp#190
@LeoColomb

Member

LeoColomb commented Nov 23, 2018

@aeris Thanks for your PR! 👍 (and sorry for late reply)

Could you update comments to reflect this change? Thanks!

@LeoColomb LeoColomb force-pushed the h5bp:master branch from 4a06bfe to 8f186e9 Nov 23, 2018
LeoColomb added a commit that referenced this pull request Nov 25, 2018
TLSv1.0 & TLSv1.1 suffer from [POODLE](blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls) and other [padding oracle attacks](blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites).
You need to support only TLSv1.2 to expect to close those weaknesses (and use only AEAD cipher suites in case of padding oracles).

Likewise, non-PFS cipher suites are not at all recommended (see the Heartbleed effect).
DHE support [is dropped](digicert.com/blog/google-plans-to-deprecate-dhe-cipher-suites) from any decent user agent and can lead to a [MITM attack](media.ccc.de/v/32c3-7288-logjam_diffie-hellman_discrete_logs_the_nsa_and_you#t=1357) (around ~25 min into the video) with only one side supporting a weak cipher suite.
3DES is deprecated and suffers from [Sweet32](sweet32.info).

So I recommend using only the `EECDH+CHACHA20:EECDH+AES` cipher suite, which has [quite good compatibility](cryptcheck.fr/suite/EECDH+CHACHA20:EECDH+AES) and much better security than the current cipher suite.

Fix #201
Fix #183
Fix #190
Prepare #180

Co-authored-by: aeris <aeris@users.noreply.github.com>
LeoColomb added a commit that referenced this pull request Nov 29, 2018
@haggen


haggen commented Sep 12, 2019

Hi! I'm trying to validate a site against a client's specifications and I'm running into the issue that the report says CBC ciphers are still enabled, even though I'm using policy_modern.conf in my configuration.

The thing is, when I test the ciphers from the modern policy using `openssl ciphers`, it does not list any of the CBC ciphers, as you can see below, run on the server:

```
$ openssl ciphers -v 'EECDH+CHACHA20:EECDH+AES'
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
```

So my question is: is the current modern policy including these weak ciphers, and if not, then any ideas on why the report says they're enabled? I'm using the latest release of server-config-nginx and no interfering/invalid settings were found.

@LeoColomb

Member

LeoColomb commented Sep 14, 2019

@haggen If openssl doesn't list them, then they are not included in the list by default.

  • Are you sure you don't have any proxy or something between client and server?
  • Are you sure the nginx configuration is valid and does use that policy?
  • Are you sure your validation tool is right?
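As an added example (not code from the thread or from the h5bp project), a small POSIX shell helper that classifies an `openssl ciphers -v` listing the way a validation report does: in the TLS 1.2 suites listed, a Mac column of SHA1, SHA256 or SHA384 marks a CBC-mode suite, while AEAD suites (GCM, CCM, CHACHA20-POLY1305) show Mac=AEAD, and the SHA1 ones are exactly those an OpenSSL `!SHA` exclusion removes. The embedded sample is copied from the listing quoted above so the classification runs offline; `audit_cipher_string` assumes an `openssl` binary is on PATH.

```shell
#!/bin/sh
# Audit helpers for an `openssl ciphers -v` listing (one suite per line; the
# last field is the MAC, e.g. "Mac=AEAD" or "Mac=SHA256").

# Print the name of every suite that is not AEAD, i.e. the CBC suites.
non_aead_suites() {
    awk 'NF && $NF != "Mac=AEAD" { print $1 }'
}

# Print the suites with an HMAC-SHA1 MAC: the ones "!SHA" excludes.
# SHA256/SHA384 CBC suites are NOT touched by "!SHA".
sha1_suites() {
    awk 'NF && $NF == "Mac=SHA1" { print $1 }'
}

# Expand a cipher string on the local OpenSSL and report its CBC suites.
audit_cipher_string() {
    openssl ciphers -v "$1" | non_aead_suites
}

# Sample listing, copied from the `openssl ciphers -v 'EECDH+CHACHA20:EECDH+AES'`
# output in this thread (field spacing collapsed; awk splits on whitespace).
SAMPLE='TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1'

echo "CBC (non-AEAD) suites in the sample listing:"
printf '%s\n' "$SAMPLE" | non_aead_suites
echo "Of those, SHA1-MAC suites that !SHA would remove:"
printf '%s\n' "$SAMPLE" | sha1_suites
```

Running `audit_cipher_string 'EECDH+CHACHA20:EECDH+AES'` against the server's own OpenSSL shows whether its build expands the policy to the same CBC suites as the sample.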