Remove deprecated ciphers and protocols

[aeris]

TLSv1.0 & TLSv1.1 suffer from POODLE and other padding oracle attack
You need to support only TLSv1.2 to expect closing those weakness (and use only AEAD cipher suite in case of padding oracle).

The same, non PFS cipher suite is not at all recommended (see heartbleed effect).
DHE support is dropped from any decent user agent and can lead to mitm attack (arround ~25min in the video) with only one side supporting weak cipher suite.
3DES is deprecated and suffer from sweet32

So I recommend using only the EECDH+CHACHA20:EECDH+AES cipher suite, which has quite good compatibility and a very better security than the actual cipher suite.

[Zumochi]

Using only a single cipher might be a bit overkill, but I do agree it can be updated.

However, instead of updating it all the time, maybe it would be better to refer to for example Mozilla's recommended configurations instead to give freedom of choice to the user.

[aeris]

I personaly disagree with the Mozilla recommended configuration.
"Modern" cipher suite suffers from compatibility troubles mainly because drops SHA-1 cipher suite, and so is mostly unusable in practice.
On the contrary "Intermediate" is too weak because of non-PFS cipher suite or deprecated one (3DES because of crypto weakness, DHE because of browser deprecation).

And in both cases, I disagree about the expanded cipher suite list, shortcut form like ECDHE+AES:!SHA is much more simple to audit, to understand and to maintain than complete expanded form ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256. Even if openssl suffers from very strange behaviour on expansion.

And my proposed cipher suite is not a single cipher, but 18 ciphers :

• ECDHE-ECDSA-CHACHA20-POLY1305
• ECDHE-RSA-CHACHA20-POLY1305
• ECDHE-ECDSA-AES256-GCM-SHA384
• ECDHE-RSA-AES256-GCM-SHA384
• ECDHE-ECDSA-AES256-CCM8
• ECDHE-ECDSA-AES256-CCM
• ECDHE-ECDSA-AES128-GCM-SHA256
• ECDHE-RSA-AES128-GCM-SHA256
• ECDHE-ECDSA-AES128-CCM8
• ECDHE-ECDSA-AES128-CCM
• ECDHE-ECDSA-AES256-SHA384
• ECDHE-RSA-AES256-SHA384
• ECDHE-ECDSA-AES128-SHA256
• ECDHE-RSA-AES128-SHA256
• ECDHE-ECDSA-AES256-SHA
• ECDHE-RSA-AES256-SHA
• ECDHE-ECDSA-AES128-SHA
• ECDHE-RSA-AES128-SHA

[biinari]

It's worth noting that PCI DSS will require websites to drop TLS 1.0 by 30 June 2018 https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls as well as requiring servers to be setup with secure cipher suites (though without specifically stating which they consider to be secure).

From what I can see, ECDHE+AES:!SHA has similar browser compatibility to TLS 1.1 (just a few old ones support TLS 1.1 without supporting those ciphers)
https://cryptcheck.fr/suite/ECDHE+AES:!SHA
https://caniuse.com/#feat=tls1-1

[LeoColomb]

@aeris Thanks for your PR! 👍 (and sorry for late reply)

Could you update comments to reflect this change? Thanks!

[haggen]

Hi! I'm trying to validate a site with a client specifications and I'm running into the issue that the report says CBC ciphers are still enabled, even though I'm using policy_modern.conf in my configuration.

The thing is when I test the ciphers from the modern policy using openssl cipher it does not list any of the CBC ciphers, as you can see below, ran on the server:

$ openssl ciphers -v 'EECDH+CHACHA20:EECDH+AES'
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1

So my question is: is the current modern policy including these weak ciphers, and if not, then any ideas on why the report says they're enabled? I'm using the latest release of server-config-nginx and no interefing/invalid settings were found.

[LeoColomb]

@haggen If openssl doesn't list them then they are not included in the list by default.

• Are you sure you don't have any proxy or something between client and server?
• Are you sure the nginx configuration is valid and do use that policy?
• Are you sure your validation tool is right?