SSL: add MumbleSSL::defaultOpenSSLCipherString().
This commit adds a new method to MumbleSSL that returns Mumble's preferred cipher suites represented in the OpenSSL cipher list format. This commit does not hook up the function to anything. It merely implements it.

Previously, Mumble relied on OpenSSL's default cipher suites. However, that decision has increasingly turned out to be unwise. Often, new TLS vulnerabilities require server admins and users to be able to change the cipher suites advertised by their software to help mitigate the damage. This was not previously possible in Mumble.

The other thing that prompted this change is the Logjam TLS vulnerability (https://weakdh.org/, CVE-2015-4000). Mumble is not vulnerable to Logjam, because Mumble has never allowed export grade DH groups. However, one of the other key takeaways from the Logjam paper, "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice", is that the Internet community should move towards DH groups bigger than 1024 bits, and preferably use unique groups on a per-server basis. Unfortunately, neither of these two solutions is possible with the API that Qt provides for TLS. To remedy this, we instead drop support for non-Elliptic Curve DH in the default cipher configuration. We don't have any legacy clients to support that can only use DH, so this is fine.

The OpenSSL cipher list in MumbleSSL::defaultOpenSSLCipherString() evaluates to the following set of cipher suites, in order of preference:

    ECDHE-RSA-AES256-GCM-SHA384   (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
    ECDHE-ECDSA-AES256-GCM-SHA384 (TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
    ECDHE-RSA-AES128-GCM-SHA256   (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
    ECDHE-ECDSA-AES128-GCM-SHA256 (TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
    AES256-SHA                    (TLS_RSA_WITH_AES_256_CBC_SHA)
    AES128-SHA                    (TLS_RSA_WITH_AES_128_CBC_SHA)

The CBC-mode cipher suites are included for backwards compatibility with older 1.2.x Mumble clients and other implementations that only use TLSv1.0.
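An added check, not part of this commit or of Mumble: it feeds an OpenSSL cipher string to the OpenSSL that Python's `ssl` module links against, expands it to the suites that build actually enables, and verifies the result against the list above and against the policy the message describes (no finite-field DH, no export suites). The cipher string used here is an assumption, since the commit lists only the evaluated suites and not the string itself.

```python
import ssl

# Constructed cipher string (assumption: the commit message gives the evaluated
# suites, not MumbleSSL::defaultOpenSSLCipherString() itself). Spelled out suite
# by suite so the preference order is explicit and no unintended suite matches.
CIPHER_STRING = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "AES256-SHA:AES128-SHA"
)

# The suite list the commit message says the string evaluates to, in order.
EXPECTED_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "AES128-SHA",
]


def resolve_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string into the ordered list of pre-TLS 1.3 suite
    names the linked OpenSSL enables for it. TLS 1.3 suites are configured
    separately in OpenSSL and are excluded so the comparison stays meaningful."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_suites(suites):
    """Return suites violating the commit's policy: no finite-field (non-EC)
    Diffie-Hellman, anonymous or otherwise, and no export-grade suites."""
    banned_kx = ("DHE", "EDH", "DH", "ADH")
    return [s for s in suites if s.split("-")[0] in banned_kx or s.startswith("EXP")]


def check_policy(cipher_string, expected):
    """Resolve the string and compare it with the expected list: no policy
    violations, no surprise suites, preference order preserved, and a report of
    expected suites the local OpenSSL build does not offer (e.g. a stricter
    distro security level may drop the CBC/SHA-1 fallbacks)."""
    resolved = resolve_cipher_string(cipher_string)
    return {
        "resolved": resolved,
        "violations": audit_suites(resolved),
        "unexpected": [s for s in resolved if s not in expected],
        "missing": [s for s in expected if s not in resolved],
        "order_ok": [s for s in expected if s in resolved] == resolved,
    }
```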