
Proposal to disable old weak ciphers in openssl unless using a legacy branch or builds #3717

Closed
gripedthumbtacks opened this issue Jun 20, 2017 · 3 comments

Comments

@gripedthumbtacks

Proposal to disable old weak ciphers in openssl unless using a legacy branch or builds

RC4, DES, 3DES, and CBC cipher suites are all known to have security issues. Why are they still being included in openssl and made available? Would it be possible to split openssl into a "next-gen" branch and also a "legacy" branch? This would help prevent TLS / website operators from using insecure defaults they didn't expect, or settings they just assumed were "secure by default". E.g., could the default be "openssl-ng" unless someone wanted to acquire "openssl-legacy" for backward compatibility reasons? We are discussing this at the h2o web server github. Team has suggested the changes be made in openssl instead of providing secure defaults at the h2o web server project level via a default enforcement or config.

h2o/h2o#1334 (comment)

Thoughts?

@kroeckx
Member

kroeckx commented Jun 20, 2017

RC4 and DES are disabled by default. You need to use a compile time option to enable them. We still have some CBC suites enabled by default for compatibility reasons, but their priority is the lowest.

This is what the default looks like in 1.1.0:

ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1

@gripedthumbtacks
Author

Thanks. Any reason not to disable all the known weakened cipher suites including those with CBC by default? And why not enforce TLSv1.2 by default and leave off SSLv3 and TLSv1? It seems to me that only legacy clients require anything less than the following:

minimum-version: TLSv1.2
cipher-suite: ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;
cipher-preference: server

The above config supports all non-legacy clients in a robust manner with no CBC (known attacks) nor SHA-1 (broken in some scenarios). Anything not in that list above is technically an End-of-Life client, such as Windows Vista, IE8-10, OS X 10.10, Android 4.3, etc.
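To make the two lists in this thread comparable, here is an added example (not code from OpenSSL or h2o) that parses the `openssl ciphers -v` listing kroeckx quoted above, flags each suite for the properties this proposal cares about (non-AEAD/CBC, SHA1 MAC, static RSA key exchange), and diffs the surviving suites against the four-suite cipher string proposed here. The 27-line listing is embedded verbatim as sample input; the column and flag names are this example's own. One caveat the comparison makes visible: the version column printed by `openssl ciphers -v` is the suite's minimum protocol, not a ceiling, so a `minimum-version: TLSv1.2` setting alone does not remove the `SSLv3`/`TLSv1` CBC-SHA1 suites from a TLS 1.2 handshake; only the cipher string does.

```python
import re

# The OpenSSL 1.1.0 default list exactly as quoted in this issue (sample input).
DEFAULT_1_1_0 = """\
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""

# The cipher string proposed in the comment above, split into suite names.
PROPOSED = ("ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:"
            "DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256").split(":")

# One `openssl ciphers -v` line: name, min protocol, then Kx=, Au=, Enc=, Mac= columns.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)\s*$")


def parse_ciphers(listing):
    """Parse `openssl ciphers -v` output into dicts; malformed lines are skipped."""
    suites = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, proto, kx, au, enc, mac = m.groups()
            # 'proto' is the suite's *minimum* protocol, not the only one it runs under.
            suites.append({"name": name, "min_proto": proto, "kx": kx,
                           "au": au, "enc": enc, "mac": mac})
    return suites


def weaknesses(suite):
    """Properties the proposal objects to; an empty list means the suite passes."""
    found = []
    if suite["mac"] != "AEAD":
        found.append("non-AEAD (CBC mode, MAC-then-encrypt)")
    if suite["mac"] == "SHA1":
        found.append("SHA1 MAC")
    if suite["kx"] == "RSA":
        found.append("static RSA key exchange (no forward secrecy)")
    return found


def strong_suites(suites):
    """Names of suites with no flagged weakness, in the listing's preference order."""
    return [s["name"] for s in suites if not weaknesses(s)]


def compare_with_proposal(suites, proposed=PROPOSED):
    """Return (kept, strong_but_dropped, proposed_but_weak) relative to the proposal."""
    strong = strong_suites(suites)
    kept = [n for n in strong if n in proposed]
    strong_but_dropped = [n for n in strong if n not in proposed]
    proposed_but_weak = [n for n in proposed if n not in strong]
    return kept, strong_but_dropped, proposed_but_weak


if __name__ == "__main__":
    suites = parse_ciphers(DEFAULT_1_1_0)
    for s in suites:
        print(f"{s['name']:32} {s['min_proto']:8} {'; '.join(weaknesses(s)) or 'ok'}")
    kept, dropped, weak = compare_with_proposal(suites)
    print("proposal keeps:", kept)
    print("strong defaults the proposal also drops:", dropped)
    print("proposed suites that fail the check:", weak)
```

Running it shows that nine of the 27 defaults pass the AEAD-plus-forward-secrecy check, that all four proposed suites are among them, and that the proposal additionally drops the five ECDSA-authenticated and remaining DHE AEAD suites, which is a choice about certificate type and DH cost rather than about cipher strength.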

@kroeckx
Member

kroeckx commented Jun 20, 2017

Please note that there is a very long tail of old software that does not support modern TLS versions or ciphers. If you disable all non-AEAD ciphers and older TLS versions you will not be able to talk to some other software anymore. So for compatibility reasons they are still enabled for now. Note that your browser also supports those ciphers. I'm sure that at some point we will disable them by default, and I hope to do that soon, but I think it's still too early to do so.

Please note that OpenSSL is used as both client and server, and those defaults apply to both of them.

If you want to restrict your server to only use TLS 1.2 or higher, I suggest you make it call SSL_CTX_set_min_proto_version() with TLS1_2_VERSION or if using 1.0.2 use SSL_CTX_set_options() with SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1.
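As an added example of the per-application restriction suggested here (not code from OpenSSL or h2o), the following builds a server context through Python's standard-library `ssl` module, which wraps libssl: `minimum_version` is the module's front for `SSL_CTX_set_min_proto_version()`, `options` carries the same `SSL_OP_NO_*` bits for the 1.0.2-style path, and `set_ciphers()` takes the OpenSSL cipher string from the proposal. `enabled_suite_names()` and `weak_suites()` then read back `get_ciphers()` so the configuration can be checked rather than assumed. It assumes the local OpenSSL build includes the four proposed suites; the function names are this example's own.

```python
import ssl

# Cipher string proposed earlier in this issue.
PROPOSED_CIPHERS = ("ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:"
                    "DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256")


def make_tls12_only_server_context(cipher_string=PROPOSED_CIPHERS):
    """Server context restricted to TLS 1.2+, the given suites, server preference."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Same effect as SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION).
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Server-side ordering, i.e. h2o's "cipher-preference: server".
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    # Restrict the pre-TLS-1.3 suites; TLS 1.3 suites are configured separately by libssl.
    ctx.set_ciphers(cipher_string)
    return ctx


def legacy_options_mask():
    """The 1.0.2-era alternative: the SSL_OP_NO_* bits to OR into SSL_CTX_set_options()."""
    return ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1


def min_version_name(ctx):
    """Name of the configured floor, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def enabled_suite_names(ctx):
    """Sorted names of the enabled pre-1.3 suites as libssl reports them back."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3")


def weak_suites(ctx):
    """Enabled pre-1.3 suites that are non-AEAD, SHA1-MACed, or use static RSA key exchange."""
    bad = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        digest = (c["digest"] or "").lower()      # None for AEAD suites
        kea = (c["kea"] or "").lower()            # e.g. 'kx-ecdhe', 'kx-rsa'
        if not c["aead"] or digest == "sha1" or kea.endswith("rsa"):
            bad.append(c["name"])
    return bad


if __name__ == "__main__":
    ctx = make_tls12_only_server_context()
    print("minimum version:", min_version_name(ctx))
    print("enabled suites :", enabled_suite_names(ctx))
    print("weak suites    :", weak_suites(ctx))
    print("legacy OP_NO_* mask:", hex(legacy_options_mask()))
```

A useful habit when deploying this: run `weak_suites()` (or the equivalent `openssl ciphers -v '<string>'`) against the exact cipher string you ship, since `set_ciphers()` accepts any string that matches at least one suite and will not tell you if a CBC suite slipped in through a keyword like `HIGH`.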
