Proposal to disable old weak ciphers in openssl unless using a legacy branch or builds #3717
Comments
RC4 and DES are disabled by default. You need to use a compile time option to enable them. We still have some CBC suites enabled by default for compatibility reasons, but their priority is the lowest. This is what the default looks like in 1.1.0:
Thanks. Any reason not to disable all the known weakened cipher suites including those with CBC by default? And why not enforce TLSv1.2 by default and leave off SSLv3 and TLSv1? It seems to me that only legacy clients require anything less than the following:
minimum-version: TLSv1.2
The above config supports all non-legacy clients in a robust manner with no CBC (known attacks) nor SHA-1 (broken in some scenarios). Anything not in that list above is technically an End-of-Life client, such as Windows Vista, IE8-10, OS X 10.10, Android 4.3, etc.
Please note that there is a very long tail of old software that does not support modern TLS versions or ciphers. If you disable all non-AEAD ciphers and older TLS versions you will not be able to talk to some other software anymore. So for compatibility reasons they are still enabled for now. Note that your browser also supports those ciphers. I'm sure that at some point we will disable them by default, and I hope to do that soon, but I think it's still too early to do so. Please note that OpenSSL is used as both client and server, and those defaults apply to both of them. If you want to restrict your server to only use TLS 1.2 or higher, I suggest you make it call SSL_CTX_set_min_proto_version() with TLS1_2_VERSION or if using 1.0.2 use SSL_CTX_set_options() with SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1.
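An added example (not code from this thread or from OpenSSL) of what the advice above amounts to at the application level, written against Python's standard-library ssl module, which wraps these same OpenSSL context calls. It assumes Python 3.7+ built against OpenSSL 1.1.0g or later (for minimum_version); the cipher string and the audit helper are constructed here.

```python
import ssl

# Added example, not code from the openssl issue thread. The thread argues about
# OpenSSL's library-wide defaults; an application does not have to wait for them.
# Assumes Python 3.7+ built against OpenSSL 1.1.0g or later (for minimum_version).

# Cipher string matching the proposal above: ECDHE key exchange, AEAD bulk
# ciphers only, and CBC / SHA-1 suites explicitly excluded.
AEAD_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!SHA1"


def hardened_context() -> ssl.SSLContext:
    """Server context restricted to TLS 1.2+ and AEAD suites.

    Equivalent to SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION) plus
    SSL_CTX_set_cipher_list() in C. On 1.0.2, which lacks the min-version
    call, the fallback is ctx.options |= OP_NO_SSLv3 | OP_NO_TLSv1 | OP_NO_TLSv1_1.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(AEAD_ONLY)  # raises SSLError if no suite would be left
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Report what a context would actually offer on the wire.

    get_ciphers() lists every negotiable suite in priority order. Anything
    that is not AEAD is a CBC (or RC4) suite with an HMAC, i.e. exactly the
    class the issue wants disabled; SHA-1 MACs are flagged as well.
    """
    offered = ctx.get_ciphers()
    return {
        "min_version": ctx.minimum_version.name,
        "offered": len(offered),
        "weak": [c["name"] for c in offered
                 if not c["aead"] or c["digest"] == "SHA1"],
    }


if __name__ == "__main__":
    # Library defaults (which the maintainer above says must stay broad for
    # now) versus an application that opts into the stricter policy itself.
    print("default :", audit(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)))
    print("hardened:", audit(hardened_context()))
```

Running it on a stock build shows the default context still offering non-AEAD suites while the hardened one offers none, which is the gap between library defaults and per-application policy that the two comments above are debating.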
RC4, DES, 3DES, and CBC cipher suites are all known to have security issues. Why are they still being included in openssl and made available? Would it be possible to split openssl into a "next-gen" branch and also a "legacy" branch? This would help prevent TLS / website operators from using insecure defaults they didn't expect, or settings they just assumed were "secure by default". E.g., could the default be "openssl-ng" unless someone wanted to acquire "openssl-legacy" for backward compatibility reasons? We are discussing this at the h2o web server github. The team has suggested the changes be made in openssl instead of providing secure defaults at the h2o web server project level via a default enforcement or config.
h2o/h2o#1334 (comment)
Thoughts?