[v23.1.x] tls: Prefer faster ciphers and use server preference #11218
Merged: StephanDollberg merged 1 commit into redpanda-data:v23.1.x from vbotbuildovich:backport-pr-11167-v23.1.x-247 on Jun 6, 2023
Commits on Jun 6, 2023
tls: Prefer faster ciphers and use server preference
Makes `tls_config::get_credentials_builder` set gnutls priority strings to choose CPU friendlier ciphers which should help with TLS performance.

We were already doing this for the cloud clients (see `build_tls_credentials` in `configuration.cc`) but not in `tls_config::get_credentials_builder` which is used for all API TLS endpoints.

This results in chosen ciphers as follows:

Before:

```
stephan@rp:~$ nmap -Pn --script ssl-enum-ciphers -p 9092 35.86.175.191
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-02 16:39 BST
Nmap scan report for ec2-35-86-175-191.us-west-2.compute.amazonaws.com (35.86.175.191)
Host is up (0.13s latency).

PORT     STATE SERVICE
9092/tcp open  XmlIpcRegSvc
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_CCM_SHA256 (secp256r1) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|     cipher preference: client
|_  least strength: A
```

After:

```
stephan@rp:~/build/redpanda$ nmap -Pn --script ssl-enum-ciphers -p 9092 35.86.175.191
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-02 17:32 BST
Nmap scan report for ec2-35-86-175-191.us-west-2.compute.amazonaws.com (35.86.175.191)
Host is up (0.13s latency).

PORT     STATE SERVICE
9092/tcp open  XmlIpcRegSvc
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_AKE_WITH_AES_128_CCM_SHA256 (secp256r1) - A
|     cipher preference: server
|_  least strength: A
```

Two important differences.

First, we see that the GCM based ciphers are now at the top in TLS1.2/1.3. GCM is a lot faster than CBC/CCM as shown below in the gnutls bench.

Second, we now follow server preference. This means that the server priority list will actually be used by the server to choose which cipher to use and not follow the client priority list.

For reference gnutls bench on my local machine:

```
stephan@rp:~/build/redpanda$ vbuild/release/clang/rp_deps_install/bin/gnutls-cli --benchmark-tls-ciphers aes-128-gcm
Testing throughput in cipher/MAC combinations (payload: 1400 bytes)
         AES-128-GCM - TLS1.2  2.62 GB/sec
         AES-128-GCM - TLS1.3  2.31 GB/sec
         AES-128-CCM - TLS1.2  0.55 GB/sec
         AES-128-CCM - TLS1.3  0.54 GB/sec
   CHACHA20-POLY1305 - TLS1.2  0.39 GB/sec
   CHACHA20-POLY1305 - TLS1.3  0.39 GB/sec
         AES-128-CBC - TLS1.0  0.72 GB/sec
    CAMELLIA-128-CBC - TLS1.0  129.61 MB/sec
 GOST28147-TC26Z-CNT - TLS1.2  36.25 MB/sec

Testing throughput in cipher/MAC combinations (payload: 16384 bytes)
         AES-128-GCM - TLS1.2  4.45 GB/sec
         AES-128-GCM - TLS1.3  4.16 GB/sec
         AES-128-CCM - TLS1.2  0.59 GB/sec
         AES-128-CCM - TLS1.3  0.59 GB/sec
   CHACHA20-POLY1305 - TLS1.2  0.43 GB/sec
   CHACHA20-POLY1305 - TLS1.3  0.43 GB/sec
         AES-128-CBC - TLS1.0  0.90 GB/sec
    CAMELLIA-128-CBC - TLS1.0  134.66 MB/sec
 GOST28147-TC26Z-CNT - TLS1.2  36.76 MB/sec
```

Issue redpanda-data/core-internal#522

(cherry picked from commit f9ed374)
Commit bd91d94
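A check for the two properties the commit message highlights (server-side cipher preference, and a GCM suite ranked first for TLS 1.2/1.3), as an added example that is not part of the pull request or the Redpanda code base. It parses `ssl-enum-ciphers` output in the layout shown above; the function names and the abbreviated sample output are constructed for illustration.

```python
import re

# Constructed sample: abbreviated ssl-enum-ciphers output in the layout from the commit message.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_CCM_SHA256 (secp256r1) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     cipher preference: client
|_  least strength: A
"""

def parse_enum_ciphers(text):
    """Return {protocol: {"ciphers": [names in listed order], "preference": str or None}}."""
    result, proto, in_ciphers = {}, None, False
    for raw in text.splitlines():
        line = re.sub(r"^\|_?\s*", "", raw).strip()   # drop nmap's "| " / "|_ " gutter
        if re.fullmatch(r"(TLSv1\.\d|SSLv\d):", line):
            proto, in_ciphers = line[:-1], False
            result[proto] = {"ciphers": [], "preference": None}
        elif proto is None:
            continue                                  # header lines before the first protocol
        elif line.endswith(":"):
            in_ciphers = line == "ciphers:"           # "compressors:" ends the cipher list
        elif line.startswith("cipher preference:"):
            result[proto]["preference"] = line.split(":", 1)[1].strip()
        elif in_ciphers and line.startswith("TLS_"):
            result[proto]["ciphers"].append(line.split()[0])
    return result

def audit(text, gcm_protocols=("TLSv1.2", "TLSv1.3")):
    """Report client-driven cipher selection, or a non-GCM suite ranked first."""
    findings = []
    for proto, info in parse_enum_ciphers(text).items():
        if info["preference"] != "server":
            findings.append((proto, "preference", info["preference"]))
        if proto in gcm_protocols and info["ciphers"] and "_GCM_" not in info["ciphers"][0]:
            findings.append((proto, "first-cipher", info["ciphers"][0]))
    return findings
```

The GCM check is limited to TLS 1.2 and 1.3 because the TLS 1.0/1.1 listings above contain only CBC suites.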