New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PFS support #630

Merged
merged 1 commit into from Apr 24, 2014

Conversation

Projects
None yet
2 participants
@MartinNowak
Contributor

MartinNowak commented Apr 21, 2014

  • make DH and ECDH configurable
  • choose defaults
  • select option to NOT reuse secrets

@MartinNowak MartinNowak restored the MartinNowak:pfs branch Apr 21, 2014

PFS support
- make DH and ECDH configurable

- choose defaults

- select option to NOT reuse secrets
@s-ludwig

This comment has been minimized.

Show comment
Hide comment
@s-ludwig

s-ludwig Apr 24, 2014

Member

Very nice, I'm going to test that in action right now! Not sure what the Travis error is caused by.

/but bah... that OpenSSL API is really one of the worst that I've ever seen. So much that you have to know and do by hand up front to get a secure system. Not even getting started with macro hell and that other stuff...

Member

s-ludwig commented Apr 24, 2014

Very nice, I'm going to test that in action right now! Not sure what the Travis error is caused by.

/but bah... that OpenSSL API is really one of the worst that I've ever seen. So much that you have to know and do by hand up front to get a secure system. Not even getting started with macro hell and that other stuff...

s-ludwig added a commit that referenced this pull request Apr 24, 2014

Merge pull request #630 from MartinNowak/pfs
Implement PFS support for SSLStream.

@s-ludwig s-ludwig merged commit 680e417 into vibe-d:master Apr 24, 2014

1 check failed

continuous-integration/travis-ci The Travis CI build failed
Details
@s-ludwig

This comment has been minimized.

Show comment
Hide comment
@s-ludwig

s-ludwig Apr 24, 2014

Member

Not sure what the Travis error is caused by.

Okay, was just an old version of the OpenSSL bindings still being picked up.

Member

s-ludwig commented Apr 24, 2014

Not sure what the Travis error is caused by.

Okay, was just an old version of the OpenSSL bindings still being picked up.

@s-ludwig

This comment has been minimized.

Show comment
Hide comment
@s-ludwig

s-ludwig Apr 24, 2014

Member

And after some quirks unrelated to this PR have been resolved (ccf7fe1, 9a6fd1a), I'm now getting TLS 1.2 with PFS enabled and pretty good scores on https://www.ssllabs.com/ssltest/. Great!

The only issues listed there are now:

  • Secure Client-Initiated Renegotiation: Supported DoS DANGER
  • Session resumption (caching): No (IDs assigned but not accepted)
  • BEAST attack: Not mitigated server-side

But PFS is chosen for any browser that supports it:

  • Forward Secrecy: Yes (with most browsers) ROBUST
Member

s-ludwig commented Apr 24, 2014

And after some quirks unrelated to this PR have been resolved (ccf7fe1, 9a6fd1a), I'm now getting TLS 1.2 with PFS enabled and pretty good scores on https://www.ssllabs.com/ssltest/. Great!

The only issues listed there are now:

  • Secure Client-Initiated Renegotiation: Supported DoS DANGER
  • Session resumption (caching): No (IDs assigned but not accepted)
  • BEAST attack: Not mitigated server-side

But PFS is chosen for any browser that supports it:

  • Forward Secrecy: Yes (with most browsers) ROBUST
@MartinNowak

This comment has been minimized.

Show comment
Hide comment
@MartinNowak

MartinNowak Apr 24, 2014

Contributor

We might even choose to only support EECDH and EDH, that is drop support for non-ephemeral diffie-helman, but the server will prefer the ephemeral versions already.

Contributor

MartinNowak commented Apr 24, 2014

We might even choose to only support EECDH and EDH, that is drop support for non-ephemeral diffie-helman, but the server will prefer the ephemeral versions already.

@MartinNowak MartinNowak deleted the MartinNowak:pfs branch Apr 24, 2014

@MartinNowak

This comment has been minimized.

Show comment
Hide comment
@MartinNowak

MartinNowak Apr 24, 2014

Contributor

/but bah... that OpenSSL API is really one of the worst that I've ever seen.

True, but I still have my mid term memory filled from updating the headers in case you have any questions.
update to OpenSSL 1.0.1g by MartinNowak · Pull Request #16 · D-Programming-Deimos/openssl

Contributor

MartinNowak commented Apr 24, 2014

/but bah... that OpenSSL API is really one of the worst that I've ever seen.

True, but I still have my mid term memory filled from updating the headers in case you have any questions.
update to OpenSSL 1.0.1g by MartinNowak · Pull Request #16 · D-Programming-Deimos/openssl

@s-ludwig

This comment has been minimized.

Show comment
Hide comment
@s-ludwig

s-ludwig Apr 24, 2014

Member

Yeah, of all the clients tested on the ssllabs site, no client has chosen a non-ephemeral DH cipher (some older clients had to fall back to non-DH ones), so I guess it should be safe to drop them.

Member

s-ludwig commented Apr 24, 2014

Yeah, of all the clients tested on the ssllabs site, no client has chosen a non-ephemeral DH cipher (some older clients had to fall back to non-DH ones), so I guess it should be safe to drop them.

@s-ludwig

This comment has been minimized.

Show comment
Hide comment
@s-ludwig

s-ludwig Apr 26, 2014

Member

Actually, I've overlooked some:

  • Android 2.3.7 uses DH-RSA-AES128
  • Old BingBot uses DH-RSA-AES256

So it's probably better to just keep the non-ephemeral ones as intermediate fallbacks. But I guess the (E)DH+3DES modes could be removed. Only old clients will use 3DES and those don't support DH at all (most notably IE on Windows XP).

Member

s-ludwig commented Apr 26, 2014

Actually, I've overlooked some:

  • Android 2.3.7 uses DH-RSA-AES128
  • Old BingBot uses DH-RSA-AES256

So it's probably better to just keep the non-ephemeral ones as intermediate fallbacks. But I guess the (E)DH+3DES modes could be removed. Only old clients will use 3DES and those don't support DH at all (most notably IE on Windows XP).

@MartinNowak

This comment has been minimized.

Show comment
Hide comment
@MartinNowak

MartinNowak May 4, 2014

Contributor

So it's probably better to just keep the non-ephemeral ones as intermediate fallbacks. But I guess the (E)DH+3DES modes could be removed. Only old clients will use 3DES and those don't support DH at all (most notably IE on Windows XP).

It probably doesn't matter, as we use the server preferred order. Not sure if exchanging the available ciphers has some sort of overhead though.

Contributor

MartinNowak commented May 4, 2014

So it's probably better to just keep the non-ephemeral ones as intermediate fallbacks. But I guess the (E)DH+3DES modes could be removed. Only old clients will use 3DES and those don't support DH at all (most notably IE on Windows XP).

It probably doesn't matter, as we use the server preferred order. Not sure if exchanging the available ciphers has some sort of overhead though.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment