Talk:Security/Server Side TLS

From MozillaWiki
Revision as of 12:57, 15 December 2013 by Kroeckx (talk | contribs) (→‎RC4)
Jump to navigation Jump to search

Sources: https://jve.linuxwall.info/blog/index.php?post/2013/10/12/A-grade-SSL/TLS-with-Nginx-and-StartSSL https://www.insecure.ws/2013/10/11/ssltls-configuration-for-apache-mod_ssl/

RC4

Full discussion: https://bugzilla.mozilla.org/show_bug.cgi?id=927045

RC4-based ciphers ought to be completely removed from the list, better attacks are coming like this one: https://www.usenix.org/conference/usenixsecurity13/security-rc4-tls'

The reason to keep RC4 or 3DES is to support windows XP. Maybe 3DES should be kept instead since it it's still considered secure but slow.

Page protection

This wiki page is protected against changes. Changes must be discussed in this section beforehand. If you have any comments, please leave them here.

Prioritzation logic and ciphersuite recommendation

The Prioritization logic says to prioritize 128 bit AES over 256 bit, but recommended ciphersuite has DHE-RSA-AES256* prioritized over DHE-RSA-AES128*. Breaking rule #3. Lots of non-forward-secret ciphers are prioritized over DHE-RSA-AES128*, breaking rule #2.

I think the recommended ciphersuite should be fixed to reflect the rules in the priorization logic. Maybe change the recommended cipher suite to the following?


ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK

or for people lacking trust in ECC/NIST curves:

DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK

answer from ulfr, 20131202

That's a good catch! Thanks for reporting it. I had missed a couple of aes256 above aes128 in the density of the ciphersuite. I updated the page, see the diff at https://wiki.mozilla.org/index.php?title=Security%2FServer_Side_TLS&diff=779260&oldid=768649

However, I am confused by your comment that "Lots of non-forward-secret ciphers are prioritized over DHE-RSA-AES128*, breaking rule #2.". Even before the latest change, only PFS ciphers where listed above DHE-RSA-AES128. Did you mean something different?

Reply to ulfr, 20131209 -- janfrode

> However, I am confused by your comment that "Lots of non-forward-secret ciphers are prioritized over DHE-RSA-AES128*, breaking rule #2.". Even before the latest change, only PFS ciphers where listed above DHE-RSA-AES128. Did you mean something different?

Not sure what I did previously. I now see DHE-RSA-AES128* before all non-PFS ciphers. On RHEL6.5/apache-2.2.15 With the currently suggested cipher suites, I got the following order:


prio  ciphersuite                protocols                    pfs_keysize
1     DHE-RSA-AES128-GCM-SHA256  SSLv3,TLSv1,TLSv1.1,TLSv1.2
2     DHE-RSA-AES256-GCM-SHA384  SSLv3,TLSv1,TLSv1.1,TLSv1.2
3     DHE-RSA-AES128-SHA256      SSLv3,TLSv1,TLSv1.1,TLSv1.2
4     DHE-RSA-AES128-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2
5     DHE-RSA-AES256-SHA256      SSLv3,TLSv1,TLSv1.1,TLSv1.2
6     DHE-RSA-AES256-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2
7     AES128-GCM-SHA256          SSLv3,TLSv1,TLSv1.1,TLSv1.2
8     AES256-GCM-SHA384          SSLv3,TLSv1,TLSv1.1,TLSv1.2
9     AES128-SHA256              SSLv3,TLSv1,TLSv1.1,TLSv1.2
10    AES128-SHA                 SSLv3,TLSv1,TLSv1.1,TLSv1.2
11    AES256-SHA256              SSLv3,TLSv1,TLSv1.1,TLSv1.2
12    AES256-SHA                 SSLv3,TLSv1,TLSv1.1,TLSv1.2
13    RC4-SHA                    SSLv3,TLSv1,TLSv1.1,TLSv1.2
14    DHE-RSA-CAMELLIA256-SHA    SSLv3,TLSv1,TLSv1.1,TLSv1.2
15    CAMELLIA256-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2
16    DHE-RSA-CAMELLIA128-SHA    SSLv3,TLSv1,TLSv1.1,TLSv1.2
17    CAMELLIA128-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2

This still prefers 256 bit DHE-RSA-AES256-GCM-SHA384 over various 128 bit ciphers. And the DHE-RSA-CAMELLIA* suites should probably be moved above the non-PFS.

And did you really mean to introduce the DHE-DSS-suites in the new list? The qualys ssl servertest says these can't be used for PFS because they're effectivly limited to 1024 bit DSS key.