[Ach] pls pull, various changes
adi at kriegisch.at
Mon Nov 11 12:32:13 CET 2013
On Sun, Nov 10, 2013 at 07:14:08PM +0100, christian mock wrote:
> I finally found some time to go over the document; apart from a few
> typos, I've changed the postfix section and added "sslscan" to the
> tool list.
> regarding the cipher suites for apache (and others) -- AFAICT you need
> apache 2.4 to support ECDHE (debian stable has 2.2), and maybe you
> don't trust EC. Without ECDHE, *all* versions of IE are excluded,
> which should at least be mentioned in the document, and will probably
> be a no-go in a commercial setting.
nginx provides ECC in Debian/stable for example. The question of ECC or
not is a very important one IMHO.
One may either trust ECC (with the NIST curves) and risk being
brute-forceable through some (unknown) weakness or add a non-ephemeral
cipher like TLS_RSA_WITH_AES_256_CBC_SHA (0x35) or
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) (and adapt your policy to dealing with
shorter certificate lifetime oder more frequent password changes or
Regarding the cipher string you suggested:
You explicitly add DHE-DSS-AES256-SHA, DHE-DSS-CAMELLIA256-SHA and later on
remove them with "!DSS" (which I agree, because they're limited to 1024bit
key size which is against our recommendation). I'd suggest to clean up that
cipher list a little. On Debian/stable this list expands to:
0xC0,0x24 - ECDHE-ECDSA-AES256-SHA384 TLSv1.2
0xC0,0x28 - ECDHE-RSA-AES256-SHA384 TLSv1.2
0x00,0x6B - DHE-RSA-AES256-SHA256 TLSv1.2
0xC0,0x0A - ECDHE-ECDSA-AES256-SHA SSLv3
0xC0,0x14 - ECDHE-RSA-AES256-SHA SSLv3
0x00,0x39 - DHE-RSA-AES256-SHA SSLv3
0x00,0x88 - DHE-RSA-CAMELLIA256-SHA SSLv3
When removing the DSA ciphers (which need DSA certs), two TLSv1.2 and three
SSLv1/TLS1 ciphers remain.
Is there a special reason why you do not add ECDHE-RSA-AES256-GCM-SHA384 or
DHE-RSA-AES256-GCM-SHA384 for example?
I hope we can have a short discussion about how we will recommend cipher
strings in our paper. As of now, we at least have two different cipher
strings -- one with ECC and one without. Then there might be a
recommendation based on 256 vs. 128bit and probably one on using DSA (or
how to use DSA)...
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 827 bytes
Desc: Digital signature
More information about the Ach