[Ach] pls pull, various changes

Adi Kriegisch adi at kriegisch.at
Mon Nov 11 12:32:13 CET 2013


Hi!

On Sun, Nov 10, 2013 at 07:14:08PM +0100, christian mock wrote:
> I finally found some time to go over the document; apart from a few
> typos, I've changed the postfix section and added "sslscan" to the
> tool list.
Great!
 
> regarding the cipher suites for apache (and others) -- AFAICT you need
> apache 2.4 to support ECDHE (debian stable has 2.2), and maybe you
> don't trust EC. Without ECDHE, *all* versions of IE are excluded,
> which should at least be mentioned in the document, and will probably
> be a no-go in a commercial setting.
nginx provides ECC in Debian/stable for example. The question of ECC or
not is a very important one IMHO.
One may either trust ECC (with the NIST curves) and risk being
brute-forceable through some (unknown) weakness or add a non-ephemeral
cipher like TLS_RSA_WITH_AES_256_CBC_SHA (0x35) or
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) (and adapt your policy to dealing with
shorter certificate lifetime or more frequent password changes or
whatever).

Regarding the cipher string you suggested:

  tls_high_cipherlist=DHE+AESGCM:ECDHE-ECDSA-AES256-SHA384:\
    ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-SHA:\
    ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:\
    DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:!ADH:!AECDH:\
    !MD5:!DSS
You explicitly add DHE-DSS-AES256-SHA, DHE-DSS-CAMELLIA256-SHA and later on
remove them with "!DSS" (which I agree with, because they're limited to 1024bit
key size which is against our recommendation). I'd suggest cleaning up that
cipher list a little. On Debian/stable this list expands to:
          0xC0,0x24 - ECDHE-ECDSA-AES256-SHA384 TLSv1.2
          0xC0,0x28 - ECDHE-RSA-AES256-SHA384   TLSv1.2
          0x00,0x6B - DHE-RSA-AES256-SHA256     TLSv1.2
          0xC0,0x0A - ECDHE-ECDSA-AES256-SHA    SSLv3
          0xC0,0x14 - ECDHE-RSA-AES256-SHA      SSLv3
          0x00,0x39 - DHE-RSA-AES256-SHA        SSLv3
          0x00,0x88 - DHE-RSA-CAMELLIA256-SHA   SSLv3

When removing the DSA ciphers (which need DSA certs), two TLSv1.2 and three
SSLv1/TLS1 ciphers remain.
Is there a special reason why you do not add ECDHE-RSA-AES256-GCM-SHA384 or
DHE-RSA-AES256-GCM-SHA384 for example?

I hope we can have a short discussion about how we will recommend cipher
strings in our paper. As of now, we at least have two different cipher
strings -- one with ECC and one without. Then there might be a
recommendation based on 256 vs. 128bit and probably one on using DSA (or
how to use DSA)...

-- Adi
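
The cleanup suggested in the message above, as an added example that is not part of the original mail: a small lint that finds explicitly listed suites which a later "!" term removes again. The function names are hypothetical, and the name-part matching is a heuristic assumed for this example, not OpenSSL's own attribute-based matching.

```python
import re

# Cipher string quoted in the message above (postfix tls_high_cipherlist value).
CIPHERLIST = r"""DHE+AESGCM:ECDHE-ECDSA-AES256-SHA384:\
    ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-SHA:\
    ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:\
    DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:!ADH:!AECDH:\
    !MD5:!DSS"""


def tokens(cipherlist):
    """Split an OpenSSL cipher string, joining backslash-continued lines."""
    joined = re.sub(r"\\\s*\n\s*", "", cipherlist)
    # OpenSSL accepts colon, comma and space as separators.
    return [t for t in re.split(r"[:, ]+", joined.strip()) if t]


def lint(cipherlist):
    """Return (dead, cleaned).

    dead    -- explicit suite names that a '!' term in the same string kills,
               each with the keyword(s) responsible
    cleaned -- the same string with those dead entries dropped

    Assumption: a suite matches '!KEY' when KEY is one of the dash-separated
    parts of its name (DHE-DSS-AES256-SHA has the part DSS). Selector
    expressions such as DHE+AESGCM are left untouched.
    """
    toks = tokens(cipherlist)
    killed = {t[1:] for t in toks if t.startswith("!")}
    dead, kept = [], []
    for t in toks:
        explicit = t[0] not in "!+-@" and "+" not in t
        hits = killed.intersection(t.split("-")) if explicit else set()
        if hits:
            dead.append((t, sorted(hits)))
        else:
            kept.append(t)
    return dead, ":".join(kept)


if __name__ == "__main__":
    dead, cleaned = lint(CIPHERLIST)
    for name, why in dead:
        print(f"dead entry: {name} (removed by !{', !'.join(why)})")
    print("cleaned:", cleaned)
```
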