[Ach] [ssllabs-discuss] Minimal recommended cipher suite list, pref. as an interactive SSL Labs page

Aaron Zauner azet at azet.org
Thu Jun 12 14:04:57 CEST 2014


Hi,

Hubert Kario wrote:
> 
> There's nothing wrong with DSS (when used correctly), current standard
> allows for keys up to 3072 bit in size so they are basically as secure
> as RSA. Also, if you don't have a DSS certificate, presence or absence
> of DSS cipher suites has no impact on the supported cipher suites what
> so ever (I'm assuming we're still talking about server side).
This is true for the current DSS spec. For example, OpenSSH still does
not support it. I'm unsure of how that's going with webserver daemons.

>> Another issue is
>> that these cipherstrings work differently on OpenSSL <= 0.9.8 and
>> OpenSSL >= 1.0.0 - all do not include GnuTLS (we do not either). As well
>> as other TLS libraries.
> 
> I assume that you mean the preference of RC4-SHA over AES128-SHA or
> AES256-SHA with 0.9.8?
That's one issue. I was actually talking about the way old OpenSSL
versions parse cipherstrings as compared to how newer versions of
OpenSSL parse these strings. The output can be quite different and may
omit some security by accident, we've just had that problem with our
recommendation (OpenSSL 0.9.8 tree was excluding all ephemeral DH
ciphersuites) and fixed that with a modification that now parses
correctly in 0.9.8 and 1.0.0+. There has been a short discussion
regarding this topic on the openssl-dev mailing list.

I've come to the conclusion that it is extremely difficult to provide
sane and secure cipherstring recommendations even with proper peer
review by security experts; given differences in SSL libraries (most
only talk about OpenSSL), even differences in different versions of the
same library, client and server software and protocol stacks. So far no
project does a really good job at that, none include stuff like Apple
Crypto Framework, SChannel, GnuTLS, PolarSSL, Botan [...].

Because of these issues we've run into I've recently written a set of
shell scripts to do testing of cipherstring negotiation and preference
for different versions of openssl. I'm still lacking a tool that does
this for all popular TLS libraries and I'm probably not going to write
something like that in the near future.

Hrm,..


Aaron
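A small POSIX shell harness in the spirit of the version-comparison scripts mentioned above. This is an added example, not Aaron's scripts or anything from the ACH project: it expands one cipherstring with several `openssl` binaries via `openssl ciphers -v`, counts suites by key-exchange field (`Kx=DH` is ephemeral DH; `Kx=DH/RSA` and `Kx=DH/DSS` are the static variants) and lists suites one expansion drops relative to a reference. The binary paths passed on the command line and the two embedded sample expansions are constructed for illustration; the sample "old-style" expansion mimics the failure described in the mail, where a 0.9.8 parse of the string loses every ephemeral DH suite.

```shell
#!/bin/sh
# Compare how different OpenSSL binaries expand the same cipherstring.
# Added example, not from the original mail. Relies only on the line format
# of 'openssl ciphers -v': SUITE PROTO Kx=... Au=... Enc=... Mac=...

# Suite names (field 1) of an 'openssl ciphers -v' expansion on stdin, sorted
# so the lists can be compared with comm(1).
suite_names() {
    awk '{ print $1 }' | sort
}

# Number of suites on stdin whose key-exchange field is exactly "Kx=$1".
# count_kx DH counts ephemeral DH only; DH/RSA and DH/DSS do not match.
count_kx() {
    awk -v want="Kx=$1" '$3 == want { n++ } END { print n + 0 }'
}

# Suites present in expansion $1 but missing from expansion $2 (both passed
# as the raw multi-line text of 'openssl ciphers -v').
missing_from() {
    a=$(mktemp)
    b=$(mktemp)
    printf '%s\n' "$1" | suite_names > "$a"
    printf '%s\n' "$2" | suite_names > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# compare_binaries CIPHERSTRING REF_OPENSSL OTHER_OPENSSL...
# Expands CIPHERSTRING with every binary, reports the ephemeral DH count and
# which suites each binary drops compared with the reference binary.
compare_binaries() {
    cs=$1; shift
    ref_bin=$1
    ref=$("$ref_bin" ciphers -v "$cs") || return 1
    for bin in "$@"; do
        out=$("$bin" ciphers -v "$cs") || { echo "$bin: rejected cipherstring"; continue; }
        echo "== $bin: $(printf '%s\n' "$out" | count_kx DH) ephemeral DH suites"
        missing_from "$ref" "$out" | sed "s|^|   missing vs $ref_bin: |"
    done
}

# Constructed sample expansions in 'openssl ciphers -v' format (not real
# output of any particular OpenSSL release). NEW keeps the DHE suites; OLD
# models a parse that silently dropped them.
NEW='DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1'

OLD='AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1'

if [ $# -ge 2 ]; then
    # e.g.: sh cipherstring-compare.sh 'EDH+aRSA:AES+aRSA:!aNULL' \
    #           /usr/bin/openssl /opt/openssl-0.9.8/bin/openssl   (paths assumed)
    compare_binaries "$@"
else
    echo "new-style expansion: $(printf '%s\n' "$NEW" | count_kx DH) ephemeral DH suites"
    echo "old-style expansion: $(printf '%s\n' "$OLD" | count_kx DH) ephemeral DH suites"
    echo "suites lost in the old-style expansion:"
    missing_from "$NEW" "$OLD"
fi
```

Run without arguments it works on the embedded samples; with a cipherstring and two or more binary paths it queries the real binaries, so a zero ephemeral DH count or a non-empty "missing" list for one version is exactly the regression the mail describes.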
