[Ach] Cipher-Order: AES128/AES256 - was: Secure E-Mail Transport based on DNSSec/TLSA/DANE

Aaron Zauner azet at azet.org
Tue Nov 3 22:38:15 CET 2015


* Gunnar Haslinger <gh.bettercrypto at hitco.at> [03/11/2015 20:22:04] wrote:
> Is this true?
> I think the String just works syntactically correct as designed.

Unfortunately, yes. Also confirmed by the OpenSSL core team.

See for example:
https://gist.github.com/azet/02165efbfbe28c9ba04f

> Let's keep in mind the syntax rules, especially the "+" rule which might
> not be very intuitive:
> https://www.openssl.org/docs/manmaster/apps/ciphers.html
> If ! is used then the ciphers are permanently deleted from the list. The
> ciphers deleted can never reappear in the list even if they are
> explicitly stated.
> If - is used then the ciphers are deleted from the list, but some or all
> of the ciphers can be added again by later options.
> If + is used then the ciphers are moved to the end of the list. This
> option doesn't add any new ciphers it just moves matching existing ones.
> 

Again; depending on the actual OpenSSL branch (e.g. 0.9.8 vs 1.0.1)
cipherstrings are parsed and interpreted differently. So finding a
universal solution was one of the reasons I wrote this set of
scripts to compare. This /used/ to work fine, no idea why that's not
the case currently. Hm. Maybe we should update that but a lot of
people still run 0.9.8 which will prefer AES128 over AES256 if you
add +AES128. Really. Interestingly enough - this worked for early
versions of 1.0.1 as well.

I just checked with OpenSSL master (1.1.0-dev). Not really
surprising, the cipherstring is interpreted completely
differently: https://gist.github.com/azet/c5588d1cc9d98ff5f293
  
> So for me I can't see how Azet's information that AES128 should be
> preferred could be covered by that cipher string.
> 
> Maybe you wanted to use "+AES256" and this was a typo?
> replacing "+AES128" by "+AES256" to push back AES256 and prefer AES128
> you get this list which looks better:

See above. We were actually warned by some of the OpenSSL core-team
members that this might happen due to frequent changes in how
OpenSSL interprets cipherstrings.

> $ openssl ciphers -v
> 'EECDH:EDH:AESGCM:AES:+AES256:SHA:aRSA:!aNULL:!eNULL:!LOW:!MEDIUM:!MD5:!PSK:!SRP:!DES!3DES:!ECDSA:!kECDH:!DSS:!CAMELLIA'

FYI: On the upcoming 1.1.0 branch that cipherstring will enable DH-DSS
as well as 8-byte tag CCM mode (which is entirely useless). For
/some/ 0.9.8 versions this cipherstring will yield:

  * ECDH-RSA-RC4-SHA
  * ECDHE-RSA-RC4-SHA
  * tons of DSS ciphersuites

..and for some FIPS certified versions (yes they're actually used):

  * EXP1024-RC4-SHA

I recommend double-checking a cipherstring recommendation against
*all* 0.9.8 and 1.0.1 branches.

Aaron
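
The cross-version check recommended in the mail above, as an added example that is not part of the original message or of the author's scripts: it expands one cipherstring with each OpenSSL binary passed on the command line and reports the preferred AES key size plus any RC4, DSS or export suites. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original mail: compare how several OpenSSL
# builds expand one cipherstring. Both filters read `openssl ciphers -v`
# output on stdin.

# Print the suites the mail calls out as unwanted: RC4, DSS, export-grade.
flag_unwanted() {
    awk '$1 ~ /RC4/ || $1 ~ /DSS/ || $1 ~ /^EXP/ || /Au=DSS/ { print $1 }'
}

# Print the AES key size of the first AES suite in the expanded list, i.e.
# the one this build prefers. TLSv1.3 suites are skipped because newer
# builds list them regardless of the cipherstring.
aes_preference() {
    awk '$2 == "TLSv1.3" { next }
         /Enc=AES[A-Z0-9]*\(128\)/ { print "AES128"; found = 1; exit }
         /Enc=AES[A-Z0-9]*\(256\)/ { print "AES256"; found = 1; exit }
         END { if (!found) print "none" }'
}

# Usage: audit_binaries CIPHERSTRING OPENSSL_BINARY...
audit_binaries() {
    cipherstring=$1; shift
    for bin in "$@"; do
        out=$("$bin" ciphers -v "$cipherstring" 2>/dev/null) || {
            echo "$bin: cipherstring rejected"; continue
        }
        printf '%s [%s]\n  prefers: %s\n  unwanted: %s\n' \
            "$bin" "$("$bin" version)" \
            "$(printf '%s\n' "$out" | aes_preference)" \
            "$(printf '%s\n' "$out" | flag_unwanted | tr '\n' ' ')"
    done
}

# Constructed sample in `ciphers -v` layout (not captured from a real build).
sample_old_build() {
    cat <<'EOF'
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
EXP1024-RC4-SHA SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export
EOF
}

if [ "$#" -ge 2 ]; then
    audit_binaries "$@"
else
    sample_old_build | aes_preference
    sample_old_build | flag_unwanted
fi
```

Run it with the cipherstring as the first argument and the path of each locally built OpenSSL binary after it; with no arguments it processes the constructed sample.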