[Ach] Cipher List Notes
Alice Wonder
alice at librelamp.com
Sat Nov 12 03:32:03 CET 2016
Hello List,
Really enjoyed reading the "Applied Crypto Hardening" guide.
The only major difference between my practices and that guide is with
Section 3.2.3 with "Recommended Cipher Suites"
Like your guide, I too have a "Strong, fewer clients" configuration and
a "Weaker but better compatibility" configuration. I'm sure I am not the
only one with a point of view on this.
I would like to share what I do and the real world results, and get
feedback.
For my SSLCipherSuite it should be noted that I am using LibreSSL so
excluding SSLv2 and SSLv3 is not necessary.
The only cipher suites I bother with are chacha20 and AES families.
ChaCha20 is kinder to Android users and AES has hardware acceleration on
many platforms. I found I do not need any others.
-=- Strong, fewer clients
In your Configuration A you limit it to AES256, I do not know your
rationale for excluding AES128 from the Configuration A list but if I
can only jump 10 feet, a 50 foot moat is just as effective as a 100 foot
moat. For me to cross the moat requires a different approach than jumping.
For my equivalent of your Configuration A list, on servers where
sensitive information is transferred to and from the server, I do limit
it to TLS 1.2 and I also only use ECDSA certificates, I haven't yet come
across a user with a client that can do TLS 1.2 that doesn't handle
ECDSA. With an ECDSA certificate I use the following:
SSLCipherSuite "EECDH+CHACHA20 EECDH+AESGCM EECDH+AES+SHA384 EECDH+AES+SHA256"
That provides the following ciphers with LibreSSL 2.4.4:
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9) FS 256
OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14) FS 256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) FS 256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) FS 128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) FS 256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) FS 128
With SSL Labs, only the following browsers are reported as not working:
Android < 4.4.2
Baidu Jan 2015
XP Browsers
IE < 11
Java < 8u31
OpenSSL 0.9.8y
Safari < 7
Many of those are deprecated by the vendor and all of them (except maybe
Baidu) have newer versions that do work. Outdated browsers are not
secure enough for sensitive data anyway, so for sensitive data servers,
I don't have to support them.
-=- Weaker but better compatibility
Your Configuration B list does allow AES128 but also allows the Camellia
ciphers. I do not allow the Camellia ciphers because honestly I do not
see the benefit, offering them just adds another attack surface if there
is a zero day found in that family, it seems equivalent to AES to me but
AES has the advantage of AES-NI support in a lot of hardware. And
allegedly Camellia has some patent issues.
With my equivalent of your Configuration B I use RSA 2048 and just add a
couple AES options so it will work with more clients:
SSLCipherSuite "EECDH+CHACHA20 EECDH+AESGCM EECDH+AES+SHA384 EECDH+AES+SHA256 EECDH+AES EDH+AES256"
That provides the following ciphers with LibreSSL 2.4.4:
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) FS 256
OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc13) FS 256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) FS 256
With that configuration, TLS 1.0 support is added and the only ssllabs
listed excluded clients are:
Android 2.3.7
IE 6/XP
IE 8/XP
Java 6u45
None of those clients should be used, and they do not work with SNI
anyway which is required for many of my sites (I tend to configure an
empty virtual host as first virtual host)
------------------------------------
Thoughts / Comments ??
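
Added example, not part of the original post: the two suite listings above, parsed to show which entries are AEAD and which are the CBC suites with a SHA-1 MAC, the only ones in these lists a TLS 1.0 client can negotiate. The function and variable names are made up for this illustration.

```python
import re

# Suite listings copied from the post (reported there for LibreSSL 2.4.4).
CONFIG_A = """TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9) FS 256
OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14) FS 256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) FS 256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) FS 128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) FS 256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) FS 128"""
CONFIG_B = """TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) FS 256
OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc13) FS 256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) FS 256"""
PATTERN = re.compile(
    r"^(?:OLD_)?TLS_([A-Z]+)_[A-Z]+_WITH_(\w+?)_(SHA\d*)\s+\((0x[0-9a-f]+)\)")

def parse(listing):
    suites = []
    for line in listing.splitlines():
        m = PATTERN.match(line.strip())
        if not m:
            raise ValueError("unrecognised suite line: " + line)
        kx, cipher, mac, code = m.groups()
        aead = cipher.endswith(("GCM", "POLY1305"))
        # AEAD suites and CBC suites with a SHA-256/384 MAC exist only in TLS 1.2;
        # CBC suites with the SHA-1 MAC ("_SHA") can be negotiated from TLS 1.0 up.
        legacy = not aead and mac == "SHA"
        suites.append({"code": code, "aead": aead, "fs": kx in ("ECDHE", "DHE"),
                       "min_tls": "1.0" if legacy else "1.2"})
    return suites

def summary(listing):
    suites = parse(listing)
    return {"total": len(suites),
            "all_forward_secret": all(s["fs"] for s in suites),
            "aead": [s["code"] for s in suites if s["aead"]],
            "tls10_capable": [s["code"] for s in suites if s["min_tls"] == "1.0"]}

if __name__ == "__main__":
    for label, listing in (("A", CONFIG_A), ("B", CONFIG_B)):
        print(label, summary(listing))
```

The first list contains no TLS 1.0-capable suite, so it is TLS 1.2-only by construction; in the second list the TLS 1.0 reach comes entirely from the three `_CBC_SHA` entries.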