[Ach] Cipher-Order: AES128/AES256 - was: Secure E-Mail Transport based on DNSSec/TLSA/DANE

Tue Nov 3 12:39:53 CET 2015

Hmm..

Gunnar Haslinger wrote:
> The current recommendation for Apache is different to the CipherString-B.
> Probably thats only a mistak (as Aaron Kaplan already answered).
> 
> but even when comparing these two ciphers, none of them prefers AES128
> to AES256:
> 
> 
> https://git.bettercrypto.org/ach-master.git/blob/HEAD:/src/configuration/Webservers/Apache/default-ssl
> 
> root at Sec-NS2:~# openssl ciphers -v
> 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
> 
> DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) 
>  Mac=AEAD
> DHE-RSA-AES256-SHA256       TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)    
>  Mac=SHA256
> ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) 
>  Mac=AEAD
> ECDHE-RSA-AES256-SHA384     TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)    
>  Mac=SHA384
> DHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) 
>  Mac=AEAD
> DHE-RSA-AES128-SHA256       TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)    
>  Mac=SHA256
> ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) 
>  Mac=AEAD
> ECDHE-RSA-AES128-SHA256     TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)    
>  Mac=SHA256
> DHE-RSA-CAMELLIA256-SHA     SSLv3   Kx=DH       Au=RSA 
> Enc=Camellia(256) Mac=SHA1
> DHE-RSA-AES256-SHA          SSLv3   Kx=DH       Au=RSA  Enc=AES(256)    
>  Mac=SHA1
> ECDHE-RSA-AES256-SHA        SSLv3   Kx=ECDH     Au=RSA  Enc=AES(256)    
>  Mac=SHA1
> DHE-RSA-CAMELLIA128-SHA     SSLv3   Kx=DH       Au=RSA 
> Enc=Camellia(128) Mac=SHA1
> DHE-RSA-AES128-SHA          SSLv3   Kx=DH       Au=RSA  Enc=AES(128)    
>  Mac=SHA1
> ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH     Au=RSA  Enc=AES(128)    
>  Mac=SHA1
> CAMELLIA256-SHA             SSLv3   Kx=RSA      Au=RSA 
> Enc=Camellia(256) Mac=SHA1
> AES256-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(256)    
>  Mac=SHA1
> CAMELLIA128-SHA             SSLv3   Kx=RSA      Au=RSA 
> Enc=Camellia(128) Mac=SHA1
> AES128-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(128)    
>  Mac=SHA1
> 
> 
> https://git.bettercrypto.org/ach-master.git/blob/HEAD:/src/common/cipherStringB.tex
> 
> root at Sec-NS2:~# openssl ciphers -v
> 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
> 
> DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) 
>  Mac=AEAD
> DHE-RSA-AES256-SHA256       TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)    
>  Mac=SHA256
> ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) 
>  Mac=AEAD
> ECDHE-RSA-AES256-SHA384     TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)    
>  Mac=SHA384
> DHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) 
>  Mac=AEAD
> DHE-RSA-AES128-SHA256       TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)    
>  Mac=SHA256
> ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) 
>  Mac=AEAD
> ECDHE-RSA-AES128-SHA256     TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)    
>  Mac=SHA256
> DHE-RSA-CAMELLIA256-SHA     SSLv3   Kx=DH       Au=RSA 
> Enc=Camellia(256) Mac=SHA1
> DHE-RSA-AES256-SHA          SSLv3   Kx=DH       Au=RSA  Enc=AES(256)    
>  Mac=SHA1
> ECDHE-RSA-AES256-SHA        SSLv3   Kx=ECDH     Au=RSA  Enc=AES(256)    
>  Mac=SHA1
> DHE-RSA-CAMELLIA128-SHA     SSLv3   Kx=DH       Au=RSA 
> Enc=Camellia(128) Mac=SHA1
> DHE-RSA-AES128-SHA          SSLv3   Kx=DH       Au=RSA  Enc=AES(128)    
>  Mac=SHA1
> ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH     Au=RSA  Enc=AES(128)    
>  Mac=SHA1
> CAMELLIA128-SHA             SSLv3   Kx=RSA      Au=RSA 
> Enc=Camellia(128) Mac=SHA1
> AES128-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(128)    
>  Mac=SHA1

That's actually not what we wanted (though there's nothing in there
that's a security concern). The problem with these cipherstrings is that
they're interpreted differently depending on the OpenSSL branch and
version. Another problem we have is that we have these cipherstrings
spread out throughout the document and not sourced from a single file
(we do mostly but not everywhere). 1.5 years ago I wrote a set of
scripts to compare the cipherstring results of different OpenSSL
versions, if you're interested: https://github.com/azet/openssl-compare

Aaron

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20151103/884f8436/attachment.sig>