[Ach] Cipher-Order: AES128/AES256 - was: Secure E-Mail Transport based on DNSSec/TLSA/DANE

Gunnar Haslinger gh.bettercrypto at hitco.at
Sat Nov 7 20:40:34 CET 2015


To continue the CipherString-B Discussion:

I try to sum up some thoughts:
1) The Ciphers in current CipherString-B are sane but not ideally sorted
on all Versions of OpenSSL.
2) Camellia could be considered to be removed.
3) Performance: ECDHE could be preferred over DHE
4) Performance: AES128 could be preferred over AES256
5) deactivating Ciphers one by one in OpenSSL does not give predictable
results in newer versions, as newer ciphers will be added

so I tried to do it the other way round:
1. Disable all Ciphers
2. Add the Ciphers which are sane
3. Do the Sorting

My result is:
-ALL:ECDH+aRSA+AES:DH+aRSA+AES:aRSA+kRSA+AES:+AES256

To explain:
1) -ALL ... removes all Ciphers, now the List should be REALLY empty on
all OpenSSL Versions

2) ECDH+aRSA adds the sane ECDHE modes only:
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA

3) DH+aRSA+AES adds the sane DHE modes only:
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA

4) aRSA+kRSA+AES adds some sane non-PFS Modes for compatibility:
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA

5) and the "+AES256" pushes back AES256 to prefer AES128, which
obviously doesn't work on all older Versions but on current Versions.

the Result is:
$ openssl ciphers -v '-ALL:ECDH+aRSA+AES:DH+aRSA+AES:aRSA+kRSA+AES:+AES256' | cut -f1 -d" "
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA

Default configured Clients should always connect ECDH-AES128, when not
Supporting ECDH they will fall back to DHE-AES128, if a client doesn't
support PFS Ciphers there is still a possibility to connect by the
AES+RSA Ciphers.  Only if a client disabled AES128 it will use the
stronger AES256 Suites.

What do you think? Would this cipher-String even lead to other results
on older / newer Versions of OpenSSL? I think the problem should be
reduced significantly because of Disabling all with "-ALL". The
AES-Order is well defined. Of course the GCM/AES Order and the
SHA-Orders could be mixed up in another order using other OpenSSL Versions.

I tested it on
OpenSSL 1.0.1k 8 Jan 2015 on Debian 8.2
OpenSSL 1.0.1e-fips 11 Feb 2013 on CentOS 7.1
OpenSSL 1.0.1e-fips 11 Feb 2013 on CentOS 6.7

and for old Version compatibility:
OpenSSL 0.9.8o 01 Jun 2010 on Debian 6, which has no ECDHE and
SHA2-Support, so this string works but leads to this short list of
"Last-Hope" Ciphers:
DHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA
AES256-SHA
AES128-SHA
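
Added example (not part of the original post): a shell check that audits an expanded cipher list against the ordering goals stated above, namely RSA-authenticated AES suites only, every AES128 suite before any AES256 suite, and ECDHE before DHE before plain RSA within each key size. The function name audit_cipher_order and the finding labels are assumptions made for this example; the two lists are the expansions quoted in the post.

```sh
#!/bin/sh
# Added example, not from the original post. audit_cipher_order is a
# hypothetical helper: it reads one suite name per line on stdin, prints
# each violation and returns non-zero if there is any.
audit_cipher_order() {
    awk '
    # Key-exchange rank in the order the post wants: ECDHE, DHE, plain RSA.
    function kx_rank(s) {
        if (s ~ /^ECDHE-/) return 1
        if (s ~ /^DHE-/)   return 2
        return 3
    }
    NF == 0 { next }
    {
        s = $1
        # Allowlist: RSA-authenticated AES suites only, as in the post.
        if (s !~ /^((EC)?DHE-RSA-)?AES(128|256)(-GCM)?-SHA(256|384)?$/) {
            print "UNEXPECTED " s; bad = 1; next
        }
        size = (s ~ /AES128/) ? 128 : 256
        if (size == 256) { seen256 = 1 }
        else if (seen256) { print "AES128-AFTER-AES256 " s; bad = 1 }
        # Within one key size the order must stay ECDHE, then DHE, then RSA.
        r = kx_rank(s)
        if (r < last[size]) { print "KX-ORDER " s; bad = 1 }
        last[size] = r
    }
    END { exit (bad ? 1 : 0) }
    '
}

# The two expansions reported in the post (1.0.1 builds and 0.9.8o).
LIST_101="ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA
DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA
AES128-GCM-SHA256 AES128-SHA256 AES128-SHA
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA
DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA
AES256-GCM-SHA384 AES256-SHA256 AES256-SHA"
LIST_098="DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA AES128-SHA"

echo "1.0.1 list:";  printf '%s\n' $LIST_101 | audit_cipher_order && echo "ok"
echo "0.9.8o list:"; printf '%s\n' $LIST_098 | audit_cipher_order || echo "differs"
```

To audit a live build, pipe the command from the post (openssl ciphers -v '...' | cut -f1 -d" ") into audit_cipher_order; the 0.9.8o list is flagged because "+AES256" did not reorder it.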
