[Ach] Cipher-Order: AES128/AES256 - was: Secure E-Mail Transport based on DNSSec/TLSA/DANE

Adi Kriegisch adi at kriegisch.at
Sun Nov 8 12:15:20 CET 2015


Hi!

> >> $ openssl ciphers -v
> >> '-ALL:ECDH+aRSA+AES:DH+aRSA+AES:aRSA+kRSA+AES:+AES256' | cut -f1 -d" "
> >> ECDHE-RSA-AES128-GCM-SHA256
> >> ECDHE-RSA-AES128-SHA256
> >> ECDHE-RSA-AES128-SHA
> >> DHE-RSA-AES128-GCM-SHA256
> >> DHE-RSA-AES128-SHA256
> >> DHE-RSA-AES128-SHA
> >> AES128-GCM-SHA256
> >> AES128-SHA256
> >> AES128-SHA
> ---
> >> ECDHE-RSA-AES256-GCM-SHA384
> >> ECDHE-RSA-AES256-SHA384
> >> ECDHE-RSA-AES256-SHA
> >> DHE-RSA-AES256-GCM-SHA384
> >> DHE-RSA-AES256-SHA256
> >> DHE-RSA-AES256-SHA
> >> AES256-GCM-SHA384
> >> AES256-SHA256
> >> AES256-SHA
> > You do notice that you prefer non-ephemeral ciphers over ephemeral ones
> > here, right? As the fallback cipher you only ever need AES256-SHA and
> > nothing else to support legacy-old-really-old-legacy versions of openssl
> > at the very end of the cipher string.
> 
> No, I don't like to prefer non-ephemeral ciphers and I think this is
> not configured - let me explain:
> The choice which Cipher is picked is configured to be done by the Server.
Ok, the whole idea about letting the server choose the cipher is that the
choice is done once -- with the help of an appropriate cipher string -- on
the server side and enhances security for a plethora of clients. If you
decide to prefer AES128 over AES256 to let the client choose, you are doing
it wrong:
1. You, in your role as a server admin, choose the level of security for
   your site and the level of secrecy of the content of your site.
2. Letting the server choose to let the client choose sounds a little confused.

If you decide not to use AES256 or to prefer ECDHE this is fine for me,
just go ahead and deploy your own cipher string.

Supporting non-ephemeral ciphers is only ever required on certain versions
of openssl 0.9.8 that do not have any other cipher overlap. So you only
ever need AES256-SHA and nothing else. I am not even sure if we could
completely remove this cipher from the string since we deprecated SSLv3 and
WinXP, but I think some older versions of Apple Mail still require that
cipher to work.
In other words: you need not provide AES*GCM-SHA2 and AES*SHA2.

-- Adi
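An added example, not code from the mail or from the ACH project, that checks a cipher list (as printed by `openssl ciphers -v '...' | cut -f1 -d" "`) against the rule stated in the reply above: ephemeral suites first, and AES256-SHA as the only non-ephemeral fallback. The suite names are the ones quoted in the thread; classifying ephemeral suites by the ECDHE-/DHE-/EDH- name prefix is an assumption.

```python
"""Check an OpenSSL cipher list for the ordering rule in the mail above:
every non-ephemeral (static RSA) suite must come after all ECDHE/DHE
suites, and only AES256-SHA is needed as the legacy fallback."""

# Constructed sample: the cipher names quoted above, in the order
# `openssl ciphers -v '...' | cut -f1 -d" "` printed them.
QUOTED_ORDER = """
ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA
DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA
AES128-GCM-SHA256 AES128-SHA256 AES128-SHA
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA
DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA
AES256-GCM-SHA384 AES256-SHA256 AES256-SHA
""".split()

LEGACY_FALLBACK = "AES256-SHA"  # the one static-RSA suite old OpenSSL 0.9.8 needs


def is_ephemeral(name):
    """Forward-secret key exchange, judged by the OpenSSL suite name prefix
    (assumption: ECDHE-/DHE-/EDH- names are the only ephemeral ones here)."""
    return name.startswith(("ECDHE-", "DHE-", "EDH-"))


def check_cipher_order(names):
    """Return findings (strings); an empty list means the order is fine."""
    findings = []
    first_static = None  # first static suite not yet reported as misordered
    for name in names:
        if is_ephemeral(name):
            if first_static is not None:
                findings.append(f"{first_static} (non-ephemeral) is preferred over {name}")
                first_static = None
            continue
        if first_static is None:
            first_static = name
        if name != LEGACY_FALLBACK:
            findings.append(f"{name} is a non-ephemeral suite other than {LEGACY_FALLBACK}")
    return findings


def fixed_order(names):
    """Keep the ephemeral suites in their given order and append AES256-SHA
    (if present) as the single fallback, dropping the other static suites."""
    kept = [n for n in names if is_ephemeral(n)]
    if LEGACY_FALLBACK in names:
        kept.append(LEGACY_FALLBACK)
    return kept
```

Joining the result of `fixed_order()` with ":" gives a cipher string that OpenSSL accepts directly.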