From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] OpenSSL: lower priority for CBC ciphers in default cipherlist
Date: Mon, 10 Jun 2019 20:18:16 +0100
Message-ID: <00CB5748-463D-4828-AC5E-AC5083BC6E68@ipfire.org>
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1918886615100707266=="
List-Id:

--===============1918886615100707266==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi,

Okay, this is for the client side.

Do you intend to do more changes to let’s say the Apache cipher suites?

-Michael

> On 10 Jun 2019, at 19:55, Peter Müller wrote:
>
> In order to avoid CBC ciphers as often as possible (they contain
> some known vulnerabilities), this changes the OpenSSL default
> ciphersuite to:
>
> TLS_CHACHA20_POLY1305_SHA256   TLSv1.3 Kx=any  Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
> TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any  Au=any   Enc=AESGCM(256)            Mac=AEAD
> TLS_AES_128_GCM_SHA256         TLSv1.3 Kx=any  Au=any   Enc=AESGCM(128)            Mac=AEAD
> ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
> ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256)            Mac=AEAD
> ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128)            Mac=AEAD
> ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2 Kx=ECDH Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
> ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(256)            Mac=AEAD
> ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(128)            Mac=AEAD
> ECDHE-ECDSA-AES256-SHA384      TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256)               Mac=SHA384
> ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(256)          Mac=SHA384
> ECDHE-RSA-AES256-SHA384        TLSv1.2 Kx=ECDH Au=RSA   Enc=AES(256)               Mac=SHA384
> ECDHE-RSA-CAMELLIA256-SHA384   TLSv1.2 Kx=ECDH Au=RSA   Enc=Camellia(256)          Mac=SHA384
> ECDHE-ECDSA-AES128-SHA256      TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128)               Mac=SHA256
> ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(128)          Mac=SHA256
> ECDHE-RSA-AES128-SHA256        TLSv1.2 Kx=ECDH Au=RSA   Enc=AES(128)               Mac=SHA256
> ECDHE-RSA-CAMELLIA128-SHA256   TLSv1.2 Kx=ECDH Au=RSA   Enc=Camellia(128)          Mac=SHA256
> DHE-RSA-CHACHA20-POLY1305      TLSv1.2 Kx=DH   Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
> DHE-RSA-AES256-GCM-SHA384      TLSv1.2 Kx=DH   Au=RSA   Enc=AESGCM(256)            Mac=AEAD
> DHE-RSA-AES128-GCM-SHA256      TLSv1.2 Kx=DH   Au=RSA   Enc=AESGCM(128)            Mac=AEAD
> DHE-RSA-AES256-SHA256          TLSv1.2 Kx=DH   Au=RSA   Enc=AES(256)               Mac=SHA256
> DHE-RSA-CAMELLIA256-SHA256     TLSv1.2 Kx=DH   Au=RSA   Enc=Camellia(256)          Mac=SHA256
> DHE-RSA-AES128-SHA256          TLSv1.2 Kx=DH   Au=RSA   Enc=AES(128)               Mac=SHA256
> DHE-RSA-CAMELLIA128-SHA256     TLSv1.2 Kx=DH   Au=RSA   Enc=Camellia(128)          Mac=SHA256
> ECDHE-ECDSA-AES256-SHA         TLSv1   Kx=ECDH Au=ECDSA Enc=AES(256)               Mac=SHA1
> ECDHE-ECDSA-AES128-SHA         TLSv1   Kx=ECDH Au=ECDSA Enc=AES(128)               Mac=SHA1
> ECDHE-RSA-AES256-SHA           TLSv1   Kx=ECDH Au=RSA   Enc=AES(256)               Mac=SHA1
> ECDHE-RSA-AES128-SHA           TLSv1   Kx=ECDH Au=RSA   Enc=AES(128)               Mac=SHA1
> DHE-RSA-AES256-SHA             SSLv3   Kx=DH   Au=RSA   Enc=AES(256)               Mac=SHA1
> DHE-RSA-CAMELLIA256-SHA        SSLv3   Kx=DH   Au=RSA   Enc=Camellia(256)          Mac=SHA1
> DHE-RSA-AES128-SHA             SSLv3   Kx=DH   Au=RSA   Enc=AES(128)               Mac=SHA1
> DHE-RSA-CAMELLIA128-SHA        SSLv3   Kx=DH   Au=RSA   Enc=Camellia(128)          Mac=SHA1
> AES256-GCM-SHA384              TLSv1.2 Kx=RSA  Au=RSA   Enc=AESGCM(256)            Mac=AEAD
> AES128-GCM-SHA256              TLSv1.2 Kx=RSA  Au=RSA   Enc=AESGCM(128)            Mac=AEAD
> AES256-SHA256                  TLSv1.2 Kx=RSA  Au=RSA   Enc=AES(256)               Mac=SHA256
> CAMELLIA256-SHA256             TLSv1.2 Kx=RSA  Au=RSA   Enc=Camellia(256)          Mac=SHA256
> AES128-SHA256                  TLSv1.2 Kx=RSA  Au=RSA   Enc=AES(128)               Mac=SHA256
> CAMELLIA128-SHA256             TLSv1.2 Kx=RSA  Au=RSA   Enc=Camellia(128)          Mac=SHA256
> AES256-SHA                     SSLv3   Kx=RSA  Au=RSA   Enc=AES(256)               Mac=SHA1
> CAMELLIA256-SHA                SSLv3   Kx=RSA  Au=RSA   Enc=Camellia(256)          Mac=SHA1
> AES128-SHA                     SSLv3   Kx=RSA  Au=RSA   Enc=AES(128)               Mac=SHA1
> CAMELLIA128-SHA                SSLv3   Kx=RSA  Au=RSA   Enc=Camellia(128)          Mac=SHA1
>
> Since TLS servers usually override the clients' preference with their
> own, this will neither break existing setups nor introduce huge
> differences in the wild. Unfortunately, CBC ciphers cannot be disabled
> at all, as they are still used by popular web sites.
>
> TLS 1.3 ciphers will be added implicitly and can be omitted in the
> cipherstring. Chacha20/Poly1305 is preferred over AES-GCM due to missing
> AES-NI support for the majority of installations reporting to Fireinfo
> (see https://fireinfo.ipfire.org/processors for details, AES-NI support
> is 28.22% at the time of writing).
>
> Signed-off-by: Peter Müller
> --- > lfs/openssl | 2 +- > ...t-cipherlist.patch =3D> openssl-1.1.1c-default-cipherlist.patch} | 8 +++= +---- > 2 files changed, 5 insertions(+), 5 deletions(-) > rename src/patches/{openssl-1.1.1a-default-cipherlist.patch =3D> openssl-1.= 1.1c-default-cipherlist.patch} (66%) >=20 > diff --git a/lfs/openssl b/lfs/openssl > index 9f9e7a684..47bd4aff0 100644 > --- a/lfs/openssl > +++ b/lfs/openssl > @@ -117,7 +117,7 @@ $(subst %,%_MD5,$(objects)) : > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > @$(PREBUILD) > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) > - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.1a-defau= lt-cipherlist.patch > + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.1c-defau= lt-cipherlist.patch >=20 > # Apply our CFLAGS > cd $(DIR_APP) && sed -i Configure \ 
> diff --git a/src/patches/openssl-1.1.1a-default-cipherlist.patch b/src/patc= hes/openssl-1.1.1c-default-cipherlist.patch > similarity index 66% > rename from src/patches/openssl-1.1.1a-default-cipherlist.patch > rename to src/patches/openssl-1.1.1c-default-cipherlist.patch > index dfe156bf5..72f6ce3b1 100644 > --- a/src/patches/openssl-1.1.1a-default-cipherlist.patch > +++ b/src/patches/openssl-1.1.1c-default-cipherlist.patch > @@ -1,11 +1,12 @@ > ---- openssl-1.1.1.orig/include/openssl/ssl.h 2018-09-11 14:48:23.000000000= +0200 > -+++ openssl-1.1.1/include/openssl/ssl.h 2018-11-05 16:55:03.935513159 +0100 > +diff -Naur openssl-1.1.1c.orig/include/openssl/ssl.h openssl-1.1.1c/includ= e/openssl/ssl.h > +--- openssl-1.1.1c.orig/include/openssl/ssl.h 2019-06-10 20:41:21.20914001= 2 +0200 > ++++ openssl-1.1.1c/include/openssl/ssl.h 2019-06-10 20:42:26.733973129 +02= 00 > @@ -170,11 +170,11 @@ > * an application-defined cipher list string starts with 'DEFAULT'. > * This applies to ciphersuites for TLSv1.2 and below. > */ > -# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL" > -+# define SSL_DEFAULT_CIPHER_LIST "TLSv1.3:CHACHA20:HIGH:+DH:+aRSA:+SHA:+k= RSA:!aNULL:!eNULL:!SRP:!PSK:!DSS:!AESCCM" > ++# define SSL_DEFAULT_CIPHER_LIST "CHACHA20:HIGH:+aRSA:+SHA384:+SHA256:+DH= :+SHA:+kRSA:!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS" > /* This is the default set of TLSv1.3 ciphersuites */ > # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) > -# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ > @@ -15,4 +16,3 @@ > "TLS_AES_128_GCM_SHA256" > # else > # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ > - > --=20 > 2.16.4 --===============1918886615100707266==--
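
Review bot: the changed `patch -Np1` line in the lfs/openssl hunk hard-codes the OpenSSL version in the patch file name (now openssl-1.1.1c-default-cipherlist.patch), so every OpenSSL bump needs a file rename plus this edit even when the cipher string itself is unchanged. A version-neutral file name, for example openssl-default-cipherlist.patch, would keep future diffs limited to the cipher list.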
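
Review bot: in the new SSL_DEFAULT_CIPHER_LIST define of the cipherlist patch hunk, `+DH` is applied after `+SHA384:+SHA256`, and the resulting list in the commit message shows the ECDHE-*-SHA384 and ECDHE-*-SHA256 CBC suites ranked above DHE-RSA-CHACHA20-POLY1305 and the DHE-RSA-*-GCM AEAD suites. If the aim is to avoid CBC as often as possible, consider moving `+DH` ahead of `+SHA384:+SHA256` and re-checking the resulting order, or say in the commit message that ECDHE with CBC is deliberately preferred over DHE with AEAD. A short comment above the define stating what each `+` step is meant to demote would also help whoever next rebases this patch.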
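
The ordering goal stated in the commit message (CBC suites as low as possible) can be checked mechanically against a cipher listing. This is an added example, not part of the original message or of IPFire's code: it parses rows in the listing's column format and reports every CBC suite that still outranks an AEAD suite, and whether that ordering buys forward secrecy. The function names are hypothetical and the six sample rows are copied from the listing quoted above.

```python
import re

# Constructed sample: six rows copied, in order, from the listing quoted above.
SAMPLE = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384     TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
DHE-RSA-CHACHA20-POLY1305   TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES128-SHA256       TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
AES256-GCM-SHA384           TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-SHA                  SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
"""

ROW = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)$")
EPHEMERAL = {"ECDH", "DH", "any"}  # "any" (TLS 1.3) treated as ephemeral: assumption

def parse(listing):
    """Parse `openssl ciphers -v` style rows, keeping preference order."""
    suites = []
    for raw in listing.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate e-mail quoting
        if not line:
            continue
        m = ROW.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {raw!r}")
        name, _proto, kx, _au, enc, mac = m.groups()
        suites.append({
            "name": name,
            "aead": mac == "AEAD",
            # AES/Camellia with an HMAC means CBC mode in TLS 1.2 and below
            "cbc": mac != "AEAD" and not enc.startswith(("RC4", "None")),
            "pfs": kx in EPHEMERAL,
        })
    return suites

def cbc_before_aead(suites):
    """Return (cbc, aead, pfs_tradeoff) for each CBC suite ranked above an AEAD one."""
    # pfs_tradeoff: the CBC suite has an ephemeral key exchange, the AEAD one does not
    found = []
    for i, s in enumerate(suites):
        if s["cbc"]:
            found += [(s["name"], t["name"], s["pfs"] and not t["pfs"])
                      for t in suites[i + 1:] if t["aead"]]
    return found

if __name__ == "__main__":
    for cbc, aead, tradeoff in cbc_before_aead(parse(SAMPLE)):
        why = "buys forward secrecy" if tradeoff else "no forward-secrecy gain"
        print(f"{cbc} ranks above {aead}: {why}")
```

Pairs reported with no forward-secrecy gain are the ones worth a second look when tuning the cipher string.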