From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH] httpd: prefer AES-GCM ciphers over AES-CBC Date: Wed, 15 May 2019 17:01:00 +0000 Message-ID: <0ff8d464-a3e4-18dc-145c-4ebd0f73881f@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0441836941296058867==" List-Id: --===============0441836941296058867== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable CBC ciphers are vulnerable to a bunch of attacks (being rather academic so far) such as MAC-then-encrypt or padding oracle. These seem to be more serious (see https://blog.qualys.com/technology/2019/04/22/zombie-poodle-and-goldendoodle-= vulnerabilities for further readings) which is why they should be used for interoperability purposes only. I plan to remove AES-CBC ciphers for the WebUI at the end of the year, provided overall security landscape has not changed until that. This patch changes the WebUI cipherlist to: TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=3Dany Au=3Dany Enc=3DCHACHA20/P= OLY1305(256) Mac=3DAEAD TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=3Dany Au=3Dany Enc=3DAESGCM(256) Mac= =3DAEAD TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=3Dany Au=3Dany Enc=3DAESGCM(128) Mac= =3DAEAD ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=3DECDH Au=3DECDSA Enc=3DCHACHA20= /POLY1305(256) Mac=3DAEAD ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=3DECDH Au=3DECDSA Enc=3DAESGCM(2= 56) Mac=3DAEAD ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=3DECDH Au=3DECDSA Enc=3DAESGCM(1= 28) Mac=3DAEAD ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=3DECDH Au=3DRSA Enc=3DCHACHA20/PO= LY1305(256) Mac=3DAEAD ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=3DECDH Au=3DRSA Enc=3DAESGCM(256)= Mac=3DAEAD ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=3DECDH Au=3DRSA Enc=3DAESGCM(128)= Mac=3DAEAD ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=3DECDH Au=3DECDSA Enc=3DAES(256) Ma= c=3DSHA384 ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=3DECDH Au=3DECDSA Enc=3DAES(128) Ma= c=3DSHA256 ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=3DECDH Au=3DRSA Enc=3DAES(256) Mac= =3DSHA384 ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=3DECDH Au=3DRSA Enc=3DAES(128) Mac= =3DSHA256 (AES-CBC + ECDSA will be preferred over RSA for performance reasons. As this cipher order cannot be trivially rebuilt with OpenSSL cipher stings, it has to be hard-coded.) All working clients will stay compatible. Signed-off-by: Peter M=C3=BCller --- config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/v= hosts.d/ipfire-interface-ssl.conf index f88a6a52a..0166c4920 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -11,7 +11,7 @@ =20 SSLEngine on SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 - SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_A= ES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384= :ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-S= HA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES12= 8-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256 + SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_A= ES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384= :ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-G= CM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-A= ES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256 SSLHonorCipherOrder on SSLCompression off SSLSessionTickets off --=20 2.16.4 --===============0441836941296058867==--