From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH] httpd: prefer AES-GCM ciphers over AES-CBC Date: Fri, 17 May 2019 20:32:03 +0100 Message-ID: In-Reply-To: <0ff8d464-a3e4-18dc-145c-4ebd0f73881f@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6917370205616243063==" List-Id: --===============6917370205616243063== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi, > On 15 May 2019, at 18:01, Peter M=C3=BCller wr= ote: >=20 > CBC ciphers are vulnerable to a bunch of attacks (being > rather academic so far) such as MAC-then-encrypt or > padding oracle. >=20 > These seem to be more serious (see > https://blog.qualys.com/technology/2019/04/22/zombie-poodle-and-goldendoodl= e-vulnerabilities > for further readings) which is why they should be used > for interoperability purposes only. >=20 > I plan to remove AES-CBC ciphers for the WebUI at the > end of the year, provided overall security landscape > has not changed until that. Yes, I can get behind this. What do we do about OpenVPN where AES-256-CBC is the default? > This patch changes the WebUI cipherlist to: > TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=3Dany Au=3Dany Enc=3DCHACHA20= /POLY1305(256) Mac=3DAEAD > TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=3Dany Au=3Dany Enc=3DAESGCM(256) M= ac=3DAEAD > TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=3Dany Au=3Dany Enc=3DAESGCM(128) M= ac=3DAEAD > ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=3DECDH Au=3DECDSA Enc=3DCHACHA= 20/POLY1305(256) Mac=3DAEAD > ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=3DECDH Au=3DECDSA Enc=3DAESGCM= (256) Mac=3DAEAD > ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=3DECDH Au=3DECDSA Enc=3DAESGCM= (128) Mac=3DAEAD > ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=3DECDH Au=3DRSA Enc=3DCHACHA20/= POLY1305(256) Mac=3DAEAD > ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=3DECDH Au=3DRSA Enc=3DAESGCM(25= 6) Mac=3DAEAD > ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=3DECDH Au=3DRSA Enc=3DAESGCM(12= 8) Mac=3DAEAD > ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=3DECDH Au=3DECDSA Enc=3DAES(256) = Mac=3DSHA384 > ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=3DECDH Au=3DECDSA Enc=3DAES(128) = Mac=3DSHA256 > ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=3DECDH Au=3DRSA Enc=3DAES(256) Mac= =3DSHA384 > ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=3DECDH Au=3DRSA Enc=3DAES(128) Mac= =3DSHA256 >=20 > (AES-CBC + ECDSA will be preferred over RSA for performance > reasons. As this cipher order cannot be trivially rebuilt with > OpenSSL cipher stings, it has to be hard-coded.) >=20 > All working clients will stay compatible. >=20 > Signed-off-by: Peter M=C3=BCller > --- > config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) >=20 > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd= /vhosts.d/ipfire-interface-ssl.conf > index f88a6a52a..0166c4920 100644 > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf > @@ -11,7 +11,7 @@ >=20 > SSLEngine on > SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 > - SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS= _AES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA3= 84:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128= -SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES= 128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256 > + SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS= _AES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA3= 84:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256= -GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA= -AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256 > SSLHonorCipherOrder on > SSLCompression off > SSLSessionTickets off > --=20 > 2.16.4 --===============6917370205616243063==--