From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Peter Müller
To: development@lists.ipfire.org
Subject: [PATCH] OpenSSL: lower priority for CBC ciphers in default cipherlist
Date: Mon, 10 Jun 2019 18:55:00 +0000
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0012132811501929247=="
List-Id:

--===============0012132811501929247==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

In order to avoid CBC ciphers as often as possible (they contain
some known vulnerabilities), this changes the OpenSSL default ciphersuite to:

TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(128) Mac=SHA256
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
CAMELLIA256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA256
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
CAMELLIA128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1

Since TLS servers usually override the clients' preference with their own,
this will neither break existing setups nor introduce huge differences
in the wild. Unfortunately, CBC ciphers cannot be disabled at all, as they
are still used by popular web sites.

TLS 1.3 ciphers will be added implicitly and can be omitted in the
cipherstring. Chacha20/Poly1305 is preferred over AES-GCM due to missing
AES-NI support for the majority of installations reporting to Fireinfo
(see https://fireinfo.ipfire.org/processors for details, AES-NI support
is 28.22% at the time of writing).

Signed-off-by: Peter Müller
--- lfs/openssl | 2 +- ...t-cipherlist.patch =3D> openssl-1.1.1c-default-cipherlist.patch} | 8 ++++= ---- 2 files changed, 5 insertions(+), 5 deletions(-) rename src/patches/{openssl-1.1.1a-default-cipherlist.patch =3D> openssl-1.1= .1c-default-cipherlist.patch} (66%) diff --git a/lfs/openssl b/lfs/openssl index 9f9e7a684..47bd4aff0 100644 --- a/lfs/openssl +++ b/lfs/openssl @@ -117,7 +117,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.1a-default= -cipherlist.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.1c-default= -cipherlist.patch =20 # Apply our CFLAGS cd $(DIR_APP) && sed -i Configure \ diff --git a/src/patches/openssl-1.1.1a-default-cipherlist.patch b/src/patche= s/openssl-1.1.1c-default-cipherlist.patch similarity index 66% rename from src/patches/openssl-1.1.1a-default-cipherlist.patch rename to src/patches/openssl-1.1.1c-default-cipherlist.patch index dfe156bf5..72f6ce3b1 100644 --- a/src/patches/openssl-1.1.1a-default-cipherlist.patch +++ b/src/patches/openssl-1.1.1c-default-cipherlist.patch 
@@ -1,11 +1,12 @@ ---- openssl-1.1.1.orig/include/openssl/ssl.h 2018-09-11 14:48:23.000000000 += 0200 -+++ openssl-1.1.1/include/openssl/ssl.h 2018-11-05 16:55:03.935513159 +0100 +diff -Naur openssl-1.1.1c.orig/include/openssl/ssl.h openssl-1.1.1c/include/= openssl/ssl.h +--- openssl-1.1.1c.orig/include/openssl/ssl.h 2019-06-10 20:41:21.209140012 = +0200 ++++ openssl-1.1.1c/include/openssl/ssl.h 2019-06-10 20:42:26.733973129 +0200 @@ -170,11 +170,11 @@ * an application-defined cipher list string starts with 'DEFAULT'. * This applies to ciphersuites for TLSv1.2 and below. */ -# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL" -+# define SSL_DEFAULT_CIPHER_LIST "TLSv1.3:CHACHA20:HIGH:+DH:+aRSA:+SHA:+kRS= A:!aNULL:!eNULL:!SRP:!PSK:!DSS:!AESCCM" ++# define SSL_DEFAULT_CIPHER_LIST "CHACHA20:HIGH:+aRSA:+SHA384:+SHA256:+DH:+= SHA:+kRSA:!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS" /* This is the default set of TLSv1.3 ciphersuites */ # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) -# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ @@ -15,4 +16,3 @@ "TLS_AES_128_GCM_SHA256" # else # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ - --=20 2.16.4 --===============0012132811501929247==--
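
Review bot: the `patch -Np1` line in lfs/openssl names the patch file with the OpenSSL version in it (openssl-1.1.1c-default-cipherlist.patch), so moving from 1.1.1a to 1.1.1c forces a file rename plus a recipe edit in the same commit as the cipher string change. A version-neutral file name would let future OpenSSL bumps and cipher list changes land as separate, smaller diffs.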
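
Review bot: in the new SSL_DEFAULT_CIPHER_LIST, `+DH` comes after `+SHA384:+SHA256`, so, going by the list in the commit message, the ECDHE CBC suites (ECDHE-ECDSA-AES256-SHA384 through ECDHE-RSA-CAMELLIA128-SHA256) still rank above DHE-RSA-CHACHA20-POLY1305 and the DHE GCM suites, and every forward-secret CBC suite ranks above AES256-GCM-SHA384. If preferring ECDHE and forward secrecy over AEAD is intended, state that in the commit message or in a comment next to the define, since the subject line reads as if CBC suites always come last; otherwise the order of the `+` terms needs another pass.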
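
Added example, not part of the original patch or of IPFire's code: a short Python check that parses rows in the `openssl ciphers -v` format shown in the commit message and reports, for each AEAD suite, which non-AEAD suites are ranked above it. The sample rows are a subset copied from the message in their original order; the function names are illustrative.

```python
import re

# Subset of the rows from the commit message above, in the same order.
SAMPLE = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
"""

# name, protocol, then the Kx=/Au=/Enc=/Mac= fields of `openssl ciphers -v`
ROW = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)$")


def parse(text):
    """Return cipher rows as dicts, keeping the preference order of the input."""
    suites = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            name, proto, kx, au, enc, mac = m.groups()
            suites.append({"name": name, "proto": proto, "kx": kx, "au": au,
                           "enc": enc, "aead": mac == "AEAD"})
    return suites


def outranked_aead(suites):
    """Map each AEAD suite to the non-AEAD suites listed before it.

    Assumption: every non-AEAD row is a CBC suite, which holds for the
    AES/Camellia + HMAC rows in the commit message.
    """
    result, seen_cbc = {}, []
    for s in suites:
        if s["aead"]:
            if seen_cbc:
                result[s["name"]] = list(seen_cbc)
        else:
            seen_cbc.append(s["name"])
    return result


if __name__ == "__main__":
    for aead, cbc in outranked_aead(parse(SAMPLE)).items():
        print(f"{aead} is ranked below: {', '.join(cbc)}")
```

Feeding it the full output of `openssl ciphers -v` for a candidate cipher string shows at a glance where key-exchange ordering wins over the AEAD preference.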