[PATCH] OpenSSL: lower priority for CBC ciphers in default cipherlist

Michael Tremer michael.tremer at ipfire.org
Mon Jun 10 20:18:16 BST 2019


Hi,

Okay, this is for the client side.

Do you intend to do more changes to let’s say the Apache cipher suites?

-Michael

> On 10 Jun 2019, at 19:55, Peter Müller <peter.mueller at ipfire.org> wrote:
> 
> In order to avoid CBC ciphers as often as possible (they contain
> some known vulnerabilities), this changes the OpenSSL default
> ciphersuite to:
> 
> TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
> TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
> TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
> ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
> ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
> ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
> ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
> ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
> ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
> ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
> ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
> ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
> ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384
> ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
> ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(128) Mac=SHA256
> ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
> ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
> DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
> DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
> DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
> DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
> DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
> DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
> DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
> ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
> ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
> ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
> ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
> DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
> DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
> DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
> DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
> AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
> AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
> AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
> CAMELLIA256-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA256
> AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
> CAMELLIA128-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA256
> AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
> CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
> AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
> CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
> 
> Since TLS servers usually override the clients' preference with their
> own, this will neither break existing setups nor introduce huge
> differences in the wild. Unfortunately, CBC ciphers cannot be disabled
> at all, as they are still used by popular web sites.
> 
> TLS 1.3 ciphers will be added implicitly and can be omitted in the
> cipherstring. Chacha20/Poly1305 is preferred over AES-GCM due to missing
> AES-NI support for the majority of installations reporting to Fireinfo
> (see https://fireinfo.ipfire.org/processors for details, AES-NI support
> is 28.22% at the time of writing).
> 
> Signed-off-by: Peter Müller <peter.mueller at ipfire.org>
> ---
> lfs/openssl                                                       | 2 +-
> ...t-cipherlist.patch => openssl-1.1.1c-default-cipherlist.patch} | 8 ++++----
> 2 files changed, 5 insertions(+), 5 deletions(-)
> rename src/patches/{openssl-1.1.1a-default-cipherlist.patch => openssl-1.1.1c-default-cipherlist.patch} (66%)
> 
> diff --git a/lfs/openssl b/lfs/openssl
> index 9f9e7a684..47bd4aff0 100644
> --- a/lfs/openssl
> +++ b/lfs/openssl
> @@ -117,7 +117,7 @@ $(subst %,%_MD5,$(objects)) :
> $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> 	@$(PREBUILD)
> 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
> -	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.1a-default-cipherlist.patch
> +	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.1c-default-cipherlist.patch
> 
> 	# Apply our CFLAGS
> 	cd $(DIR_APP) && sed -i Configure \
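Review bot: the renamed patch is applied with `patch -Np1` to whatever tarball $(DL_FILE) currently names, but no VER or DL_FILE change is in this diff, so lfs/openssl must already be building 1.1.1c for the 1.1.1c-named patch to apply cleanly; if it is not, the build will try to apply a patch generated against 1.1.1c to a different source tree. Stating the OpenSSL version this was tested against in the commit message would make the dependency explicit.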
> diff --git a/src/patches/openssl-1.1.1a-default-cipherlist.patch b/src/patches/openssl-1.1.1c-default-cipherlist.patch
> similarity index 66%
> rename from src/patches/openssl-1.1.1a-default-cipherlist.patch
> rename to src/patches/openssl-1.1.1c-default-cipherlist.patch
> index dfe156bf5..72f6ce3b1 100644
> --- a/src/patches/openssl-1.1.1a-default-cipherlist.patch
> +++ b/src/patches/openssl-1.1.1c-default-cipherlist.patch
> @@ -1,11 +1,12 @@
> ---- openssl-1.1.1.orig/include/openssl/ssl.h	2018-09-11 14:48:23.000000000 +0200
> -+++ openssl-1.1.1/include/openssl/ssl.h	2018-11-05 16:55:03.935513159 +0100
> +diff -Naur openssl-1.1.1c.orig/include/openssl/ssl.h openssl-1.1.1c/include/openssl/ssl.h
> +--- openssl-1.1.1c.orig/include/openssl/ssl.h	2019-06-10 20:41:21.209140012 +0200
> ++++ openssl-1.1.1c/include/openssl/ssl.h	2019-06-10 20:42:26.733973129 +0200
> @@ -170,11 +170,11 @@
>   * an application-defined cipher list string starts with 'DEFAULT'.
>   * This applies to ciphersuites for TLSv1.2 and below.
>   */
> -# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
> -+# define SSL_DEFAULT_CIPHER_LIST "TLSv1.3:CHACHA20:HIGH:+DH:+aRSA:+SHA:+kRSA:!aNULL:!eNULL:!SRP:!PSK:!DSS:!AESCCM"
> ++# define SSL_DEFAULT_CIPHER_LIST "CHACHA20:HIGH:+aRSA:+SHA384:+SHA256:+DH:+SHA:+kRSA:!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS"
>  /* This is the default set of TLSv1.3 ciphersuites */
>  # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
> -#  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
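Review bot: in the new SSL_DEFAULT_CIPHER_LIST the `+DH` move comes after `+SHA384:+SHA256`, so every DHE suite, including DHE-RSA-CHACHA20-POLY1305 and the DHE GCM suites, is pushed behind the ECDHE CBC suites; the quoted `openssl ciphers -v` listing confirms this, with ECDHE-RSA-AES128-SHA256 (CBC) ranked above DHE-RSA-AES256-GCM-SHA384 (AEAD), which works against the stated goal of avoiding CBC as often as possible. Since `+SHA384`, `+SHA256` and `+SHA` only match HMAC suites (the GCM and ChaCha suites report Mac=AEAD and stay put), issuing `+DH` before those three moves would let them push all CBC suites behind all AEAD suites regardless of key exchange, e.g. `CHACHA20:HIGH:+aRSA:+DH:+SHA384:+SHA256:+SHA:+kRSA:!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS`; please verify the resulting order with `openssl ciphers -v` before committing. Dropping the leading `TLSv1.3` token is fine, as 1.1.1 adds the TLS 1.3 suites through TLS_DEFAULT_CIPHERSUITES regardless of this string, as the commit message says.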
> @@ -15,4 +16,3 @@
>                                     "TLS_AES_128_GCM_SHA256"
>  # else
>  #  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
> -
> -- 
> 2.16.4
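As an added check (my own example, not code from the patch or from the thread), a small Python parser for the `openssl ciphers -v` format quoted above that flags where the resulting order departs from the goals stated in the commit message: AEAD ahead of CBC, forward-secret key exchange ahead of static RSA, and any HMAC-SHA1 suites still present. The sample lines are constructed from the thread's listing, and the CBC test assumes every non-AEAD suite in the HIGH set is a CBC suite, which holds for that listing.

```python
import re
import sys

# Constructed sample in `openssl ciphers -v` format, in the order the patch produces.
SAMPLE = """\
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")

def parse(text):
    """Parse `openssl ciphers -v` output into dicts, preserving list order."""
    suites = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            keys = ("name", "proto", "kx", "au", "enc", "mac")
            suites.append(dict(zip(keys, m.groups())))
    return suites

def audit(suites):
    """Report departures from: AEAD before CBC/HMAC, forward secrecy before
    static RSA (Kx=RSA); also flag suites still using HMAC-SHA1."""
    findings = []
    seen_cbc = False         # a CBC/HMAC suite has already been listed
    seen_static_rsa = False  # a Kx=RSA suite (no forward secrecy) already listed
    for s in suites:
        aead = s["mac"] == "AEAD"   # assumption: every non-AEAD HIGH suite here is CBC
        if aead and seen_cbc:
            findings.append(f"AEAD suite {s['name']} ranked below a CBC suite")
        if s["kx"] != "RSA" and seen_static_rsa:
            findings.append(f"forward-secret suite {s['name']} ranked below a Kx=RSA suite")
        if s["mac"] == "SHA1":
            findings.append(f"{s['name']} still uses HMAC-SHA1")
        seen_cbc = seen_cbc or not aead
        seen_static_rsa = seen_static_rsa or s["kx"] == "RSA"
    return findings

if __name__ == "__main__":
    # Pipe real output in: openssl ciphers -v '<cipherstring>' | python3 audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print("\n".join(audit(parse(text))) or "ordering matches the stated goals")
```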


