[
https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14594073#comment-14594073
]
Susan Hinrichs edited comment on TS-3136 at 6/19/15 11:02 PM:
--------------------------------------------------------------
I spent today running experiments with a variety of cipher_suite strings.
Based on feedback from my previous suggestion and these experiments, my latest
suggested default cipher_suite list is below (which I referred to as the 6/19
list in the comment above).
{code}
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
{code}
I think it is a good trade off of security, performance, availability, and
reliability for a good out-of-the-box experience.
My final experiment involved three boxes in the same pod. One running with the
list above (6/19 list). One running the list suggested yesterday (6/18 list).
One running the 5.x default.
There was a little bit of CPU difference. The experiment ran for 100 wall
clock minutes. The CPU time for each scenario was
|Scenario|CPU Time|
|6/19 list|130 minutes|
|6/18 list|152 minutes|
|5.x default|180 minutes|
The summary of negotiated protocols
|Cipher |% list 6/19| % list 6/18| % 5.x list|
|ECDHE-RSA-AES256-GCM-SHA384 |0.01 |4.79| 0.02|
|ECDHE-ECDSA-AES256-GCM-SHA384 |0 |0 |0|
|ECDHE-RSA-AES256-SHA384 |0 |30.43| 0|
|ECDHE-ECDSA-AES256-SHA384 |0| 0| 0|
|ECDHE-RSA-AES256-SHA |0| 26.92| 0|
|ECDHE-ECDSA-AES256-SHA |0| 0| 0|
|ECDH-RSA-AES256-GCM-SHA384 |0 |0 |0|
|ECDH-ECDSA-AES256-GCM-SHA384 |0 |0 |0|
|ECDH-RSA-AES256-SHA384 |0 |0 |0|
|ECDH-ECDSA-AES256-SHA384 |0 |0 |0|
|ECDH-RSA-AES256-SHA |0 |0 |0|
|ECDH-ECDSA-AES256-SHA |0 |0 |0|
|AES256-GCM-SHA384 |0.32| 0.31| 0|
|AES256-SHA256 |0 |0.16 |0|
|AES256-SHA |0 |5.07| 0|
|ECDHE-RSA-AES128-GCM-SHA256 |35.68 |30.85 |35.77|
|ECDHE-ECDSA-AES128-GCM-SHA256 |0 |0 |0|
|ECDHE-RSA-AES128-SHA256 |0 |0 |31.71|
|ECDHE-ECDSA-AES128-SHA256 |0 |0 |0|
|ECDHE-RSA-AES128-SHA |57.42 |0.15| 8.85|
|ECDHE-ECDSA-AES128-SHA |0 |0 |0|
|ECDHE-RSA-DES-CBC3-SHA |0 |0 |0|
|ECDHE-ECDSA-DES-CBC3-SHA |0 |0 |0|
|ECDH-RSA-AES128-GCM-SHA256 |0 |0 |0|
|ECDH-ECDSA-AES128-GCM-SHA256 |0 |0 |0|
|ECDH-RSA-AES128-SHA256 |0 |0 |0|
|ECDH-ECDSA-AES128-SHA256 |0 |0 |0|
|ECDH-RSA-AES128-SHA |0 |0 |0|
|ECDH-ECDSA-AES128-SHA |0 |0 |0|
|AES128-GCM-SHA256 |0 |0 |0.42|
|AES128-SHA256 |0 |0 |0|
|DES-CBC3-SHA |0.79 |0.79 |0|
|ECDHE-RSA-RC4-SHA |0| 0 |16.65|
|ECDHE-ECDSA-RC4-SHA |0 |0 |0|
|ECDH-RSA-RC4-SHA |0 |0 |0|
|ECDH-ECDSA-RC4-SHA |0 |0 |0|
|RC4-SHA |0 |0 |6.53|
|RC4-MD5 |0 |0 |0|
was (Author: shinrich):
I spent today running experiments with a variety of cipher_suite strings.
Based on feedback from my previous suggestion and these experiments, my latest
suggested default cipher_suite list is below (which I referred to as the 6/19
list in the comment above).
{code}
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
{code}
I think it is a good trade off of security, availability, and reliability for a
good out-of-the-box experience.
My final experiment involved three boxes in the same pod. One running with the
list above (6/19 list). One running the list suggested yesterday (6/18 list).
One running the 5.x default.
There was a little bit of CPU difference. The experiment ran for 100 wall
clock minutes. The CPU time for each scenario was
|Scenario|CPU Time|
|6/19 list|130 minutes|
|6/18 list|152 minutes|
|5.x default|180 minutes|
The summary of negotiated protocols
|Cipher |% list 6/19| % list 6/18| % 5.x list|
|ECDHE-RSA-AES256-GCM-SHA384 |0.01 |4.79| 0.02|
|ECDHE-ECDSA-AES256-GCM-SHA384 |0 |0 |0|
|ECDHE-RSA-AES256-SHA384 |0 |30.43| 0|
|ECDHE-ECDSA-AES256-SHA384 |0| 0| 0|
|ECDHE-RSA-AES256-SHA |0| 26.92| 0|
|ECDHE-ECDSA-AES256-SHA |0| 0| 0|
|ECDH-RSA-AES256-GCM-SHA384 |0 |0 |0|
|ECDH-ECDSA-AES256-GCM-SHA384 |0 |0 |0|
|ECDH-RSA-AES256-SHA384 |0 |0 |0|
|ECDH-ECDSA-AES256-SHA384 |0 |0 |0|
|ECDH-RSA-AES256-SHA |0 |0 |0|
|ECDH-ECDSA-AES256-SHA |0 |0 |0|
|AES256-GCM-SHA384 |0.32| 0.31| 0|
|AES256-SHA256 |0 |0.16 |0|
|AES256-SHA |0 |5.07| 0|
|ECDHE-RSA-AES128-GCM-SHA256 |35.68 |30.85 |35.77|
|ECDHE-ECDSA-AES128-GCM-SHA256 |0 |0 |0|
|ECDHE-RSA-AES128-SHA256 |0 |0 |31.71|
|ECDHE-ECDSA-AES128-SHA256 |0 |0 |0|
|ECDHE-RSA-AES128-SHA |57.42 |0.15| 8.85|
|ECDHE-ECDSA-AES128-SHA |0 |0 |0|
|ECDHE-RSA-DES-CBC3-SHA |0 |0 |0|
|ECDHE-ECDSA-DES-CBC3-SHA |0 |0 |0|
|ECDH-RSA-AES128-GCM-SHA256 |0 |0 |0|
|ECDH-ECDSA-AES128-GCM-SHA256 |0 |0 |0|
|ECDH-RSA-AES128-SHA256 |0 |0 |0|
|ECDH-ECDSA-AES128-SHA256 |0 |0 |0|
|ECDH-RSA-AES128-SHA |0 |0 |0|
|ECDH-ECDSA-AES128-SHA |0 |0 |0|
|AES128-GCM-SHA256 |0 |0 |0.42|
|AES128-SHA256 |0 |0 |0|
|DES-CBC3-SHA |0.79 |0.79 |0|
|ECDHE-RSA-RC4-SHA |0| 0 |16.65|
|ECDHE-ECDSA-RC4-SHA |0 |0 |0|
|ECDH-RSA-RC4-SHA |0 |0 |0|
|ECDH-ECDSA-RC4-SHA |0 |0 |0|
|RC4-SHA |0 |0 |6.53|
|RC4-MD5 |0 |0 |0|
> Change default TLS cipher suites
> --------------------------------
>
> Key: TS-3136
> URL: https://issues.apache.org/jira/browse/TS-3136
> Project: Traffic Server
> Issue Type: Improvement
> Components: Security, SSL
> Reporter: Leif Hedstrom
> Assignee: Susan Hinrichs
> Labels: compatibility
> Fix For: 6.0.0
>
>
> In TS-3135 [~i.galic] suggested:
> {quote}
> also, recommendations for a safer ciphersuite:
> SSLCipherSuite
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
>
> from https://cipherli.st/
> {quote}
> [~jacksontj] had responded with:
> {quote}
> [~i.galic] That cipher quite is geared towards security, but doesn't support
> quite a few older clients. I'd recommend we use the suite from mozilla
> (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations)
> which is a good mix of security and compatibility:
> {code}
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> {code}
> {quote}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
