Re: ECDSA and RSA: setting preference

Thu, 13 Apr 2017 11:23:45 -0700 

> On Apr 13, 2017, at 1:49 PM, Zbyszek Żółkiewski <t...@onefellow.com> wrote:
> 
> Thanks for the insights, 
> 
> Please note that "aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH”
> is a default postfix configuration

Yes, I set that default...

> - and i do not change it -  just by adding ECDSA at the beginning, i am 
> changing order of ciphers.

That's a change.

> And you stated that "OpenSSL prefers ECDSA to RSA by default.”

It is true, when all the other factors that go into cipher selection
are equal.  Strong key exchange, ... takes precedence over the
public key (authentication) algorithm preference.

With OpenSSL 1.1.0, the top few ciphers are:

ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) 
Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA 
Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  
Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  
Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(256) Mac=AEAD
DHE-RSA-AES256-CCM8     TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM8(256) Mac=AEAD

Note that ECDSA ciphers precede the *otherwise equivalent* RSA ciphers.

> openssl ciphers
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:……..

Yes, RSA was preferred in OpenSSL <= 1.0.2.

> that is openssl 1.0.1 (debian 8), openssl in fact mix ECDHE-RSA and 
> ECDHE-ECDSA (i guess order is because that suite is similar in strength, 
> maybe)

Your main security risk is weak key agreement, not weak authentication.
It is unlikely that your CPU overtaxed doing RSA handshakes.  It is
simplest to let the RSA preference of OpenSSL 1.0.x stand.

Getting the cipher order right with ECDSA preferred over RSA for otherwise
equivalent and *sensibly ordered* parameters requires more care than is
worth the effort.

The supported ciphers change with time, and the entire cipher selection
process changes completely with TLS 1.3.

Just let the defaults stand.  Yes, your ECDSA certificate will rarely
be used (actually with "tls_preempt_cipherlist = no", some OpenSSL >= 1.1.0
clients will prefer ECDSA, if they don't prefer aNULL instead).

-- 
        Viktor.

Reply via email to