Re: [tor-relays] relay's count handshake versions, why not TLS handshake types?

2015-08-02 Thread Tom Ritter
I wonder if you could just run sslyze (or another TLS scanning tool)
on the OR ports of all the relays, and see what ciphersuites they
accept.

It won't be exactly symmetric - I'm not sure (one can investigate the
code though) if those same ciphersuites will be the ones offered in a
relay - relay connection.  It also may not tell you their ordering
preference (but it might! again, you'd have to look at the code.)

-tom

On 2 August 2015 at 08:17, starlight.201...@binnacle.cx wrote:
> In the next-above thread I had mistakenly
> conflated relay handshakes and 'openssl'
> TLS negotiations, which are it seems
> entirely independent.  Thanks to Yawning
> for correcting that misconception.
>
> TLS encryption protects the relay-to-relay
> conversation protocol if I understand
> correctly, while cells are further
> encrypted with EC curve 25519 for the
> actual layered/onion encryption.
>
> Per ticket
>
> https://trac.torproject.org/projects/tor/ticket/15212
>
> relay handshake types are counted and logged
> in the heartbeat message with the idea
> that the old v1/v2 handshake support
> should soon be eliminated.
>
> Now I wonder why the TLS handshake types
> are not also counted with the idea that
> DHE-RSA-AES256-SHA should be eliminated
> entirely due to the near certainty that
> the NSA can decrypt any such sessions
> negotiated using the default DH 1024
> bit primes, per the LogJam research
>
> https://weakdh.org/
>
> I know that 0.2.7 is eliminating 'openssl'
> 0.9.8 from the picture, but this does not
> prevent
>
> $ openssl s_client -connect addr:port -tls1 -cipher EDH
>
> from successfully establishing a connection
> to relay OR ports with the aforementioned
> suspect DHE encryption level.
>
> Seems to me forcible prevention of this
> level of TLS session should be nearly as
> important as moving to the new ed25519
> identity keys.
>
> In addition to ECDHE vs DHE, it might
> make sense to count how many SSL 3,
> TLS 1.0, 1.1 and 1.2 connections are
> established to be certain SSL 3 is really
> dead and to see how quickly TLS 1.2
> is fully supported everywhere.
> Perhaps which ECDHE curve is selected
> should also be tracked.
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] relay's count handshake versions, why not TLS handshake types?

2015-08-02 Thread s7r

Hello,

I think that is to maintain backward compatibility. Tor tries as
hard as possible to maintain backward compatibility with older
versions, unless something critical requires deprecation regardless
of whether some relays will disappear from the consensus.

I guess this is the reason we currently prefer ECDHE but do not reject
DHE. In the future, when we are certain everyone upgraded to new
enough OpenSSL, we can safely reject DHE all the time.

On 8/2/2015 6:57 PM, starlight.201...@binnacle.cx wrote:
> At 08:26 8/2/2015 -0700, you wrote:
>> It also may not tell you their ordering preference (but it might!
>> again, you'd have to look at the code.)
>
> That openssl s_client test I ran was against my 0.2.6.10 with
> openssl 1.0.2 relay.
>
> It's certain that ECDHE is preferred over DHE, but my thought is
> that, especially with 0.2.7 dropping openssl 0.9.8 (no ECDHE), that
> relays should refuse to accept DHE connections entirely.
>
> We've seen many downgrade attacks and who knows for certain if none
> remain buried in the openssl?  Seems prudent to kill-off DHE.
>


Re: [tor-relays] relay's count handshake versions, why not TLS handshake types?

2015-08-02 Thread starlight . 2015q2
Of course!  This is implicit in my posting.

What I am saying is that, like old v1/v2
handshakes, Tor should be moving in the
direction of eliminating DHE.  The
way to approach that is to *count*
the number of DHE handshakes and
other TLS session attributes.  This
is currently being done for TOR/NTOR
handshakes but is not for TLS negotiations.

0.2.7 will not build/run with openssl
0.9.8, so once 0.2.7 is widely deployed
DHE can be forcibly disabled.

BUT, as with v1/v2 handshakes, one
would not want to do that prematurely
so counting them is a good idea.

That suggestion is the principal
idea of the thread.




At 20:01 8/2/2015 +0300, you wrote:
> I think that is to maintain backward
> compatibility. Tor tries as hard as possible to
> maintain backward compatibility with older
> versions, unless something critical requires
> deprecation regardless of whether some relays will
> disappear from the consensus.
>
> I guess this is the reason we currently prefer
> ECDHE but do not reject DHE. In the future, when
> we are certain everyone upgraded to new enough
> OpenSSL, we can safely reject DHE all the time.


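Added example, not code from this thread or from Tor itself: a Python sketch of the per-heartbeat counting proposed above (key-exchange family, TLS version, ECDHE curve), plus a helper that mirrors the `openssl s_client -cipher EDH` check against a relay you operate. SAMPLE_SESSIONS is constructed data; the tuple shape follows what Python's ssl module reports for a session, and the heartbeat wording is an assumption, not Tor's actual log format.

```python
import re
import socket
import ssl
from collections import Counter

# Constructed sample (not real relay data) in the shape Python's ssl module reports
# a session: (OpenSSL cipher name, protocol version, ECDHE curve or None).
SAMPLE_SESSIONS = [
    ("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", "P-256"),
    ("DHE-RSA-AES256-SHA", "TLSv1.0", None),
    ("DHE-RSA-AES256-SHA", "TLSv1.1", None),
    ("AES256-SHA", "TLSv1.0", None),
]
KX_RE = re.compile(r"^(ECDHE|AECDH|DHE|EDH|ADH)-")

def key_exchange(cipher):  # OpenSSL suite name -> key-exchange family
    if cipher.startswith("TLS_"):
        return "ECDHE"  # TLS 1.3 suites always negotiate an ephemeral (EC)DH group
    m = KX_RE.match(cipher)
    if m:
        return "ECDHE" if m.group(1) in ("ECDHE", "AECDH") else "DHE"
    return "RSA"  # static RSA key transport: no forward secrecy at all

def tally(sessions):
    """Count the attributes the thread proposes logging: kx family, version, curve."""
    c = Counter()
    for cipher, version, curve in sessions:
        kx = key_exchange(cipher)
        c["kx:" + kx] += 1
        c["version:" + version] += 1
        if kx == "ECDHE" and curve:
            c["curve:" + curve] += 1
    return c

def heartbeat_line(sessions):
    parts = ["%s=%d" % (k, v) for k, v in sorted(tally(sessions).items())]
    return "Heartbeat: %d TLS sessions: %s" % (len(sessions), " ".join(parts))

def probe_accepts(host, port, openssl_ciphers, timeout=10):
    """Python form of the thread's `openssl s_client -cipher EDH` check: returns
    (cipher, version) if host:port completes a handshake restricted to
    openssl_ciphers, else None. Tor link certs are not CA-signed, so verification
    is off; point this only at a relay you operate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    try:
        ctx.set_ciphers(openssl_ciphers)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                return tls.cipher()[:2]
    except (OSError, ssl.SSLError):
        return None
```

A relay operator would feed `tally()` with the sessions the relay's own TLS layer records; `probe_accepts("127.0.0.1", ORPORT, "EDH")` returning a non-None value is the same observation as the openssl command in the thread.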


Re: [tor-relays] relay's count handshake versions, why not TLS handshake types?

2015-08-02 Thread starlight . 2015q2
At 08:26 8/2/2015 -0700, you wrote:
> I wonder if you could just run sslyze (or another
> TLS scanning tool) on the OR ports of all the
> relays, and see what ciphersuites they accept.

The info would be indicative, but it
would not reflect client-only Tor, which
represents the majority of installations.

That is why I think collecting connection
statistics is a good idea.



Re: [tor-relays] relay's count handshake versions, why not TLS handshake types?

2015-08-02 Thread starlight . 2015q2
At 08:26 8/2/2015 -0700, you wrote:
> It also may not tell you their ordering
> preference (but it might! again,
> you'd have to look at the code.)

That openssl s_client test I ran was
against my 0.2.6.10 with openssl 1.0.2
relay.

It's certain that ECDHE is preferred over
DHE, but my thought is that, especially with
0.2.7 dropping openssl 0.9.8 (no ECDHE),
that relays should refuse to accept
DHE connections entirely.

We've seen many downgrade attacks and
who knows for certain if none remain
buried in the openssl?  Seems prudent
to kill-off DHE.
