After responding to a question on misc@ ( http://marc.info/?l=openbsd-misc&m=150280482525307&w=2 ), I've noticed that the part of my response with regard to default-enabled TLS cipher suites on current was wrong. I was testing with an ECDSA-based instead of an RSA-based certificate which renders the set of enabled cipher suites significantly shorter.

In case an RSA-based certificate is used with httpd on current, the following cipher suites are currently enabled by default:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

I am surprised that the set of default-enabled cipher suites is so large. According to httpd.conf(5), it maps to "HIGH:!aNULL", which corresponds to "compat" in libtls's tls_config_set_ciphers(). I then did some more tests on the available cipher suite keywords/profiles in libtls (the following discussion is based on tests with an RSA-based certificate).

tls_config_set_ciphers defines the following 4 profiles:
1) secure / default
since RFC 7905 is over a year old now, shouldn't OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 be removed from this set?

2) compat
3) legacy

These two profiles currently only differ by one cipher suite which is TLS_RSA_WITH_3DES_EDE_CBC_SHA in 'legacy'. However, 'compat' also contains a 3DES cipher suite which is TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA -- I guess this one should not be classified as "HIGH" and only be listed in 'legacy' (since security level <128 bits) but not in 'compat'.

It's not clear to me at which point in time CAMELLIA cipher suites have been added to 'compat' and 'legacy'. There was a previous discussion on tech@ about adding them to libssl/libtls as an option but not enabling them by default ( http://marc.info/?l=openbsd-tech&m=147213883819627&w=2 ). I don't find a commit which explicitly enabled CAMELLIA cipher suites by default -- did they accidentally sneak into httpd's default TLS config due to the use of openssl's ciphers strings?

In case an ECDSA-based certificate is used, the 'compat' profile implicitly corresponds to ECDHE-only cipher suites (since all ECDSA-based cipher suites provide forward secrecy). Wouldn't it make sense to also remove all RSA key transport based cipher suites from 'compat' in the case of RSA-based certificates? If RSA key transport cipher suites remained in 'legacy', this would also provide better differentiation between these two profiles.

4) insecure / all

Since this profile includes RC4 and DES cipher suites, I guess we all agree that these should never be used. In case someone actually wants to enable dangerous stuff in libtls, direct use of openssl's ALL ciphers string could still be used in order to provide the same damage. Is there a sufficiently good reason to keep these keywords in libtls at all?

Best regards
Andreas
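As an added example (not part of the post above and not libtls code), the following script applies the post's three criteria to the quoted default list: it parses each IANA-style suite name, flags RSA key transport (no forward secrecy), 3DES (112-bit security level) and the pre-RFC 7905 OLD_ ChaCha20 suite, and returns the suites that would survive the stricter 'compat' the post proposes. The bit-level table and the parsing regex are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed input: the RSA-certificate default set quoted in the post.
DEFAULT_SUITES = """
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
""".split()

# Assumed approximate symmetric security level (bits) per bulk-cipher token.
BULK_BITS = {"AES_256": 256, "CHACHA20": 256, "CAMELLIA_256": 256,
             "AES_128": 128, "CAMELLIA_128": 128, "3DES": 112}
SUITE_RE = re.compile(r"^(?P<old>OLD_)?TLS_(?P<kx>.+?)_WITH_(?P<rest>.+)$")

@dataclass(frozen=True)
class Suite:
    name: str
    forward_secrecy: bool  # ephemeral (EC)DHE key exchange, not RSA key transport
    bits: int              # security level of the bulk cipher
    pre_rfc7905: bool      # draft ChaCha20 suite (OLD_ prefix), superseded by RFC 7905

def parse_suite(name: str) -> Suite:
    """Classify one IANA-style suite name by key exchange and bulk cipher."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised suite name: {name}")
    bulk = next((b for b in BULK_BITS if m["rest"].startswith(b)), None)
    if bulk is None:
        raise ValueError(f"unknown bulk cipher in: {name}")
    return Suite(name, "DHE" in m["kx"], BULK_BITS[bulk], m["old"] is not None)

def tighten(suites, min_bits=128, require_fs=True, drop_draft=True):
    """Names surviving the post's proposed 'compat' rules; relax the keyword
    arguments (min_bits=112, require_fs=False) to model 'legacy' instead."""
    kept = []
    for s in map(parse_suite, suites):
        if (s.bits < min_bits or (require_fs and not s.forward_secrecy)
                or (drop_draft and s.pre_rfc7905)):
            continue  # RSA key transport, 3DES or the pre-RFC draft suite
        kept.append(s.name)
    return kept
```

Running tighten(DEFAULT_SUITES) leaves seven ECDHE_RSA suites out of the nineteen quoted defaults; everything dropped is either RSA key transport, 3DES or the OLD_ ChaCha20 suite.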
