httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yann Ylavic <ylavic....@gmail.com>
Subject H2 compatible ciphers (was: svn commit: r1708593)
Date Fri, 16 Oct 2015 10:21:00 GMT
On Wed, Oct 14, 2015 at 2:10 PM,  <icing@apache.org> wrote:
> Author: icing
> Date: Wed Oct 14 12:10:11 2015
> New Revision: 1708593
>
> URL: http://svn.apache.org/viewvc?rev=1708593&view=rev
> Log:
> mod_http2: new directive H2Compliance on/off, checking TLS protocol and cipher against
RFC7540
>
[]
>
> Modified: httpd/httpd/trunk/modules/http2/h2_h2.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_h2.c?rev=1708593&r1=1708592&r2=1708593&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/http2/h2_h2.c (original)
> +++ httpd/httpd/trunk/modules/http2/h2_h2.c Wed Oct 14 12:10:11 2015
> @@ -54,6 +54,354 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_is_http
[]
> +/*
> + * Black Listed Ciphers from RFC 7549 Appendix A
> + *
> + */
> +static const char *RFC7540_names[] = {

Wow, that's a pretty long list, and rather disputable IMHO...

[]
> +
> +    /* blacklisted AES128 encrpytion ciphers */
[]
> +    "DHE-RSA-AES128-SHA256",            /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */
[]
> +    "ECDHE-ECDSA-AES128-SHA256",        /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */
[]
> +    "ECDHE-RSA-AES128-SHA256",          /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 */
[]
> +    "AES128-GCM-SHA256",                /* TLS_RSA_WITH_AES_128_GCM_SHA256 */
[]
> +
> +    /* blacklisted AES256 encrpytion ciphers */
[]
> +    "DHE-RSA-AES256-SHA256",            /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */
[]
> +    "ECDHE-ECDSA-AES256-SHA384",        /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */
[]
> +    "ECDHE-RSA-AES256-SHA384",          /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */
[]
> +    "AES256-GCM-SHA384",                /* TLS_RSA_WITH_AES_256_GCM_SHA384 */
[]
> +
> +    /* blacklisted CAMELLIA128 encrpytion ciphers */
[]
> +    "ECDHE-ECDSA-CAMELLIA128-SHA256",   /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
*/
[]
> +    "ECDHE-RSA-CAMELLIA128-SHA256",     /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
*/
[]
> +    "CAMELLIA128-GCM-SHA256",           /* TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
[]
> +    "DHE-RSA-CAMELLIA128-SHA256",       /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
*/
[]
> +
> +    /* blacklisted CAMELLIA256 encrpytion ciphers */
[]
> +    "ECDHE-ECDSA-CAMELLIA256-SHA384",   /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
*/
[]
> +    "ECDHE-RSA-CAMELLIA256-SHA384",     /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
*/
[]
> +    "DHE-RSA-CAMELLIA256-SHA256",       /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
*/
[]
> +    "CAMELLIA256-GCM-SHA384",           /* TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
[]
> +};

Any idea why those above are blacklisted?
Looks like they decided to blacklist all non-ECDHe or CBC based cipher
suites, that's quite radical!
AFAICT, they are all (still) safe ciphers, maybe CBC ones are
"vulnerable" to timing attacks with SSL/TLS (lucky13 like, which
should have been addressed/countermeasured in most TLS libs though),
and DHE ones have lower performances due to network overhead with
big(ger) RSA keys, but what about RSA+GCM ones (which is still the
reference in AEAD cryptography!) with a reference block cipher (AES,
CAMELLIA, ...)?

And maybe more importantly, what remains currently?

I tried:
$ openssl ciphers -v 'TLSv1.2:!kRSA:!aECDH:!DH'

With openssl-1.0.2, this let us:
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-SHA384
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-SHA256
- ECDHE-ECDSA-AES128-SHA256

Whereas libressl-2.2.1 also adds:
- ECDHE-RSA-CHACHA20-POLY1305
- ECDHE-ECDSA-CHACHA20-POLY1305

Quite restrictive (even though those are obviously solid ciphers,
maybe IMHO modulo the complicated ECDSA mode which is disputed)...

BTW, if I am correct, maybe the SSLCipherSuite
'TLSv1.2:!kRSA:!aECDH:!DH' could be used/documented to avoid
whitelisting in httpd configurations (missing new/compatible ciphers
added to the TLS libs over time)...

PS: note that the SSLCipherSuite given in
https://icing.github.io/mod_h2/howto.html#https includes some in the
above blacklist.

Mime
View raw message