-
Notifications
You must be signed in to change notification settings - Fork 30.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Prefer GCM ciphers over CBC #1660
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -141,14 +141,37 @@ automatically set as a listener for the [secureConnection][] event. The | |
- `ciphers`: A string describing the ciphers to use or exclude, seperated by | ||
`:`. The default cipher suite is: | ||
|
||
ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256: | ||
DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256: | ||
HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA | ||
|
||
The default cipher suite prefers ECDHE and DHE ciphers for Perfect Forward | ||
secrecy, while offering *some* backward compatibiltity. Old clients which | ||
rely on insecure and deprecated RC4 or DES-based ciphers (like Internet | ||
Explorer 6) aren't able to complete the handshake with the default | ||
ECDHE-RSA-AES128-GCM-SHA256: | ||
ECDHE-ECDSA-AES128-GCM-SHA256: | ||
ECDHE-RSA-AES256-GCM-SHA384: | ||
ECDHE-ECDSA-AES256-GCM-SHA384: | ||
DHE-RSA-AES128-GCM-SHA256: | ||
ECDHE-RSA-AES128-SHA256: | ||
DHE-RSA-AES128-SHA256: | ||
ECDHE-RSA-AES256-SHA384: | ||
DHE-RSA-AES256-SHA384: | ||
ECDHE-RSA-AES256-SHA256: | ||
DHE-RSA-AES256-SHA256: | ||
HIGH: | ||
!aNULL: | ||
!eNULL: | ||
!EXPORT: | ||
!DES: | ||
!RC4: | ||
!MD5: | ||
!PSK: | ||
!SRP: | ||
!CAMELLIA | ||
|
||
The default cipher suite prefers GCM ciphers for [Chrome's 'modern | ||
cryptography' setting] and also prefers ECDHE and DHE ciphers for Perfect | ||
Forward secrecy, while offering *some* backward compatibiltity. | ||
|
||
128 bit AES is preferred over 192 and 256 bit AES in light of [specific | ||
attacks affecting larger AES key sizes]. | ||
|
||
Old clients that rely on insecure and deprecated RC4 or DES-based ciphers | ||
(like Internet Explorer 6) aren't able to complete the handshake with the default | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Wrap those long lines at 80 chars, even if it means moving that link to a new line :) |
||
configuration. If you absolutely must support these clients, the | ||
[TLS recommendations] may offer a compatible cipher suite. For more details | ||
on the format, see the [OpenSSL cipher list format documentation]. | ||
|
@@ -784,6 +807,8 @@ The string representation of the local IP address. | |
The numeric representation of the local port. | ||
|
||
[OpenSSL cipher list format documentation]: http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT | ||
[Chrome's 'modern cryptography' setting]: http://www.chromium.org/Home/chromium-security/education/tls#TOC-Deprecation-of-TLS-Features-Algorithms-in-Chrome | ||
[specific attacks affecting larger AES key sizes]: https://www.schneier.com/blog/archives/2009/07/another_new_aes.html | ||
[BEAST attacks]: http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html | ||
[tls.createServer]: #tls_tls_createserver_options_secureconnectionlistener | ||
[tls.createSecurePair]: #tls_tls_createsecurepair_context_isserver_requestcert_rejectunauthorized | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -15,12 +15,17 @@ exports.CLIENT_RENEG_WINDOW = 600; | |
exports.SLAB_BUFFER_SIZE = 10 * 1024 * 1024; | ||
|
||
exports.DEFAULT_CIPHERS = [ | ||
'ECDHE-RSA-AES128-GCM-SHA256', | ||
'ECDHE-ECDSA-AES128-GCM-SHA256', | ||
'ECDHE-RSA-AES256-GCM-SHA384', | ||
'ECDHE-ECDSA-AES256-GCM-SHA384', | ||
'DHE-RSA-AES128-GCM-SHA256', | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The ordering doesn't look right to me. It should be strongest to weakest. I think something like this could do: 'ECDHE-ECDSA-AES256-GCM-SHA384',
'ECDHE-RSA-AES256-GCM-SHA384',
'ECDHE-ECDSA-AES128-GCM-SHA256',
'ECDHE-RSA-AES128-GCM-SHA256',
'DHE-RSA-AES128-GCM-SHA256', There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yeah that's another bit of Mozilla logic. I'll quote them, tell me your thoughts...
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. IIRC there are actually some attacks that affect 256 bit AES but not 128 bit. Let me find a reference. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Hmm, I'd probably trust Mozilla engineers to make the right choice here, as I never perfed ciphers. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. For what it's worth Schneier: 'And for new applications I suggest that people don't use AES-256. AES-128 provides more than enough security margin for the forseeable future. But if you're already using AES-256, there's no reason to change. ' https://www.schneier.com/blog/archives/2009/07/another_new_aes.html There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. My own thoughts: either way we should be consistent. The subsequent ciphers are bit length first. If we do re-order to avoid the AES256 related key attacks we should do that consistently, and re-order the old ones as well as the new ones. Maybe that's for another PR? |
||
'ECDHE-RSA-AES128-SHA256', | ||
'DHE-RSA-AES128-SHA256', | ||
'ECDHE-RSA-AES256-SHA384', | ||
'DHE-RSA-AES256-SHA384', | ||
'ECDHE-RSA-AES256-SHA256', | ||
'DHE-RSA-AES256-SHA256', | ||
'ECDHE-RSA-AES128-SHA256', | ||
'DHE-RSA-AES128-SHA256', | ||
'HIGH', | ||
'!aNULL', | ||
'!eNULL', | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would probably write just
prefers GCM ciphers
. Also, do splitted links like this still work?