[OpenWrt-Devel,ustream-ssl,2/2] Revise supported ciphersuites

Message ID 20190805200748.29474-2-cotequeiroz@gmail.com
State Accepted
Delegated to: Hauke Mehrtens

Commit Message

Eneas U de Queiroz Aug. 5, 2019, 8:07 p.m. UTC
CBC ciphersuites have been under scrutiny because of the many padding
oracle vulnerabilities that keep popping up; it seems that we won't be
able to patch up the inherent weakness of MAC-then-encrypt forever.  They
have been blacklisted by HTTP/2, and recently dropped from Mozilla's
Security/Serverside TLS intermediate compatibility list:
https://wiki.mozilla.org/Security/Server_Side_TLS

This commit removes ECDSA-CBC ciphersuites.  Basically, you can choose a
level of ciphersuite security, using the private-key type as a switch:

For RSA keys, CBC and RSA-key exchange ciphers will be enabled--mostly
matching Mozilla's Old backward compatibility list.

If you use an EC private key, then only ephemeral-key, authenticated
ciphers will be used, along the lines of what Mozilla's Intermediate
compatibility list prescribes.

The order does not match Mozilla's list 100% because in most embedded
systems, the server is going to be the least-capable machine.  So,
chacha20-poly1305 is moved ahead of AES, and the cipher preference is
always given to the server.  Also, DHE ciphers are not used for server.

The client list had the order changed to prioritize authenticated
ciphers, so DHE-chacha and DHE-GCM were moved ahead of ECDHE-CBC.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
---
If you use the intermediate compatibility list, you lose compatibility
with Safari on iOS<=8 and OS X<=10.10. Windows XP will not work either,
but since it is not compatible with EC keys, it does not change what we
had before.

I don't think we should drop ciphers from client-mode yet; none of the
ciphers are terribly bad from a client perspective, and if we disable
them, we can either get locked out of a service, or be forced to use an
unencrypted connection.

Patch

diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index b7d7629..85bbb1c 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -86,18 +86,25 @@  static int _urandom(void *ctx, unsigned char *out, size_t len)
 	return 0;
 }
 
-#define AES_CIPHERS(v)					\
+#define AES_GCM_CIPHERS(v)				\
 	MBEDTLS_TLS_##v##_WITH_AES_128_GCM_SHA256,	\
-	MBEDTLS_TLS_##v##_WITH_AES_256_GCM_SHA384,	\
+	MBEDTLS_TLS_##v##_WITH_AES_256_GCM_SHA384
+
+#define AES_CBC_CIPHERS(v)				\
 	MBEDTLS_TLS_##v##_WITH_AES_128_CBC_SHA,		\
 	MBEDTLS_TLS_##v##_WITH_AES_256_CBC_SHA
 
+#define AES_CIPHERS(v)					\
+	AES_GCM_CIPHERS(v),				\
+	AES_CBC_CIPHERS(v)
+
 static const int default_ciphersuites_server[] =
 {
 	MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-	AES_CIPHERS(ECDHE_ECDSA),
+	AES_GCM_CIPHERS(ECDHE_ECDSA),
 	MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-	AES_CIPHERS(ECDHE_RSA),
+	AES_GCM_CIPHERS(ECDHE_RSA),
+	AES_CBC_CIPHERS(ECDHE_RSA),
 	AES_CIPHERS(RSA),
 	0
 };
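Review bot: Neither `default_ciphersuites_server[]` nor the new `AES_GCM_CIPHERS`/`AES_CBC_CIPHERS` macros carry a comment stating the ordering policy, so the fact that CBC suites now appear only under ECDHE_RSA and RSA — and are therefore presumably not negotiable when the server key is EC — reads as accidental rather than as the intent described in the commit message. A header comment above the macros, mirroring the "Ciphersuite preference" block in ustream-openssl.c, would fix that: `/* Server preference: forward-secret AEAD suites first (the only ones reachable with an ECDSA key), then ECDHE-RSA CBC, then non-PFS RSA; CBC is kept for RSA keys only, for compatibility. List is 0-terminated. */`. The same applies to `default_ciphersuites_client[]` in the second hunk, where the three CBC groups are deliberately placed behind the DHE AEAD suites and 3DES is retained; that array continues past the end of the hunk.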
@@ -105,11 +112,14 @@  static const int default_ciphersuites_server[] =
 static const int default_ciphersuites_client[] =
 {
 	MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-	AES_CIPHERS(ECDHE_ECDSA),
+	AES_GCM_CIPHERS(ECDHE_ECDSA),
 	MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-	AES_CIPHERS(ECDHE_RSA),
+	AES_GCM_CIPHERS(ECDHE_RSA),
 	MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-	AES_CIPHERS(DHE_RSA),
+	AES_GCM_CIPHERS(DHE_RSA),
+	AES_CBC_CIPHERS(ECDHE_ECDSA),
+	AES_CBC_CIPHERS(ECDHE_RSA),
+	AES_CBC_CIPHERS(DHE_RSA),
 	MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
 	AES_CIPHERS(RSA),
 	MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
diff --git a/ustream-openssl.c b/ustream-openssl.c
index 3810d6a..b2df362 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -22,14 +22,16 @@ 
 #include "ustream-ssl.h"
 #include "ustream-internal.h"
 
-
 /* Ciphersuite preference:
- * - key exchange: prefer ECDHE, then DHE(client only), then RSA
- * - prefer AEAD ciphers:
+ * - for server, no weak ciphers are used if you use an ECDSA key.
+ * - forward-secret (pfs), authenticated (AEAD) ciphers are at the top:
  *   	chacha20-poly1305, the fastest in software, 256-bits
  * 	aes128-gcm, 128-bits
  * 	aes256-gcm, 256-bits
- * - CBC ciphers
+ * - key exchange: prefer ECDHE, then DHE (client only)
+ * - forward-secret ECDSA CBC ciphers (client-only)
+ * - forward-secret RSA CBC ciphers
+ * - non-pfs ciphers
  *	aes128, aes256, 3DES(client only)
  */
 
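Review bot: The rewritten preference comment lists 3DES only under "non-pfs ciphers", yet `dhe_cbc_ciphers` in the next hunk keeps `DHE-DES-CBC3-SHA`, a forward-secret 3DES suite that sits in `client_cipher_list` ahead of the non-PFS group, so the comment no longer describes the actual order. The line "for server, no weak ciphers are used if you use an ECDSA key" also states the outcome without the mechanism: it holds only because every CBC and non-pfs entry in `server_cipher_list` is an ECDHE-RSA or RSA suite, which cannot be negotiated with an EC key. I would change those two lines to `* - server: with an ECDSA key only the forward-secret AEAD suites can be negotiated, since every CBC/non-pfs entry needs an RSA key` and `*	aes128, aes256, 3DES (client only; DHE-DES-CBC3-SHA comes earlier via dhe_cbc_ciphers)`.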
@@ -38,32 +40,38 @@ 
 				"TLS13-CHACHA20-POLY1305-SHA256:"	\
 				"TLS13-AES128-GCM-SHA256:"		\
 				"TLS13-AES256-GCM-SHA384:"		\
-				ecdhe_ciphers
+				ecdhe_aead_ciphers
 #else
 # define tls13_ciphersuites	"TLS_CHACHA20_POLY1305_SHA256:"		\
 				"TLS_AES_128_GCM_SHA256:"		\
 				"TLS_AES_256_GCM_SHA384"
 
 # define top_ciphers							\
-				ecdhe_ciphers
+				ecdhe_aead_ciphers
 #endif
 
-#define ecdhe_ciphers							\
+#define ecdhe_aead_ciphers						\
 				"ECDHE-ECDSA-CHACHA20-POLY1305:"	\
 				"ECDHE-ECDSA-AES128-GCM-SHA256:"	\
 				"ECDHE-ECDSA-AES256-GCM-SHA384:"	\
-				"ECDHE-ECDSA-AES128-SHA:"		\
-				"ECDHE-ECDSA-AES256-SHA:"		\
 				"ECDHE-RSA-CHACHA20-POLY1305:"		\
 				"ECDHE-RSA-AES128-GCM-SHA256:"		\
-				"ECDHE-RSA-AES256-GCM-SHA384:"		\
-				"ECDHE-RSA-AES128-SHA:"			\
-				"ECDHE-RSA-AES256-SHA"
+				"ECDHE-RSA-AES256-GCM-SHA384"
 
-#define dhe_ciphers							\
+#define dhe_aead_ciphers						\
 				"DHE-RSA-CHACHA20-POLY1305:"		\
 				"DHE-RSA-AES128-GCM-SHA256:"		\
-				"DHE-RSA-AES256-GCM-SHA384:"		\
+				"DHE-RSA-AES256-GCM-SHA384"
+
+#define ecdhe_ecdsa_cbc_ciphers						\
+				"ECDHE-ECDSA-AES128-SHA:"		\
+				"ECDHE-ECDSA-AES256-SHA"
+
+#define ecdhe_rsa_cbc_ciphers						\
+				"ECDHE-RSA-AES128-SHA:"			\
+				"ECDHE-RSA-AES256-SHA"
+
+#define dhe_cbc_ciphers							\
 				"DHE-RSA-AES128-SHA:"			\
 				"DHE-RSA-AES256-SHA:"			\
 				"DHE-DES-CBC3-SHA"
@@ -76,11 +84,15 @@ 
 
 #define server_cipher_list						\
 				top_ciphers ":"				\
+				ecdhe_rsa_cbc_ciphers ":"		\
 				non_pfs_aes
 
 #define client_cipher_list						\
 				top_ciphers ":"				\
-				dhe_ciphers ":"				\
+				dhe_aead_ciphers ":"			\
+				ecdhe_ecdsa_cbc_ciphers ":"		\
+				ecdhe_rsa_cbc_ciphers ":"		\
+				dhe_cbc_ciphers ":"			\
 				non_pfs_aes ":"				\
 				"DES-CBC3-SHA"