From e8f9c22d02fccde1d992f324280fb9966d3b4be6 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz
Date: Mon, 5 Aug 2019 17:07:48 -0300
Subject: [PATCH] Revise supported ciphersuites

CBC ciphersuites have been under scrutiny because of the many padding oracle vulnerabilities that keep popping up; it seems that we won't be able to patch up the inherent wakness of MAC-then-encrypt forever. They have been blacklisted by HTTP/2, and recently dropped from Mozilla's Security/Serverside TLS intermediate compatibility list: https://wiki.mozilla.org/Security/Server_Side_TLS This commit removes ECDSA-CBC ciphersuites. Basically, you can choose a level of ciphersuite security, using the private-key type as a switch: For RSA keys, CBC and RSA-key exchange ciphers will be enabled--mostly matching Mozilla's Old backward compatibility list. If you use an EC private key, then only ephemeral-key, authenticated ciphers will be used, along the lines of what Mozilla's Intermediate compatibility list prescribes. The order does not match Mozilla's list 100% because in most embedded systems, the server is going to be the least-capable machine. So, chacha20-poly1305 is moved ahead of AES, and the cipher preference is always given to the server. Also, DHE ciphers are not used for server. The client list had the order changed to prioritize authenticated ciphers, so DHE-chacha and DHE-GCM were moved ahead of ECDHE-CBC.

Signed-off-by: Eneas U de Queiroz
---
 ustream-mbedtls.c | 24 +++++++++++++++++-------
 ustream-openssl.c | 42 +++++++++++++++++++++++++++---------------
 2 files changed, 44 insertions(+), 22 deletions(-)

diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index b7d7629..85bbb1c 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -86,18 +86,25 @@ static int _urandom(void *ctx, unsigned char *out, size_t len)
 	return 0;
 }
 
-#define AES_CIPHERS(v) \
+#define AES_GCM_CIPHERS(v) \
 	MBEDTLS_TLS_##v##_WITH_AES_128_GCM_SHA256, \
-	MBEDTLS_TLS_##v##_WITH_AES_256_GCM_SHA384, \
+	MBEDTLS_TLS_##v##_WITH_AES_256_GCM_SHA384
+
+#define AES_CBC_CIPHERS(v) \
 	MBEDTLS_TLS_##v##_WITH_AES_128_CBC_SHA, \
 	MBEDTLS_TLS_##v##_WITH_AES_256_CBC_SHA
 
+#define AES_CIPHERS(v) \
+	AES_GCM_CIPHERS(v), \
+	AES_CBC_CIPHERS(v)
+
 static const int default_ciphersuites_server[] =
 {
 	MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-	AES_CIPHERS(ECDHE_ECDSA),
+	AES_GCM_CIPHERS(ECDHE_ECDSA),
 	MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-	AES_CIPHERS(ECDHE_RSA),
+	AES_GCM_CIPHERS(ECDHE_RSA),
+	AES_CBC_CIPHERS(ECDHE_RSA),
 	AES_CIPHERS(RSA),
 	0
 };
@@ -105,11 +112,14 @@ static const int default_ciphersuites_server[] =
 static const int default_ciphersuites_client[] =
 {
 	MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-	AES_CIPHERS(ECDHE_ECDSA),
+	AES_GCM_CIPHERS(ECDHE_ECDSA),
 	MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-	AES_CIPHERS(ECDHE_RSA),
+	AES_GCM_CIPHERS(ECDHE_RSA),
 	MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-	AES_CIPHERS(DHE_RSA),
+	AES_GCM_CIPHERS(DHE_RSA),
+	AES_CBC_CIPHERS(ECDHE_ECDSA),
+	AES_CBC_CIPHERS(ECDHE_RSA),
+	AES_CBC_CIPHERS(DHE_RSA),
 	MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
 	AES_CIPHERS(RSA),
 	MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
diff --git a/ustream-openssl.c b/ustream-openssl.c
index 3810d6a..b2df362 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
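Review bot: The key-type switch the commit message describes — an ECDSA server key yields only ECDHE_ECDSA AEAD suites, an RSA key additionally gets the ECDHE_RSA CBC entries and the static-RSA AES_CIPHERS(RSA) block — lives purely in the order and contents of default_ciphersuites_server, and the hunk adds no comment saying so; a later reader cannot tell that the absence of AES_CBC_CIPHERS(ECDHE_ECDSA) from the server list (it is present in default_ciphersuites_client) is deliberate. I would add a short comment above default_ciphersuites_server, mirroring the one ustream-openssl.c gains in this commit, e.g. `/* Server: with an ECDSA key only the PFS AEAD suites are negotiable; the ECDHE_RSA CBC and static-RSA entries apply to RSA keys only. Client: AEAD first, then CBC, then non-PFS. */`. The server-side ordering is also only honoured when the mbedTLS build does not define MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE, which is not visible here; if the project relies on server preference, that belongs in the same comment.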
@@ -22,14 +22,16 @@
 #include "ustream-ssl.h"
 #include "ustream-internal.h"
 
-
 /* Ciphersuite preference:
- *   - key exchange: prefer ECDHE, then DHE(client only), then RSA
- *   - prefer AEAD ciphers:
+ *   - for server, no weak ciphers are used if you use an ECDSA key.
+ *   - forward-secret (pfs), authenticated (AEAD) ciphers are at the top:
  *   	chacha20-poly1305, the fastest in software, 256-bits
  *   	aes128-gcm, 128-bits
  *   	aes256-gcm, 256-bits
- *   - CBC ciphers
+ *   - key exchange: prefer ECDHE, then DHE (client only)
+ *   - forward-secret ECDSA CBC ciphers (client-only)
+ *   - forward-secret RSA CBC ciphers
+ *   - non-pfs ciphers
  *   	aes128, aes256, 3DES(client only)
  */
@@ -38,32 +40,38 @@
 	"TLS13-CHACHA20-POLY1305-SHA256:" \
 	"TLS13-AES128-GCM-SHA256:" \
 	"TLS13-AES256-GCM-SHA384:" \
-	ecdhe_ciphers
+	ecdhe_aead_ciphers
 #else
 # define tls13_ciphersuites "TLS_CHACHA20_POLY1305_SHA256:" \
 	"TLS_AES_128_GCM_SHA256:" \
 	"TLS_AES_256_GCM_SHA384"
 # define top_ciphers \
-	ecdhe_ciphers
+	ecdhe_aead_ciphers
 #endif
 
-#define ecdhe_ciphers \
+#define ecdhe_aead_ciphers \
 	"ECDHE-ECDSA-CHACHA20-POLY1305:" \
 	"ECDHE-ECDSA-AES128-GCM-SHA256:" \
 	"ECDHE-ECDSA-AES256-GCM-SHA384:" \
-	"ECDHE-ECDSA-AES128-SHA:" \
-	"ECDHE-ECDSA-AES256-SHA:" \
 	"ECDHE-RSA-CHACHA20-POLY1305:" \
 	"ECDHE-RSA-AES128-GCM-SHA256:" \
-	"ECDHE-RSA-AES256-GCM-SHA384:" \
-	"ECDHE-RSA-AES128-SHA:" \
-	"ECDHE-RSA-AES256-SHA"
+	"ECDHE-RSA-AES256-GCM-SHA384"
 
-#define dhe_ciphers \
+#define dhe_aead_ciphers \
 	"DHE-RSA-CHACHA20-POLY1305:" \
 	"DHE-RSA-AES128-GCM-SHA256:" \
-	"DHE-RSA-AES256-GCM-SHA384:" \
+	"DHE-RSA-AES256-GCM-SHA384"
+
+#define ecdhe_ecdsa_cbc_ciphers \
+	"ECDHE-ECDSA-AES128-SHA:" \
+	"ECDHE-ECDSA-AES256-SHA"
+
+#define ecdhe_rsa_cbc_ciphers \
+	"ECDHE-RSA-AES128-SHA:" \
+	"ECDHE-RSA-AES256-SHA"
+
+#define dhe_cbc_ciphers \
 	"DHE-RSA-AES128-SHA:" \
 	"DHE-RSA-AES256-SHA:" \
 	"DHE-DES-CBC3-SHA"
 
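Review bot: The new comment line ` *   - for server, no weak ciphers are used if you use an ECDSA key.` in the first hunk states an outcome without its mechanism: server_cipher_list still carries ECDHE-RSA CBC and static-RSA suites, and they only become unreachable because OpenSSL will not negotiate an RSA-authenticated suite when the loaded certificate is ECDSA. Spelling that out protects the list from a well-meant "cleanup" later, e.g. ` *   - server: with an ECDSA certificate only the PFS AEAD suites can be negotiated; the CBC and non-pfs entries are RSA-only and are skipped by OpenSSL, not removed from the list`. "Weak" is also doing a lot of work in that line; naming the concern (CBC MAC-then-encrypt padding oracles, as the commit message does) is more useful to the next maintainer. The server-first preference the commit message relies on requires SSL_OP_CIPHER_SERVER_PREFERENCE to be set elsewhere in this file, which these hunks do not show.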
@@ -76,11 +84,15 @@
 
 #define server_cipher_list \
 	top_ciphers ":" \
+	ecdhe_rsa_cbc_ciphers ":" \
 	non_pfs_aes
 
 #define client_cipher_list \
 	top_ciphers ":" \
-	dhe_ciphers ":" \
+	dhe_aead_ciphers ":" \
+	ecdhe_ecdsa_cbc_ciphers ":" \
+	ecdhe_rsa_cbc_ciphers ":" \
+	dhe_cbc_ciphers ":" \
 	non_pfs_aes ":" \
 	"DES-CBC3-SHA"
 
-- 
2.30.2
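Review bot: The strict-for-ECDSA behaviour of server_cipher_list is a property of which certificate is loaded, not of the list: ecdhe_rsa_cbc_ciphers and non_pfs_aes stay in the string, and an SSL_CTX that ends up holding an RSA certificate alongside the ECDSA one (OpenSSL keeps one certificate per key type) would negotiate the CBC and static-RSA suites again. That matches the stated design, but a one-line note beside the macro keeps it from being lost, e.g. `/* RSA-only entries: unreachable with an ECDSA-only certificate, re-enabled if an RSA certificate is loaded */`. Whether ustream-ssl ever loads more than one certificate into a context is not visible in this hunk.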