Kurt, thank you very much for your illuminating answer.
 
> For the key exchange there are options like X25519 and X448. As far as I 
> know, there is nothing suspicious about them. Firefox offers X25519 as 
> the first curve.
> [...]
> For the authentication there will be Ed25519 and Ed448 in the future.
> 
> Disabling ECDSA support is something you might want to do, but you would 
> then be unable to talk to people using only an ECDSA certificate.
> [...]
> For the TLS 1.2 ciphers it offers, it has them in this order:
> - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> [...]
> 
> It does offer ciphers that support all your requirements by default. It 
> will just depend on the server if it's going to use X25519 or not. And 
> server support for that will currently be very low.
> 

The background of my question is that I am in the process of configuring my web 
server as securely as possible. Given the problems with ECs, I really would like 
to disable them on the server for key exchange as well as for authentication 
(because then I wouldn't have to think about which curves are secure and which 
are not).

I have done that for testing and noticed that Firefox was not able to connect 
to that website any more. The website will definitely only offer AESxxx-GCM for 
encryption (which is supported by all browsers I am interested in). The open 
question is what methods of key exchange I should offer.

Originally, as said above, I wanted to disable ECs on the server completely, 
but that will prevent FF and other major browsers from connecting to my 
website, which was the reason for my initial post.

Until now, I didn't know that Firefox supports Ed25519 for key exchange, so 
this is good news (I don't know anything about Ed448, but Ed25519 is considered 
secure by nearly all crypto experts).

Due to your hint, I will now research how to configure the server so that it 
offers ECDHE for key exchange, but only the curve Ed25519.

But the question remains why FF does not support AES-GCM ciphers with DHE (not 
ECDHE) key exchange. Is there any chance to get this implemented? It would make 
life a lot easier.

The web server runs on a standard Linux (Debian jessie), and I doubt that it is 
easy (or even possible) to configure that system's OpenSSL to support ECDHE but 
only that certain curve (I may be wrong since I haven't researched yet, though).

Binarus
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
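One way for a server administrator to see exactly which key-exchange groups and cipher suites a browser offers, and whether a restricted server policy (for example "only X25519", or "no elliptic curves at all") leaves any group in common, is to decode the client's ClientHello. The following is an added example, not code from this thread or from Mozilla; it constructs a minimal TLS 1.2 ClientHello in Python (the cipher suite and group code points are the IANA-assigned values, the random field is zeroed) and parses the cipher_suites list and the supported_groups extension back out. In practice the bytes would come from a packet capture of the failing connection.

```python
import struct

# IANA-assigned cipher suite code points (not page-specific values)
CIPHER_SUITES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
}
# IANA-assigned supported_groups (formerly "elliptic_curves") code points
GROUPS = {
    0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1",
    0x001D: "x25519", 0x001E: "x448", 0x0100: "ffdhe2048",
}
EXT_SUPPORTED_GROUPS = 0x000A


def build_client_hello(suites, groups):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample input)."""
    group_list = b"".join(struct.pack(">H", g) for g in groups)
    ext_body = struct.pack(">H", len(group_list)) + group_list
    ext = struct.pack(">HH", EXT_SUPPORTED_GROUPS, len(ext_body)) + ext_body
    suite_list = b"".join(struct.pack(">H", s) for s in suites)
    body = (b"\x03\x03" + bytes(32)                # client_version 1.2, zeroed random
            + b"\x00"                               # empty session_id
            + struct.pack(">H", len(suite_list)) + suite_list
            + b"\x01\x00"                           # compression_methods: null only
            + struct.pack(">H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (cipher suite names, supported group names) in client preference order."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack(">H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                # handshake header, version, random
    pos += 1 + hs[pos]                              # session_id
    (cs_len,) = struct.unpack(">H", hs[pos:pos + 2]); pos += 2
    suites = [struct.unpack(">H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hs[pos]                              # compression_methods
    groups = []
    if pos < len(hs):                               # extensions block is optional
        (ext_len,) = struct.unpack(">H", hs[pos:pos + 2]); pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", hs[pos:pos + 4]); pos += 4
            data = hs[pos:pos + elen]; pos += elen
            if etype == EXT_SUPPORTED_GROUPS:
                (glen,) = struct.unpack(">H", data[:2])
                groups = [struct.unpack(">H", data[i:i + 2])[0] for i in range(2, 2 + glen, 2)]
    return ([CIPHER_SUITES.get(s, f"unknown_0x{s:04X}") for s in suites],
            [GROUPS.get(g, f"unknown_0x{g:04X}") for g in groups])


def negotiable_groups(client_groups, server_groups):
    """Groups both sides accept, in the client's order; empty means the handshake fails."""
    return [g for g in client_groups if g in server_groups]


if __name__ == "__main__":
    # Constructed client resembling the quoted Firefox ordering: ECDHE suites, x25519 first.
    hello = build_client_hello([0xC02B, 0xC02F, 0x009E], [0x001D, 0x0017, 0x0018])
    suites, groups = parse_client_hello(hello)
    print("cipher suites:", suites)
    print("groups:", groups)
    print("server allows only x25519:", negotiable_groups(groups, {"x25519"}))
    print("server disables all ECs:", negotiable_groups(groups, {"ffdhe2048"}))
```

The last line of output is the situation described in the message above: a client that offers only elliptic-curve groups has nothing in common with a server that has disabled them, so the connection cannot be established even though both sides support AES-GCM.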
