[ https://issues.apache.org/jira/browse/KUDU-2983?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexey Serbin updated KUDU-2983:
--------------------------------
    Status: In Review  (was: Open)

> webserver: remove TLS ciphers with RSA-based key exchange
> ---------------------------------------------------------
>
>                 Key: KUDU-2983
>                 URL: https://issues.apache.org/jira/browse/KUDU-2983
>             Project: Kudu
>          Issue Type: Improvement
>          Components: master, security, tserver
>    Affects Versions: 1.11.0
>            Reporter: Alexey Serbin
>            Priority: Major
>
> Since squeasel now supports ECDH-based algorithms as of 
> [d6a6b54b1|https://github.com/apache/kudu/commit/d6a6b54b175032c7d13d231ef6d156ef9d0e3ab0],
> it's safe to remove ciphers with key exchange based on RSA for the Kudu embedded 
> webserver on every supported platform but CentOS6 (there we use 
> {{openssl-el6-workaround}} defining {{OPENSSL_NO_ECDH}}).
> That's to follow [best 
> practices|https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#25-use-forward-secrecy]
> of using only forward secrecy-enabled ciphers.  Let's use at least the 
> [intermediate 
> compatibility|https://wiki.mozilla.org/Security/Server_Side_TLS] cipher list 
> (needs to be accommodated for CentOS7 since polynomial algos usually are not 
> available in the OpenSSL package on that platform).
> Also, that's to avoid security scan tools like [Qualys SSL Server 
> Test|https://www.ssllabs.com/ssltest/] from SSL Labs issuing warnings about 
> critical vulnerabilities such as [RobotAttack|https://robotattack.org/].  See 
> [this introduction 
> article|https://www.trustzone.com/the-robot-attack-rsa-encryption-is-vulnerable-choose-ecc-in-tls-ssl-certificates-to-ensure-security/]
>  for more context on replacing RSA with ECC for TLS key exchange.
> The issue to remove ciphers with RSA-based key exchange for Kudu RPC is 
> tracked separately since it requires changing the type of the IPKI private key as 
> well.
> This is the list of ciphers to use on CentOS7 and newer for the Kudu webserver:
> {noformat}
> ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
> {noformat}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
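
An added example, not part of the Jira issue or the Kudu code base: a small audit of an OpenSSL-style cipher list that separates key exchange from authentication, showing that the `ECDHE-RSA-*` and `DHE-RSA-*` entries in the proposed list use RSA only for authentication. The function names and `BEFORE_CONSTRUCTED` are hypothetical; the latter is a constructed list for contrast, not Kudu's previous setting.

```python
from typing import List, NamedTuple

class Suite(NamedTuple):
    name: str
    kx: str               # key exchange algorithm
    auth: str             # authentication (certificate key type)
    forward_secret: bool

EPHEMERAL_KX = ("ECDHE", "DHE")
# Other explicit prefixes in OpenSSL names; none appear in the issue's list.
OTHER_PREFIXES = ("ADH", "AECDH", "PSK", "SRP", "RSA")

def classify(name: str) -> Suite:
    """Classify one explicit OpenSSL cipher suite name."""
    if name.startswith("TLS_"):          # TLS 1.3 suites always use ephemeral (EC)DHE
        return Suite(name, "(EC)DHE", "certificate", True)
    parts = name.split("-")
    # Keywords (HIGH) and operators (!aNULL, @STRENGTH) are not suite names.
    if len(parts) < 2 or name[0] in "!+-@":
        raise ValueError(f"not an explicit suite name: {name!r}")
    if parts[0] in EPHEMERAL_KX:         # e.g. ECDHE-RSA-...: kx=ECDHE, auth=RSA
        return Suite(name, parts[0], parts[1], True)
    if parts[0] in OTHER_PREFIXES:
        return Suite(name, parts[0], "other", False)
    # OpenSSL omits the prefix when both key exchange and auth are RSA,
    # e.g. AES128-GCM-SHA256: the suites the issue proposes removing.
    return Suite(name, "RSA", "RSA", False)

def audit(cipher_list: str) -> List[Suite]:
    return [classify(n) for n in cipher_list.split(":")]

def static_rsa_suites(cipher_list: str) -> List[str]:
    """Names of suites whose key exchange is RSA key transport (no forward secrecy)."""
    return [s.name for s in audit(cipher_list) if s.kx == "RSA"]

# The list from the issue (CentOS7 and newer).
PROPOSED = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
            "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
            "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384")
# Constructed for contrast: one forward-secret suite plus two RSA key-transport suites.
BEFORE_CONSTRUCTED = "ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES256-SHA"

if __name__ == "__main__":
    for s in audit(PROPOSED) + audit(BEFORE_CONSTRUCTED):
        print(f"{s.name:32} kx={s.kx:6} auth={s.auth:6} fs={s.forward_secret}")
```
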
