[
https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14594017#comment-14594017
]
Susan Hinrichs edited comment on TS-3136 at 6/19/15 9:54 PM:
-------------------------------------------------------------
I ran an experiment to estimate the impact of DHE on our traffic set. I set up
2048 bit dhparams file and inserted the DHE params ciphers right in front of
the non PFS ciphers. The following cipher percentages changed
|Cipher|6/19 list w/o DHE %|6/19 list with DHE %|
|DHE-RSA-AES128-SHA|0|4.12|
|AES128-SHA|5.78|0|
|AES256-SHA|0|1.28|
These don't all add up to equal exchanges. The other ciphers had small shifts
one way or the other. Even with DHE there are still a small percentage of CBC
ciphers that sneak through. I did these test in series, so these aren't the
end-all be-all numbers. I just wanted to get some idea on the scale of the
impact. So broadly speaking by introducing DHE most of the non-PFS ciphers get
shifted over to DHE.
However, I would still argue that we should not include DHE in the default
cipher list. Most of the major sites do not offer DHE. We've had a major ATS
deployer experience an increase in SSL errors that went away when DHE was
removed. If you don't install a good DHParam, the DHE protocol can be hacked.
Therefore, for a default stance, I think an ATS deployment will operate more
securely and with less stability risk if DHE is not included in the
cipher_suites list.
was (Author: shinrich):
I ran an experiment to estimate the impact of DHE on our traffic set. I set up
2048 bit dhparams file and inserted the DHE params ciphers right in front of
the non PFS ciphers. The following cipher percentages changed
|_.Cipher|_.6/19 list w/o DHE %|_.6/19 list with DHE %|
|DHE-RSA-AES128-SHA|0|4.12|
|AES128-SHA|5.78|0|
|AES256-SHA|0|1.28|
These don't all add up to equal exchanges. The other ciphers had small shifts
one way or the other. Even with DHE there are still a small percentage of CBC
ciphers that sneak through. I did these test in series, so these aren't the
end-all be-all numbers. I just wanted to get some idea on the scale of the
impact. So broadly speaking by introducing DHE most of the non-PFS ciphers get
shifted over to DHE.
However, I would still argue that we should not include DHE in the default
cipher list. Most of the major sites do not offer DHE. We've had a major ATS
deployer experience an increase in SSL errors that went away when DHE was
removed. If you don't install a good DHParam, the DHE protocol can be hacked.
Therefore, for a default stance, I think an ATS deployment will operate more
securely and with less stability risk if DHE is not included in the
cipher_suites list.
> Change default TLS cipher suites
> --------------------------------
>
> Key: TS-3136
> URL: https://issues.apache.org/jira/browse/TS-3136
> Project: Traffic Server
> Issue Type: Improvement
> Components: Security, SSL
> Reporter: Leif Hedstrom
> Assignee: Susan Hinrichs
> Labels: compatibility
> Fix For: 6.0.0
>
>
> In TS-3135 [~i.galic] suggested:
> {quote}
> also, recommendations for a safer ciphersuite:
> SSLCipherSuite
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
>
> from https://cipherli.st/
> {quote}
> [~jacksontj] had responded with:
> {quote}
> [~i.galic] That cipher quite is geared towards security, but doesn't support
> quite a few older clients. I'd recommend we use the suite from mozilla
> (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations)
> which is a good mix of security and compatibility:
> {code}
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> {code}
> {quote}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
