[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14603319#comment-14603319 ] ASF subversion and git services commented on TS-3136: - Commit 703ccb7108c215cd7357f473c3a9427221ee3b7e in trafficserver's branch refs/heads/6.0.x from shinrich [ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=703ccb7 ] TS-3136: Update default ciphersuite list. This closes #233 (cherry picked from commit df59f9191e750995821120df198d637792489ace) Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.1 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14601036#comment-14601036 ] ASF subversion and git services commented on TS-3136: - Commit df59f9191e750995821120df198d637792489ace in trafficserver's branch refs/heads/master from shinrich [ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=df59f91 ] TS-3136: Update default ciphersuite list. This closes #233 Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14601040#comment-14601040 ] ASF GitHub Bot commented on TS-3136: Github user asfgit closed the pull request at: https://github.com/apache/trafficserver/pull/233 Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14599486#comment-14599486 ] ASF GitHub Bot commented on TS-3136: Github user shinrich closed the pull request at: https://github.com/apache/trafficserver/pull/230 Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14599488#comment-14599488 ] ASF GitHub Bot commented on TS-3136: GitHub user shinrich opened a pull request: https://github.com/apache/trafficserver/pull/233 TS-3136: Update default ciphersuite list. I think this is the final agreed upon list. Review comments and discussion on TS-3136. You can merge this pull request into a Git repository by running: $ git pull https://github.com/shinrich/trafficserver ts-3136-2 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/trafficserver/pull/233.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #233 commit 8e0b3ce0b5ea83f6ff0da55ee6546b8e08e0acc5 Author: shinrich shinr...@yahoo-inc.com Date: 2015-06-24T14:29:25Z TS-3136: Update default ciphersuite list. Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14599395#comment-14599395 ] Susan Hinrichs commented on TS-3136: Talking with more people, some clients (namely Java 7 clients https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_and_Java) do not support DH parameters greater than 1024 bits. In ATS, the default parameters are 2048 bits (1024 bit parameters are vulnerable to attack). It is possible that your increase in error count was due to older clients trying to negotiate DHE but failing once the too large parameters were presented. I think this is another argument against enabling DHE protocols by default. To usefully support DHE, you need to understand your client base. Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14599671#comment-14599671 ] Susan Hinrichs commented on TS-3136: @bcall noted that no clients will actually negotiate CHACHA since it is so low in the list. since CHACHA is not yet widely deployed we are a bit hesitant to put it on top at this point. So we are removing CHACHA from the default list. Individual deployments may want to add it depending on their client and server sets. Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14597653#comment-14597653 ] Susan Hinrichs commented on TS-3136: [~briang] and [~jacksontj] any comments on your experience with DHE? Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14598324#comment-14598324 ] Brian Geffon commented on TS-3136: -- [~shinrich], basically what we found was that upgrading to 5.2 where we added DHE support meant that clients could start negotiating DHE and that caused a spike in ssl_error_ssl, that's about all we ever figured out. We never looked into the reason behind the error spikes, disabling DHE fixed the issue. Also [~bcall] did some research and found that basically no sites are using DHE. Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14595053#comment-14595053 ] Susan Hinrichs commented on TS-3136: Agreed. Independent of the DHE in default cipher list issue, enabling DHE ciphers should be a single step process. I filed TS-3711 to track that issue. It is a minor issue to reenable. Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14594463#comment-14594463 ] John Eaglesham commented on TS-3136: People don't use DHE because of the performance impact, but it's well known to improve security for a number of reasons and it's use is recommended by, for example, Mozilla and Qualys. What are the details of the problem Brian Geffon encountered? If the ATS implementation of DHE is broken we should fix that. If Brian Geffon has a use case where client's negotiate a DHE-enabled cipher but can't actually handle a DHE-enabled server then that's interesting and might be worth disabling DHE for. Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14594586#comment-14594586 ] Susan Hinrichs commented on TS-3136: As I recall, with the dhparams enabled, their servers suffered a significant increase in the ssl_error_ssl stat. I don't think they even had DHE in the their ciphersuite list. But there were several issues we addressed to work things out. [~briang], can you remind us of your DHE issue? Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14594642#comment-14594642 ] Leif Hedstrom commented on TS-3136: --- [~shinrich] I'm almost 100% sure that they did have DHE in their Cipher Suite settings, they had copied one from Mozilla. The confusion / problem arose during an upgrade from 5.1 (or 2) to 5.3, and suddenly clients started negotiating DHE. The claim is that some clients would negotiate DHE now, but fail (hence the increase in ssl_error_ssl stat). I don't know why this increase in failed negotiation happened. I got the impression that our implementation was correct, and some client is not, but I don't have any details. Only [~briang] or [~jacksontj] would have those. The end result was that we made changes in 5.x such that DHE would not be negotiated without an explicit dhparam config file (right?) Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14594654#comment-14594654 ] Susan Hinrichs commented on TS-3136: [~zwoop] that is correct. We changed things to the current state. If there is no dhparams file specific, ATS will not load one for you. So the DHE- protocosl will not be selected during negotiation. Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14594711#comment-14594711 ] John Eaglesham commented on TS-3136: If we want to disable DHE in the default install (which I'm still not confident is the right thing to do, pending what Brian or Thomas say), it's easier to administer if we restore the code that applies default DH params from RFC 5114 and remove DHE from the cipher list than to do the inverse or to remove both. Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14594878#comment-14594878 ] Leif Hedstrom commented on TS-3136: --- Yeah, I'm +1 on doing the right thing with DHE for 6.0.0. The reason we made this change was because it theoretically broke backwards compatibility for at least one user (where they got DHE enabled between upgrading from 5.2.0 to 5.3.0). It was arguable though, since they had set their Cipher list to include DHE :). Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14594125#comment-14594125 ] Susan Hinrichs commented on TS-3136: And because you cannot have too much fun playing with data, here is the negotiated cipher table subtotaled by type of cipher |Cipher Group|% 6/19 list|% 6/18 list|% 5.x default| |non-PFS block cipher |6.89| 6.86|0.48| |GCM|35.69 |35.64 |35.79| |PFS CBC|57.42| 57.5| 40.56| |RC4|0| 0| 23.18| Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14594017#comment-14594017 ] Susan Hinrichs commented on TS-3136: I ran an experiment to estimate the impact of DHE on our traffic set. I set up 2048 bit dhparams file and inserted the DHE params ciphers right in front of the non PFS ciphers. The following cipher percentages changed |_.Cipher|_.6/19 list w/o DHE %|_.6/19 list with DHE %| |DHE-RSA-AES128-SHA|0|4.12| |AES128-SHA|5.78|0| |AES256-SHA|0|1.28| These don't all add up to equal exchanges. The other ciphers had small shifts one way or the other. Even with DHE there are still a small percentage of CBC ciphers that sneak through. I did these test in series, so these aren't the end-all be-all numbers. I just wanted to get some idea on the scale of the impact. So broadly speaking by introducing DHE most of the non-PFS ciphers get shifted over to DHE. However, I would still argue that we should not include DHE in the default cipher list. Most of the major sites do not offer DHE. We've had a major ATS deployer experience an increase in SSL errors that went away when DHE was removed. If you don't install a good DHParam, the DHE protocol can be hacked. Therefore, for a default stance, I think an ATS deployment will operate more securely and with less stability risk if DHE is not included in the cipher_suites list. Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14594073#comment-14594073 ] Susan Hinrichs commented on TS-3136: I spent today running experiments with a variety of cipher_suite strings. Based on feedback from my previous suggestion and these experiments, my latest suggested default cipher_suite list is below (which I referred to as the 6/19 list in the comment above). {code} ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} I think it is a good trade off of security, availability, and reliability for a good out-of-the-box experience. My final experiment involved three boxes in the same pod. One running with the list above (6/19 list). One running the list suggested yesterday (6/18 list). One running the 5.x default. There was a little bit of CPU difference. The experiment ran for 100 wall clock minutes. The CPU time for each scenario was |Scenario|CPU Time| |6/19 list|130 minutes| |6/18 list|152 minutes| |5.x default|180 minutes| The summary of negotiated protocols |Cipher |% list 6/19| % list 6/18|% 5.x list| |ECDHE-RSA-AES256-GCM-SHA384|0.01 |4.79| 0.02| |ECDHE-ECDSA-AES256-GCM-SHA384 |0 |0 |0| |ECDHE-RSA-AES256-SHA384|0 |30.43| 0| |ECDHE-ECDSA-AES256-SHA384 |0| 0| 0| |ECDHE-RSA-AES256-SHA |0| 26.92| 0| |ECDHE-ECDSA-AES256-SHA |0| 0| 0| |ECDH-RSA-AES256-GCM-SHA384 |0 |0 |0| |ECDH-ECDSA-AES256-GCM-SHA384 |0 |0 |0| |ECDH-RSA-AES256-SHA384 |0 |0 |0| |ECDH-ECDSA-AES256-SHA384 |0 |0 |0| |ECDH-RSA-AES256-SHA|0 |0 |0| |ECDH-ECDSA-AES256-SHA |0 |0 |0| |AES256-GCM-SHA384 |0.32| 0.31| 0| |AES256-SHA256 |0 |0.16 |0| |AES256-SHA |0 |5.07| 0| |ECDHE-RSA-AES128-GCM-SHA256|35.68 |30.85 |35.77| |ECDHE-ECDSA-AES128-GCM-SHA256 |0 |0 |0| |ECDHE-RSA-AES128-SHA256|0 |0 |31.71| |ECDHE-ECDSA-AES128-SHA256 |0 |0 |0| |ECDHE-RSA-AES128-SHA |57.42 |0.15| 8.85| |ECDHE-ECDSA-AES128-SHA |0 |0 |0| |ECDHE-RSA-DES-CBC3-SHA |0 |0 |0| |ECDHE-ECDSA-DES-CBC3-SHA |0 |0 |0| |ECDH-RSA-AES128-GCM-SHA256 |0 |0 |0| |ECDH-ECDSA-AES128-GCM-SHA256 |0 |0 |0| |ECDH-RSA-AES128-SHA256 |0 |0 |0| |ECDH-ECDSA-AES128-SHA256 |0 |0 |0| |ECDH-RSA-AES128-SHA|0 |0 |0| |ECDH-ECDSA-AES128-SHA |0 |0 |0| |AES128-GCM-SHA256 |0 |0 |0.42| |AES128-SHA256 |0 |0 |0| |DES-CBC3-SHA |0.79 |0.79 |0| |ECDHE-RSA-RC4-SHA |0| 0 |16.65| |ECDHE-ECDSA-RC4-SHA|0 |0 |0| |ECDH-RSA-RC4-SHA |0 |0 |0| |ECDH-ECDSA-RC4-SHA |0 |0 |0| |RC4-SHA|0 |0 |6.53| |RC4-MD5|0 |0 |0| Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code}
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14594077#comment-14594077 ] Susan Hinrichs commented on TS-3136: For reference, here is the 5.x default cipher suite list {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2 {code} Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14593193#comment-14593193 ] Ivan Ristic commented on TS-3136: - I think the proposed cipher suite selection is pretty good in terms of security, but it can be improved for performance. Here are my suggestions: - Prefer AES128 over AES256. The latter is about 8% slower (for bulk transfers, not handshakes) but no better for security. In fact, some believe that AES128 is stronger. - Prefer SHA non-GCM suites over SHA256 and SHA384. Non-GCM suites that use SHA256 and SHA384 are _much_ slower over those that use SHA. I never measured the difference for SHA384, but SHA256 suites are twice as slow (bulk tranfers, not handshakes) as their SHA counterparts. At the same time, there is no measurable security advantage. Non-GCM suites use hash functions for integrity validation in tandem with HMAC and there are no known practical attacks against them. - Additionally, SHA256 and SHA384 introduce additional transport overhead (per each TLS record), because these hashes are substantially larger. - Side note: despite the same suffix (e.g., SHA256 and SHA384), GCM suites don't use these hash functions in the same way as non-GCM suites. For that reason, they're not slow. In fact, they're the fastest suites currently available. If you're curious, in the names of GCM suites, the SHA256/SHA384 prefix denotes the hashing function used by the protocol's pseudorandom function (PRF). - Please make sure that your DH parameters are at least 2048 bits. I don't know if this isn't the case at the moment, but 1024-bit parameters are very common and yet weak. - If you want to be at the cutting edge of TLS performance, consider adding support for ChaCha20-Poly1305 suites. These are not yet supported by OpenSSL, but they will be soon. LibreSSL supports them natively. CloudFlare maintain an OpenSSL fork that adds support. ChaCha20 suites are strong and provide better performance for mobile users... Chrome has been using them extensively. You should test, but it may be that simply adding the ChaCha20 suites by name to your configuration is enough when ATS is running against a library that supports them. There's a catch when it comes to suite ordering: for desktop users ChaCha20 should be below GCM suites; for mobile users, ChaCha20 should come first. I believe the OpenSSL patch handles this. When you look at CloudFlare's suite configuration https://www.ssllabs.com/ssltest/analyze.html?d=cloudflare.coms=198.41.214.163 you can see that the ChaCha20 suites are at the end. I believe that OpenSSL detects mobile users somehow and selects a ChaCha20 suite even though they're nominally at the bottom. I haven't tested this myself. [~shinrich] to be absolely sure about any performance degradation, is it possible that you disconnect two servers from the persistent session storage? Leave one server with the original cipher suite configuration and try the new configuration the other. Source: Bulletproof SSL and TLS, chapter 9. (I am the author.) Disclaimer: all benchmarks performed on servers that support AES-NI hardware acceleration. Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code}
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14593477#comment-14593477 ] Susan Hinrichs commented on TS-3136: [~jeaglesham] and [~ivanr] thanks for your comments. Looking back at the performance numbers that [~davet] did last year, the AES128 vs AES256 performance numbers are consistent with yours Ivan. I'm really surprised that SHA256 vs SHA would have such a big performance impact. Since SHA has been broken so long, I just had a knee jerk reaction against it. But I think you make a good argument that SHA is good enough in that case. You do bring up a good point about the dhparams. We do provide a means to set your own, but I think the default is the 1024 bit one, which is no good these days. [~bcall] what do you think about setting a 2048 bit DHParam by default? I think [~i.galic] filed a bug on dh params a while back. I'll review the current state of things. Since this string is supposed to be reasonable for at least the coming year, adding ChaCha seems quite reasonable. I think doing the additional test that you suggest is a good idea. I'll see if ops will give me two or three machines so I can compare my proposed string from yesterday, an updated string based on your comments, and potentially the 5.x default cipher string. Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14593519#comment-14593519 ] Ivan Ristic commented on TS-3136: - That's great, thanks! By the way, if ATS is currently using fixed 1024-bit DH parameters, chances are that all its DH traffic can be passively decrypted by a state-level attacker. This was the recent Logjam discovery. If you do decide to stay with 1024 bits, the only reasonably safe approach is to generate per-server DH parameters during installation. Although it's best to transition to 2048-bit parameters, you should be aware that Java command line clients can't handle anything above 1024 bits. There is also a performance penalty associated with increasing DH parameters to 2048 bits, but, judging from your numbers, DHE would almost never be used. Actually, after a closer look, it doesn't seem that you have EDH-RSA-DES-CBC3-SHA in your proposed configuration. If you add it just before DES-CBC3-SHA, it's possible that the clients currently using 3DES would use this cipher suite instead. Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14593528#comment-14593528 ] Ivan Ristic commented on TS-3136: - [~shinrich] the value of keeping DHE around is to use for fallback for clients that don't support ECDHE. If you don't have DHE, such clients would use the RSA key exchange instead, leaving their traffic without forward secrecy. Because the support for ECDHE is widespread, only a small number of clients would be affected by the removal of DHE, but it's difficult to know exactly how much, given that everyone's user profile is slightly different. In your example above, I think that would be below 1%. At that rate, you might argue that the RSA key exchange is acceptable. For what it's worth, Google doesn't use DHE on their servers. Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14593518#comment-14593518 ] Susan Hinrichs commented on TS-3136: TS-3624 is the bug Igor filed suggesting that we autogenerate DH parameters periodically. Don't think we want to do that for 6.0 at this point. The way it currently stands, unless you specify a dhparams file, no dhparams is registered, so the DHE ciphers won't be negotiated (which explains why my measurements had no DHE ciphers). At one point in 5.2/5.3 we registered a 2048 bit DH param from RFC 5114, but that messed things up for [~briang] so the change was backed out and the param is only set if the user specifies it via a file. In my opinion for 6.0, we should either: * Remove DHE from the list of default ciphers * Re-introduce an auto-generated DH param so the DHE ciphers might get negotiated. From a lazy developer's perspective I'd vote for just removing DHE from the list. It looks like ECDHE is pretty prevalent. Is there big value for keeping DHE in the defaults? Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14593573#comment-14593573 ] Susan Hinrichs commented on TS-3136: It looks like we have around 5% hitting non-PFS protocols. I'll add an experiment to set a dh params file (to actually activate the DHE protocols) and see how much of that 5% we can convert to DHE protocols. Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14592951#comment-14592951 ] John Eaglesham commented on TS-3136: Should we prefer AES128 over AES256? AES128 is faster and secure enough for all reasonable scenarios. Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14592524#comment-14592524 ] ASF GitHub Bot commented on TS-3136: GitHub user shinrich opened a pull request: https://github.com/apache/trafficserver/pull/230 TS-3136: Change default TLS cipher suites The bug contains a rational for this list as well as some production test results. You can merge this pull request into a Git repository by running: $ git pull https://github.com/shinrich/trafficserver ts-3136 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/trafficserver/pull/230.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #230 commit 1024e9ede1dd840f883aa0d6a7d5851940a336e5 Author: shinrich shinr...@yahoo-inc.com Date: 2015-06-18T21:07:27Z TS-3136: Change default TLS cipher suites Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14592485#comment-14592485 ] Susan Hinrichs commented on TS-3136: Ran some tests on a production box in Y! Based on those results, I suggest the following cipher string. ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA The upshot is that we remove RC4, add new ciphers, and rearrange the list to give preference to cipher attributes in the following order: PFS, then GCM, then stronger SHA, then stronger AES. 3DES is at the end to scoop up the remainders. We tested in the Y! environment which tends to have a wide variety of clients. Removing RC4 did not seem to significantly impact handshake success rate. CBC algorithms are also concerning, but if we care about out-of-the-box experience it looks like the CBC algorithms need to stick around for a while longer. Here are details of the test With Y! original cipher string 0.0102% ssl_error_ssl The number of DES-CBC3-SHA sessions was negligible (45). The Y! initial configuration has one RC4 algorithm listed kind of early, so the RC4 percentage was around 30% as [~davet] noted in an earlier comment. With proposed default cipher string running for an hour 0.009% ssl_error_ssl The percentage of DES-CBC3-SHA sessions grew to 0.9% of sessions. In my experiment, it was impossible to isolate the CPU impact of this change. To test a new cipher without updating all the machines in the production pod, I remove the test box from the SSL session sharing communication. The test box experienced around a 30% increase in CPU utilization, but I think that can be mostly attributed to increased session negotiation since it did not know about the sessions negotiated by other machines in the pod. We did one experiment with the RC4 ciphers added after DES-CBC3 as another measure of how many clients are only willing to do RC4. After about an hour, 2 RC4 sessions were started. 510932 = Total Successful Handshakes Percentage of various cipher's negotiated # Start with PFS/GCM ciphers. Give slight preference to AES256 over AES128, and prefer stronger SHA 0% ECDHE-ECDSA-AES256-GCM-SHA384: 4.2% ECDHE-RSA-AES256-GCM-SHA384: 0% ECDHE-ECDSA-AES128-GCM-SHA256: 30.6% ECDHE-RSA-AES128-GCM-SHA256: # DHE still gives of PFS but at increased computation cost 0% DHE-RSA-AES256-GCM-SHA384: 0% DHE-DSS-AES256-GCM-SHA384: 0% DHE-RSA-AES128-GCM-SHA256: 0% DHE-DSS-AES128-GCM-SHA256: # CBC versions of the PFS ciphers 0% ECDHE-ECDSA-AES256-SHA384: 30.6% ECDHE-RSA-AES256-SHA384: 0% ECDHE-ECDSA-AES256-SHA: 27.7% ECDHE-RSA-AES256-SHA: 0% ECDHE-ECDSA-AES128-SHA256: 0% ECDHE-RSA-AES128-SHA256: 0% ECDHE-ECDSA-AES128-SHA: 0.14% ECDHE-RSA-AES128-SHA: 0% DHE-RSA-AES256-SHA256: 0% DHE-DSS-AES256-SHA256: 0% DHE-RSA-AES128-SHA256: 0% DHE-DSS-AES128-SHA256: 0% DHE-RSA-AES256-SHA: 0% DHE-DSS-AES256-SHA: 0% DHE-RSA-AES128-SHA: 0% DHE-DSS-AES128-SHA: # No PFS, GCM 0.3% AES256-GCM-SHA384: 0% AES128-GCM-SHA256: # No PFS, CBC 0.2% AES256-SHA256: 0% AES128-SHA256: 4.8% AES256-SHA: 0.5% AES128-SHA: # 3DES as a last resort 0.9% DES-CBC3-SHA Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14589978#comment-14589978 ] ASF GitHub Bot commented on TS-3136: Github user persiaAziz closed the pull request at: https://github.com/apache/trafficserver/pull/223 Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14588253#comment-14588253 ] Dave Thompson commented on TS-3136: --- I did some performance tests a while back using ATS. For some relative general reference ballpark numbers see below. Hardware was AES-NI capable. 3DES was clearly CPU bound, the others were likely network bound in the test environment. 100% 3DES ciphers, I was able to see 1.5Gbps with ~99% CPU. 100% AES_GCM ciphers, I was able to see 5.3Gbps with 35%CPU. 100% RC4_CBC, 4.5Gbps with 50% CPU. Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14588169#comment-14588169 ] Susan Hinrichs commented on TS-3136: [~jacksontj] did the increase in 3DES impact your CPU utilization in a significant way? Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14588316#comment-14588316 ] Dave Thompson commented on TS-3136: --- Doh, I meant RC4 as in RC4_SHA, That would be a trick to make that stream cipher CBC :-) Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14588193#comment-14588193 ] Thomas Jackson commented on TS-3136: Nothing noticable-- but TBH both of these are really low in the list of ciphers we actually see. If we want specific numbers I'd have to wait until I get into the office. From my perspective RC4 is broken, 3DES is slow. Slow broken :) Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14588162#comment-14588162 ] Thomas Jackson commented on TS-3136: [~shinrich] In our testing/experience you can drop RC4 and as long as you support 3DES clients will move to that. Granted 3DES isn't super secure, but its not as broken as RC4 :) Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14586515#comment-14586515 ] Susan Hinrichs commented on TS-3136: We've had one person review the list internally, and it is queued up with another. The first reviewer thought the list was ok. But acknowledged it may not be practical to remove RC4. He also noted that there are problems with CBC algorithms as well (e.g. BEAST) so it isn't necessarily clear that RC4 is so much worse. I'm in the process of trying out the string in production to see what kind of performance impact it has (does it increase CPU utilization or handshake failure rate?). Unfortunately due to session sharing in our production farms, I need to get more clearance to try the new cipher_suite string on all machines in the group rather than just one. Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14586594#comment-14586594 ] John Eaglesham commented on TS-3136: I think it's better to ship a secure SSL configuration that works for 99% of users than a configuration that that works everywhere but is also insecure everywhere. To that end we should probably set the default to TLS 1.2 at the same time, and then we don't have to worry about CBC ciphers. Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14583653#comment-14583653 ] Leif Hedstrom commented on TS-3136: --- Fwiw, I didn't mean to imply that we should just blindly take one of these cipher suite. What i think is important is that we keep our cipher suite up to date with TLS changes. Like, eliminate RC4 seems like a good idea. Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Syeda Persia Aziz Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14583609#comment-14583609 ] ASF GitHub Bot commented on TS-3136: GitHub user persiaAziz opened a pull request: https://github.com/apache/trafficserver/pull/223 TS-3136: change default cipher suite TS-3136: change default cipher suite https://issues.apache.org/jira/browse/TS-3136 You can merge this pull request into a Git repository by running: $ git pull https://github.com/persiaAziz/trafficserver TS-3136 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/trafficserver/pull/223.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #223 commit 3ec0fd99c7b63801bd6e8ef87e1f91c7c0292e29 Author: Syeda Persia Aziz persia.a...@yahoo.com Date: 2015-06-12T15:55:42Z TS-3136: change default cipher suite Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Susan Hinrichs Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14583649#comment-14583649 ] ASF GitHub Bot commented on TS-3136: Github user jpeach commented on the pull request: https://github.com/apache/trafficserver/pull/223#issuecomment-111547708 How was this tested? Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Syeda Persia Aziz Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14583654#comment-14583654 ] Bryan Call commented on TS-3136: [~persiaAziz] Was this just a copy and paste of the mozilla chiper list? The chiper list that we had was well tested and ordered based on a lot of usability testing. We should run this through our security team before changing it. Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Syeda Persia Aziz Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14583658#comment-14583658 ] ASF GitHub Bot commented on TS-3136: Github user shinrich commented on the pull request: https://github.com/apache/trafficserver/pull/223#issuecomment-111550501 Persia did basic testing with a browser. I'm going additional tests with openssl s_client feeding in particular ciphers. Also reviewing the suggesting cipher list. Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Syeda Persia Aziz Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14583688#comment-14583688 ] Syeda Persia Aziz commented on TS-3136: --- I agree Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Syeda Persia Aziz Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14583728#comment-14583728 ] Susan Hinrichs commented on TS-3136: I think we may want to consider the following string for default. Starting from the mozilla string that Thomas suggested. Removed Camilla. Moved ECDHE-ECDSA in front of the ECHDE-RSA versions. Moved AES256 in front of AES128 versions. Still have 3DES for truly ancient clients. ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Syeda Persia Aziz Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14583706#comment-14583706 ] Susan Hinrichs commented on TS-3136: @bcall, do you mean the yahoo security team? Or is there an apache team we should reach out to? I did some initial comparisons to the old list and there isn't a huge difference. The new list removes the RC4 ciphers. It adds in the ECDHE-ECDSA version of the ECDHE-RSA ciphers that are in the list It adds in a number of DHE-* ciphers, more options for PFS It adds in the camellia cipher Since we have honor server order on by default, we may want to move the ECDHE-ECDSA version ahead of the ECDHE-RSA version Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Syeda Persia Aziz Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14583847#comment-14583847 ] Dave Thompson commented on TS-3136: --- In march, I did a survey of ciphers selected by various desktopmobile clients in production hitting our servers, and found approximately 33% hitting were RC4 ciphers (23% ECDHE-RC4, 10% RC4-SHA). Because of the selection bias of AES first configuration, this means there were a significant number of client not capable of AES. It's possible that the implementers of those clients were more afraid of block cipher attacks like BEAST and Lucky13 on AES, than they were from the various RC4 biasing attacks. With the new cipher suite selection we would then fall back to triple-DES, which is a non-trivial bump up in performance degradation. While ChaCha20+Poly1305 is likely to become the RC4 stream replacement, it's still a little too early and currently has limited availability. Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: Syeda Persia Aziz Labels: compatibility Fix For: 6.0.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3136) Change default TLS cipher suites
[ https://issues.apache.org/jira/browse/TS-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14216871#comment-14216871 ] John Eaglesham commented on TS-3136: We shouldn't change the default cipher list in a point release. Tagging with compatibility. Change default TLS cipher suites Key: TS-3136 URL: https://issues.apache.org/jira/browse/TS-3136 Project: Traffic Server Issue Type: Improvement Components: Security, SSL Reporter: Leif Hedstrom Assignee: John Eaglesham Fix For: 5.2.0 In TS-3135 [~i.galic] suggested: {quote} also, recommendations for a safer ciphersuite: SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 from https://cipherli.st/ {quote} [~jacksontj] had responded with: {quote} [~i.galic] That cipher quite is geared towards security, but doesn't support quite a few older clients. I'd recommend we use the suite from mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations) which is a good mix of security and compatibility: {code} ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA {code} {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)