On 16.04.2014 at 22:22, Arnt Gulbrandsen <[email protected]> wrote:

> On Wednesday, April 16, 2014 7:56:49 PM CEST, Mark Felder wrote:
>> Stunnel, however, gives you full control over your cipher suites.
> 
> In the sense that it gives you a variable to configure. I spent two hours 
> learning the syntax and semantics, and did not feel that I was in full 
> control afterwards. Maximilian's problem revolves around ECDH/DH vs. kEDH, 
> and perhaps what's compiled in. I have reread the ciphers man page tonight, 
> and I do not feel in control.
> 
>> There's a long gap in time between Aox 3.1.3 and 3.2.0, which means for 
>> nearly 4 years end users had no control over this. I certainly agree that 
>> stunnel is not going to magically make all your security problems go away, 
>> but in certain cases it can help to shrink the scope of the damage possible 
>> (though possibly not very much for an IMAP server)
> 
> The two hours I spent was enough to learn a bit. I learned that googling for 
> cipher advice gives conflicting and wrong advice. And I learned that people 
> who’ve set ciphers in their configuration didn't update promptly after BEAST 
> was known.

I found
        https://wiki.mozilla.org/Security/Server_Side_TLS#Attacks_on_TLS
and the OPENSSL COOKBOOK by Ivan Ristić useful. On page 30, I found this 
advice:
'kEECDH+ECDSA kEECDH kEDH HIGH +SHA +RC4 RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA'
which gives the following ordering on OpenSSL 1.0.1c:
          0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
          0xC0,0x24 - ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
          0xC0,0x2B - ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
          0xC0,0x23 - ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
          0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
          0xC0,0x28 - ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
          0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
          0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
          0x00,0x6B - DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
          0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0x00,0x67 - DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
          0x00,0x9D - AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
          0x00,0x3D - AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
          0x00,0x9C - AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0x00,0x3C - AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
          0xC0,0x0A - ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
          0xC0,0x09 - ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
          0xC0,0x14 - ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
          0xC0,0x13 - ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
          0x00,0x39 - DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
          0x00,0x33 - DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
          0x00,0x35 - AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
          0x00,0x2F - AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
          0xC0,0x07 - ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
          0xC0,0x11 - ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
          0x00,0x05 - RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
and this on OpenSSL 0.9.8y:
DHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA
AES256-SHA
AES128-SHA
RC4-SHA

which looks reasonable to me.

Putting this in tlsthread.cpp results in (built with openssl 0.9.8y):

openssl s_client   -connect some.ser.ver:143  -starttls imap

. . .
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: F25B2B66A6F7328D42ACC20BB129D6B8F6A3243775F26016D08CD680096C7FA0
    Session-ID-ctx: 
    Master-Key: 938E5E3775A4D21F8534948F41BE27B492BFC3AA6B0F345FF95000FA4062B404EC9EAB80D15753CF22488728B598D89C
    Key-Arg   : None
    Start Time: 1397681113
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)


Axel
---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius
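
Added example, not part of Axel's message or of Archiveopteryx: a small parser for the `openssl ciphers -V` listing format shown above that checks which configured suites use an ephemeral key exchange and whether a handshake settled on a suite below them. The function names are made up for this illustration; the sample rows are copied from the listing in the message.

```python
import re

# Rows copied from the OpenSSL 1.0.1c listing in the message above (the five
# suites that also make up its 0.9.8y list), wrapped the way the mail wrapped them.
SAMPLE = """\
          0x00,0x39 - DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA
Enc=AES(256)  Mac=SHA1
          0x00,0x33 - DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA
Enc=AES(128)  Mac=SHA1
          0x00,0x35 - AES256-SHA              SSLv3 Kx=RSA      Au=RSA
Enc=AES(256)  Mac=SHA1
          0x00,0x2F - AES128-SHA              SSLv3 Kx=RSA      Au=RSA
Enc=AES(128)  Mac=SHA1
          0x00,0x05 - RC4-SHA                 SSLv3 Kx=RSA      Au=RSA
Enc=RC4(128)  Mac=SHA1
"""

FIELDS = ("id", "name", "proto", "kx", "au", "enc", "bits", "mac")
ROW = re.compile(
    r"(0x[0-9A-Fa-f]{2},0x[0-9A-Fa-f]{2}) - (\S+) (\S+) "
    r"Kx=(\S+) Au=(\S+) Enc=([^\s(]+)\((\d+)\) Mac=(\S+)"
)

def parse_listing(text):
    """Parse `openssl ciphers -V` rows in preference order, undoing line wraps."""
    flat = " ".join(text.split())  # collapse wrapping and column padding
    return [dict(zip(FIELDS, m.groups())) for m in ROW.finditer(flat)]

def forward_secret(suite):
    # Ephemeral exchanges print as exactly Kx=ECDH or Kx=DH in this format;
    # static variants carry a suffix (Kx=ECDH/RSA, Kx=DH/DSS) and Kx=RSA is static.
    return suite["kx"] in ("ECDH", "DH")

def audit(text, negotiated):
    """Compare the suite a handshake settled on against the configured order."""
    suites = parse_listing(text)
    names = [s["name"] for s in suites]
    pos = names.index(negotiated)  # ValueError if the suite is not configured
    return {
        "negotiated_fs": forward_secret(suites[pos]),
        "skipped_fs": [s["name"] for s in suites[:pos] if forward_secret(s)],
        "rc4": [s["name"] for s in suites if s["enc"] == "RC4"],
        "sha1_mac": [s["name"] for s in suites if s["mac"] == "SHA1"],
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE, "AES256-SHA").items():
        print(f"{key}: {value}")
```

Run against the `Cipher is AES256-SHA` result from the s_client session above, it reports that both DHE suites ranked ahead of the negotiated one were passed over; a server with no DH parameters loaded, or one that follows the client's order, are common reasons to check for.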
