[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #18129 [Tor Messenger]: Investigate chosen ciphersuite

Subject: Re: [tor-bugs] #18129 [Tor Messenger]: Investigate chosen ciphersuite
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Sat, 23 Jan 2016 07:47:47 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 23 Jan 2016 02:47:57 -0500
In-reply-to: <047.4d09c6ff0b991bde0af5e1430e70b722@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <047.4d09c6ff0b991bde0af5e1430e70b722@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#18129: Investigate chosen ciphersuite
---------------------------+---------------------
 Reporter:  arlolra        |          Owner:
     Type:  defect         |         Status:  new
 Priority:  High           |      Milestone:
Component:  Tor Messenger  |        Version:
 Severity:  Normal         |     Resolution:
 Keywords:                 |  Actual Points:
Parent ID:                 |         Points:
  Sponsor:                 |
---------------------------+---------------------

Comment (by yawning):

 Replying to [comment:6 arlolra]:
 > It's been suggested that the server doesn't do server side ordering, so
 whatever the client presents first gets picked, meaning Instantbird is
 ordered to use AES128-SHA-128 first :(

 Nope. because...

 > Next step is to record the client hello in wireshark to see what it's
 presenting, to be sure. And then figure out why ...

 {{{
   Cipher Suites Length: 22
   Cipher Suites (11 suites)
     Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
     Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
     Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
     Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
     Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
     Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
     Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
     Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
     Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)      <---
     Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
     Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
 }}}

 As far as I can tell, they don't support any of the ECDHE suites.  The
 right thing to do would be for them to catch up to current best practice
 and enable said suites.  The "we already have worse enabled" fix on the
 Tor Messenger side is to enable `TLS_RSA_WITH_AES_128_GCM_SHA256` and
 `TLS_RSA_WITH_AES_256_GCM_SHA384` after the `TLS_DHE_` suits, but before
 the rest of the other `TLS_RSA_` suites.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18129#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

References:
- [tor-bugs] #18129 [Tor Messenger]: Investigate chosen ciphersuite
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #18119 [Tor]: .onion domain names can be really short
Next by Author: Re: [tor-bugs] #18119 [Tor]: .onion domain names can be really short
Previous by thread: Re: [tor-bugs] #18129 [Tor Messenger]: Investigate chosen ciphersuite
Next by thread: Re: [tor-bugs] #18129 [Tor Messenger]: Investigate chosen ciphersuite
Index(es):
- Author
- Thread