[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #32351 [Internal Services/Tor Sysadmin Team]: review our ssl ciphers suite

To: undisclosed-recipients: ;
Subject: Re: [tor-bugs] #32351 [Internal Services/Tor Sysadmin Team]: review our ssl ciphers suite
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Wed, 11 Mar 2020 13:34:26 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 11 Mar 2020 09:34:35 -0400
In-reply-to: <047.8f1277089461a9405eef24e520043f1b@torproject.org>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <047.8f1277089461a9405eef24e520043f1b@torproject.org>
Reply-to: no-reply@xxxxxxxxxxxxxx, blackhole@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#32351: review our ssl ciphers suite
-------------------------------------------------+---------------------
 Reporter:  anarcat                              |          Owner:  tpa
     Type:  task                                 |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+---------------------

Comment (by weasel):

 not just the cipher suites, but also the protocols.

 [copying from #33591]:
 I think we should disable these old protocols.

 This would additionally break, if I read https://www.ssllabs.com/ssltest/
 right (I am comparing old www.debian.org with post-change www.debian.org):

 # Not simulated clients (Protocol mismatch)
 Android 2.3.7   No SNI 2                Protocol mismatch (not simulated)
 Android 4.0.4   Protocol mismatch (not simulated)
 Android 4.1.1   Protocol mismatch (not simulated)
 Android 4.2.2   Protocol mismatch (not simulated)
 Android 4.3     Protocol mismatch (not simulated)
 Baidu Jan 2015  Protocol mismatch (not simulated)
 IE 7 / Vista    Protocol mismatch (not simulated)
 IE 8-10 / Win 7  R              Protocol mismatch (not simulated)
 IE 10 / Win Phone 8.0   Protocol mismatch (not simulated)
 Java 7u25       Protocol mismatch (not simulated)
 OpenSSL 0.9.8y  Protocol mismatch (not simulated)
 Safari 5.1.9 / OS X 10.6.8      Protocol mismatch (not simulated)
 Safari 6.0.4 / OS X 10.8.4  R           Protocol mismatch (not simulated)


 Safari 6 / iOS 6.0.1    Server sent fatal alert: handshake_failure
 Safari 7 / iOS 7.1  R           Server sent fatal alert: handshake_failure
 Safari 7 / OS X 10.9  R         Server sent fatal alert: handshake_failure
 Safari 8 / iOS 8.4  R           Server sent fatal alert: handshake_failure
 Safari 8 / OS X 10.10  R                Server sent fatal alert:
 handshake_failure
 IE 11 / Win Phone 8.1  R                Server sent fatal alert:
 handshake_failure

 the following already don't work:
 IE 8 / XP   No FS 1       No SNI 2              Server sent fatal alert:
 handshake_failure
 Java 6u45   No SNI 2            Client does not support DH parameters >
 1024 bits
 IE 6 / XP   No FS 1       No SNI 2              Protocol mismatch (not
 simulated)


 this is the debian.org diff, tor's would be very similar:

 {{{
 --- a/modules/apache2/templates/puppet-config.erb
 +++ b/modules/apache2/templates/puppet-config.erb
 @@ -1,13 +1,11 @@
  <IfModule mod_ssl.c>
 -  SSLProtocol all -SSLv2 -SSLv3
 -  SSLHonorCipherOrder On
 -
 -  # this is a list that seems suitable as of 2014-10, when running
 wheezy.  It
 -  # probably requires re-visiting regularly.
 -  # 2018-07-17
 -  #  https://mozilla.github.io/server-side-tls/ssl-config-
 generator/?server=apache-2.4.25&openssl=1.0.2l&hsts=yes&profile=intermediate
 -  #  https://mozilla.github.io/server-side-tls/ssl-config-
 generator/?server=apache-2.4.25&openssl=1.1.0&hsts=no&profile=intermediate
 -  SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-
 CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-
 SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-
 AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256
 :ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384
 :ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA
 :ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-
 AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-
 CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-
 SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 +  # this is a list that seems suitable as of 2020-03, when running buster
 +  # (Debian 10).  It probably requires re-visiting regularly.
 +  # 2020-03-11
 +  #  https://ssl-
 config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.4
 +  SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
 +  SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128
 -GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
 :ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128
 -GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 +  SSLHonorCipherOrder     off

    SSLUseStapling On
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32351#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: Re: [tor-bugs] #33663 [Metrics/Consensus Health]: Check checktest.py related errors shown by our network-health scanners
Next by Author: [tor-bugs] #33534 [Applications/Tor Browser]: Review FF relase notes from FF69 to latest (FF73)
Previous by thread: Re: [tor-bugs] #31223 [Core Tor/Tor]: Research approaches for improving the availability of services under DoS
Next by thread: Re: [tor-bugs] #32351 [Internal Services/Tor Sysadmin Team]: review our ssl ciphers suite
Index(es):
- Author
- Thread