[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #32351 [Internal Services/Tor Sysadmin Team]: review our ssl ciphers suite

To: undisclosed-recipients: ;
Subject: Re: [tor-bugs] #32351 [Internal Services/Tor Sysadmin Team]: review our ssl ciphers suite
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Wed, 11 Mar 2020 20:27:58 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 11 Mar 2020 16:28:08 -0400
In-reply-to: <047.8f1277089461a9405eef24e520043f1b@torproject.org>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <047.8f1277089461a9405eef24e520043f1b@torproject.org>
Reply-to: no-reply@xxxxxxxxxxxxxx, blackhole@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#32351: review our ssl ciphers suite
-------------------------------------------------+---------------------
 Reporter:  anarcat                              |          Owner:  tpa
     Type:  task                                 |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+---------------------

Comment (by anarcat):

 i believe weasel made this change in our global apache config and fixed
 the puppetmaster so it also respects that setting.

 the number of remaining TLS setups requiring a review is currently
 undocumented, but it also includes, at least:

  * ipsec?
  * haproxy (configured in
 `modules/roles/templates/onionoo/haproxy.cfg.erb` but maybe other places)
  * nginx (`modules/profile/manifests/nginx.pp`,
 `modules/profile/files/gitlab/gitlab.torproject.org.conf`)
  * postfix (currently the default on eugeni, watch out for the results of
 #33413 here before making any changes)


 filtered output of puppet grep:

 {{{
 modules/profile/files/gitlab/gitlab.torproject.org.conf:  ssl_ciphers
 "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-
 AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-
 AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-
 SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-
 CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
 modules/profile/manifests/nginx.pp:    ssl_ciphers           => 'ECDHE-
 ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128
 -GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384
 :ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-
 SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-
 AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-
 AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-
 AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA
 :ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-
 CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-
 SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-
 CBC3-SHA:!DSS', # lint:ignore:140chars
 modules/roles/templates/onionoo/haproxy.cfg.erb:        ssl-default-bind-
 ciphers
 ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
 }}}

 postfix does not have an explicitely configured cipherlist, so it uses:

 {{{
 smtpd_tls_ciphers = medium
 smtpd_tls_mandatory_ciphers = medium
 tls_medium_cipherlist = aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH
 }}}

 which means, on Debian stretch:

 {{{
 ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-CAMELLIA256-SHA256:AECDH-
 AES256-SHA:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDHE-ECDSA-AES256-GCM-
 SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-
 AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-
 CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM8:ECDHE-
 ECDSA-AES256-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-CCM:ECDHE-ECDSA-
 AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-
 AES256-SHA256:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384
 :DHE-RSA-CAMELLIA256-SHA256:DHE-DSS-CAMELLIA256-SHA256:ECDHE-ECDSA-
 AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-
 RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-
 PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305
 :ECDHE-PSK-CHACHA20-POLY1305:DHE-PSK-AES256-CCM8:DHE-PSK-AES256-CCM:AES256
 -GCM-SHA384:AES256-CCM8:AES256-CCM:PSK-AES256-GCM-SHA384:PSK-
 CHACHA20-POLY1305:PSK-AES256-CCM8:PSK-
 AES256-CCM:AES256-SHA256:CAMELLIA256-SHA256:ECDHE-PSK-AES256-CBC-SHA384
 :ECDHE-PSK-AES256-CBC-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA
 :SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384
 :RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:ECDHE-PSK-
 CAMELLIA256-SHA384:RSA-PSK-CAMELLIA256-SHA384:DHE-PSK-
 CAMELLIA256-SHA384:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA384:PSK-
 AES256-CBC-SHA:PSK-CAMELLIA256-SHA384:ADH-AES128-GCM-SHA256:ADH-
 AES128-SHA256:ADH-CAMELLIA128-SHA256:AECDH-AES128-SHA:ADH-AES128-SHA:ADH-
 CAMELLIA128-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
 :DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-
 AES128-CCM8:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-CCM
 :ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256
 :DHE-DSS-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-
 CAMELLIA128-SHA256:DHE-RSA-CAMELLIA128-SHA256:DHE-DSS-CAMELLIA128-SHA256
 :ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-
 AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:RSA-PSK-AES128
 -GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-CCM8:DHE-PSK-
 AES128-CCM:AES128-GCM-SHA256:AES128-CCM8:AES128-CCM:PSK-AES128-GCM-SHA256
 :PSK-AES128-CCM8:PSK-AES128-CCM:AES128-SHA256:CAMELLIA128-SHA256:ECDHE-
 PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-DSS-AES-128-CBC-SHA
 :SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256
 :DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA
 :ECDHE-PSK-CAMELLIA128-SHA256:RSA-PSK-CAMELLIA128-SHA256:DHE-PSK-
 CAMELLIA128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA256:PSK-
 AES128-CBC-SHA:PSK-CAMELLIA128-SHA256:ADH-SEED-SHA:DHE-RSA-SEED-SHA:DHE-
 DSS-SEED-SHA:SEED-SHA
 }}}

 wheee...

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32351#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: Re: [tor-bugs] #15799 [Metrics/Onionoo]: Find out why different instances may report different timestamps in last_changed_address_or_port
Next by Author: Re: [tor-bugs] #28005 [Applications/Tor Browser]: Officially support onions in HTTPS-Everywhere
Previous by thread: Re: [tor-bugs] #32351 [Internal Services/Tor Sysadmin Team]: review our ssl ciphers suite
Next by thread: Re: [tor-bugs] #32351 [Internal Services/Tor Sysadmin Team]: review our ssl ciphers suite
Index(es):
- Author
- Thread