
Re: [Sks-devel] Recommended HKPS protocols & ciphersuites?


From: Pete Stephenson
Subject: Re: [Sks-devel] Recommended HKPS protocols & ciphersuites?
Date: Sun, 03 Aug 2014 23:13:39 +0200
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0

On 8/3/2014 10:55 PM, David Benfell wrote:
> On Sun, Aug 03, 2014 at 09:29:49PM +0200, Pete Stephenson wrote:
>> Hi all,
>>
>> For those running HKPS-enabled servers in the pool, what protocols and
>> ciphersuites do you use?
>>
>> I'd hope that it'd be safe these days to disable SSLv2. How about SSLv3?
>> RC4?
>>
>> I'd like to provide a reasonable fallback to older clients that don't
>> support modern ciphers, but without jeopardizing the security of modern
>> clients that do.
>>
> Here is my incantation for Apache (I think this will work in both 2.2
> and 2.4, but I don't remember). It gets me an A+ rating on the Qualys
> SSL test:
> 
>         SSLEngine on
> 
>         SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.2
>         SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:HIGH:!MEDIUM:!LOW:!SSLv2:!aNULL:!PSK:SSLv3:!3DES

That's a good selection. You might also consider !NULL, !EXP, and !SRP
-- with openssl 1.0.1f on my system, your list includes those options.
Null and export ciphers are always a bad thing.

The current recommendation from Qualys[1] is to use TLSv1/1.1/1.2 with:
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

However, that recommendation is primarily for web browsers. I have no
idea what SSL/TLS capabilities are available to HKPS-capable OpenPGP
clients, so I don't know if leaving out SSLv3 is a problem, if old
clients support PFS, or if it'd be necessary to include 3DES/RC4 as a
fallback.

Very limited (2-3 queries) testing suggests that gnupg-curl on Debian
systems supports DHE-RSA-AES256-SHA256 with TLSv1.2. Another query is
from a random user and their OpenPGP client supports TLSv1.2 and
ECDHE-RSA-AES256-GCM-SHA384; not even modern web browsers support that
yet, so I'm impressed.

> However, I have been mean about some older clients. I don't care about
> Yandex, for example, and don't know why they don't update their SSL
> capabilities.

I take a similar approach on my websites: all modern browsers support
TLSv1 or higher and DHE/ECDHE. I see no reason to support old browsers
in general, but there are a lot of legacy OpenPGP clients out there that
I don't want to shut out.

Cheers!
-Pete
P.S. I sent you a message a few days ago regarding peering but your
server is bouncing it with "450 4.3.2 Service currently unavailable".

[1] https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
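As an added example (not part of the thread), a small Python lint that does the check Pete describes doing by hand: it tokenizes an Apache SSLCipherSuite string and reports which of the commonly recommended `!` exclusions are missing and which legacy fallback aliases are still positively offered. It works on the string alone and does not replace running `openssl ciphers -v` against the server's actual OpenSSL build.

```python
"""Lint an Apache SSLCipherSuite string at the token level (added example).

It does not expand the list with OpenSSL; it only checks which exclusions
the thread recommends are absent and which legacy aliases are still offered.
"""
import re

# Exclusions the thread recommends: Pete's !NULL/!EXP/!SRP plus the
# Qualys list's !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS.
RECOMMENDED_EXCLUSIONS = ("aNULL", "eNULL", "EXP", "LOW", "MD5",
                          "3DES", "PSK", "SRP", "DSS")
# "!NULL" removes both the no-auth and no-encryption suites.
COVERS = {"NULL": {"aNULL", "eNULL"}}
# Positive aliases that (re)admit legacy suites and deserve a second look.
LEGACY_FALLBACKS = ("RC4", "3DES", "SSLv3", "MEDIUM")

# Both strings copied from the thread for the demonstration.
DAVID_LIST = ("EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:"
              "ECDHE-RSA-AES128-SHA:HIGH:!MEDIUM:!LOW:!SSLv2:!aNULL:"
              "!PSK:SSLv3:!3DES")
QUALYS_LIST = ("EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
               "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
               "EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW "
               "!3DES !MD5 !EXP !PSK !SRP !DSS")


def tokenize(cipher_string):
    # Apache accepts ':' or whitespace between cipher-list tokens.
    return [t for t in re.split(r"[\s:]+", cipher_string.strip()) if t]


def lint(cipher_string):
    tokens = tokenize(cipher_string)
    excluded = set()
    for tok in tokens:
        if tok.startswith("!"):
            name = tok[1:]
            excluded.add(name)
            excluded |= COVERS.get(name, set())
    # In OpenSSL syntax a '!' removal is permanent, so a legacy alias is
    # only live when no '!' token anywhere in the string kills it.
    missing = [e for e in RECOMMENDED_EXCLUSIONS if e not in excluded]
    live = [t for t in tokens if t in LEGACY_FALLBACKS and t not in excluded]
    return {"missing_exclusions": missing, "live_fallbacks": live}


if __name__ == "__main__":
    for label, s in (("David", DAVID_LIST), ("Qualys", QUALYS_LIST)):
        print(label, lint(s))
```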
