As [discussed on freeipa-devel](http://www.redhat.com/archives/freeipa-devel/2016-January/msg00095.html), the default mod_nss cipher suite is getting obsolete and causes browser warnings or bad marks in SSL certificate quality test suites.
#4431 mentions updating the cipher suite, but that is a bigger task that may not be done in the next release. It would be better to simply update the cipher suite list (like we did with 389-ds-base in #4395) in nss.conf.
Alexander gets an A- from SSLLabs using this configuration:
NSSCipherSuite -rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
Held back due to lack of PFS but adding some EC ciphers will address that.
I've written a small Python script that parses mod_nss' cipher definitions and returns an NSSCipherSuite based on some rules. The script rules out weak cipher suites with e.g. MD5, RC4, export grade encryption and NULL encryption/authentication.
With the settings:
NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha_384,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_128_sha_256,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+ecdhe_rsa_aes_256_sha_384,+fips_3des_sha,+rsa_3des_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha
sslscan shows these accepted cipher suites and protocols:
Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 112 bits ECDHE-RSA-DES-CBC3-SHA
Accepted TLSv1 112 bits DES-CBC3-SHA
Accepted TLS11 256 bits ECDHE-RSA-AES256-SHA
Accepted TLS11 256 bits AES256-SHA
Accepted TLS11 128 bits ECDHE-RSA-AES128-SHA
Accepted TLS11 128 bits AES128-SHA
Accepted TLS11 112 bits ECDHE-RSA-DES-CBC3-SHA
Accepted TLS11 112 bits DES-CBC3-SHA
Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA
Accepted TLS12 256 bits AES256-SHA256
Accepted TLS12 256 bits AES256-SHA
Accepted TLS12 128 bits ECDHE-RSA-AES128-GCM-SHA256
Accepted TLS12 128 bits ECDHE-RSA-AES128-SHA256
Accepted TLS12 128 bits ECDHE-RSA-AES128-SHA
Accepted TLS12 128 bits AES128-GCM-SHA256
Accepted TLS12 128 bits AES128-SHA256
Accepted TLS12 128 bits AES128-SHA
Accepted TLS12 112 bits ECDHE-RSA-DES-CBC3-SHA
Accepted TLS12 112 bits DES-CBC3-SHA
DES-CBC3 is 3DES in CBC mode.
attachment ciphers.py
All ciphers are disabled by default so you shouldn't need to mark any ciphers as removed (-) unless you just want to be clear.
Good to know, Rob! I've removed -ciphers from the list.
I've tested two cipher strings with SSLLabs.com. Both give an 'A' grade. The first one contains 3DES, the second one AES-only. Without 3DES, IE8 on XP is not supported. In both cases neither IE 6 / XP nor Safari 5.1.9 / OS X 10.6.8 are able to establish a connection.
NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha_384,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_128_sha_256,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+ecdhe_rsa_aes_256_sha_384,+fips_3des_sha,+rsa_3des_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha

NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha_384,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_128_sha_256,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+ecdhe_rsa_aes_256_sha_384,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha
The test also points to two minor issues:
We send the trust anchor together with the intermediate and leaf cert.
test result with 3DES enabled SSLServerTest_ipa.demo1.freeipa_with_3DES.pdf
test result without 3DES SSLServerTest_ipa.demo1.freeipa_without_3DES.pdf
I got some feedback from Hubert Kario. He pointed out that my list contains a couple of unnecessary suites. DH key agreement with fixed parameters isn't used by browsers. AES-CBC with large hash functions is slow and doesn't have increased security, e.g. AES-256 in CBC mode with SHA-384 as PRF for HMAC.
I'm now down to 14 cipher suites with and without PFS, all combinations of RSA or ephemeral ECDH for key agreement, RSA or ECDSA for authentication, AES (128/256 in GCM or CBC mode) for encryption and SHA-1, SHA-256 or SHA-384 as PRF. Without 3DES there is no cipher suite compatible with IE8 on Windows XP.
TLS_RSA_WITH_AES_256_CBC_SHA
NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha
The new script contains more detailed comments on algorithm selection and eviction.
attachment nssciphersuite.py
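A reimplementation of the selection rules the comments above describe (weak primitives, fixed-parameter ECDH, 3DES, AES-CBC with SHA-384), added here as an example; it is not the ticket's ciphers.py or nssciphersuite.py, and the name grammar it parses is an assumption derived from the cipher names quoted in this ticket.

```python
"""Classify mod_nss cipher names and apply the eviction rules from this ticket.

Added example, not the ticket's ciphers.py / nssciphersuite.py.  The name
grammar below is an assumption derived from the names quoted in the ticket.
"""
import re

# Assumed grammar: [kx_][auth_]enc[_gcm]_mac, e.g. ecdhe_rsa_aes_128_gcm_sha_256.
# A bare enc name (aes_128_sha_256) is an RSA key exchange suite in mod_nss naming.
NAME_RE = re.compile(
    r"^(?:(?P<kx>ecdhe|ecdh|rsa|fips|fortezza)_)?(?:(?P<auth>ecdsa|rsa)_)?"
    r"(?P<enc>aes_128|aes_256|3des|des_56|des|rc4_128|rc4_56|rc4_40|rc2_40|null)"
    r"(?:_(?P<mode>gcm))?_(?P<mac>md5|sha_256|sha_384|sha)$"
)
WEAK_ENC = {"des", "des_56", "rc4_128", "rc4_56", "rc4_40", "rc2_40", "null"}

def parse_name(name):
    """Split a mod_nss cipher name into its components, or None if unparseable."""
    m = NAME_RE.match(name)
    if not m:
        return None
    parts = m.groupdict()
    parts["kx"] = parts["kx"] or "rsa"
    parts["auth"] = parts["auth"] or ("rsa" if parts["kx"] in ("rsa", "fips") else None)
    parts["mode"] = parts["mode"] or "cbc"
    return parts

def evict_reason(name):
    """Return why a suite is dropped under the ticket's rules, or None to keep it."""
    p = parse_name(name)
    if p is None:
        return "unknown name"  # e.g. fortezza, fortezza_null, typos
    if p["kx"] == "fortezza" or p["enc"] in WEAK_ENC or p["mac"] == "md5":
        return "weak/legacy primitive (MD5, RC4, DES, export grade, NULL, Fortezza)"
    if p["enc"] == "3des":
        return "3DES dropped (only needed for IE8 on Windows XP)"
    if p["kx"] == "ecdh":
        return "fixed-parameter ECDH is not used by browsers"
    if p["mode"] == "cbc" and p["mac"] == "sha_384":
        return "AES-CBC with SHA-384 HMAC is slow without added security"
    return None

def select_suites(names):
    """Return (kept, {name: reason}) for a list of candidate names."""
    kept, dropped = [], {}
    for n in sorted(set(names)):
        reason = evict_reason(n)
        if reason:
            dropped[n] = reason
        else:
            kept.append(n)
    return kept, dropped

def nss_cipher_suite(names):
    """Render a kept list as an NSSCipherSuite directive (enabled suites only)."""
    return "NSSCipherSuite " + ",".join("+" + n for n in names)
```

Run over the 28-suite list quoted earlier, these rules keep a few more CBC/SHA-256 suites than the ticket's final 14, because the comment does not spell out every eviction; the per-suite rejection reasons are the part worth keeping.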
Be aware that the SHA384 ciphers are not available on all distros. An unknown cipher will not cause mod_nss to fail at server start but it will log the failure.
I have posted [PATCH 0030] Modernize mod_nss's cipher suites.
This change should be release-noted in the next release notes, at minimum given that we stopped supporting Internet Explorer 8.
Just for the record, on https://en.wikipedia.org/wiki/Internet_Explorer_8, I read:
On January 12, 2016, support for IE8 on all supported Windows operating systems ceased, due to new support policies dictating that only the newest version of IE available for a supported version of Windows is supported. Only Internet Explorer 11 is supported, except for Windows Vista and Windows Server 2008, where only Internet Explorer 9 is supported, and Windows Server 2012, where only Internet Explorer 10 is supported.
More official information: https://blogs.msdn.microsoft.com/ie/2014/08/07/stay-up-to-date-with-internet-explorer/
master:
ipa-4-3:
Metadata Update from @mkosek: - Issue assigned to cheimes - Issue set to the milestone: FreeIPA 4.3.1