sfs8 pt1

Ian Batten ukcrypto at chiark.greenend.org.uk
Wed, 24 Sep 2008 16:33:15 +0100


>
> I don't see that as a valid argument. The reason that a server  
> chooses to accept some less secure protocols as well as the most  
> secure ones would be that some ancient browsers might only offer the  
> less secure ones, and better to use those than nothing at all.


Surely, when you decided that you needed https, you had in mind (or,  
better, in a document) a list of the criteria which led you to that  
decision.  And from that, you should be able to figure out the  
acceptable cipher suites.   If the cipher that the client proposes  
doesn't meet those criteria, then it may as well be in plaintext, and  
that _isn't_ better than nothing at all (``we'd like 3DES, but hey, if  
you can only do ROT26, fire away'').  PFS will, presumably, be a  
factor in those criteria.

But if you want PFS, I _think_ you may struggle to get things working  
with an iPhone.  I believe that the key factor for PFS in the openssl  
CipherSuite is kEDH.  A webserver running with

SSLCipherSuite kEDH

i.e. ignore strength and everything else, but it must have EDH (see  
below for list of the wide range of options that provides) won't sync  
up with an iPod Touch running the latest bits.  So that's where you  
have to make choices: PFS, or the device in your users' pocket?

I don't regard PFS as necessary for mail.batten.eu.org: as the mail is  
stored en clair within its Cyrus instance, someone who has broken in  
probably doesn't need to break old sessions anyway.  So I just use  
``HIGH:MEDIUM:!3DES'' for Cyrus, Sendmail and Apache2, which ensures  
decent keylengths while avoiding burning too much of the server's  
CPU.  By setting that for all the major applications I at least have a  
consistent policy.

ian


> -bash-3.00$ openssl ciphers -v kEDH:@STRENGTH
> ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)   Mac=SHA1
> DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)   Mac=SHA1
> DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)   Mac=SHA1
> EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168)  Mac=SHA1
> EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168)  Mac=SHA1
> ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168)  Mac=SHA1
> ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)   Mac=SHA1
> DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)   Mac=SHA1
> DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)   Mac=SHA1
> DHE-DSS-RC4-SHA         SSLv3 Kx=DH       Au=DSS  Enc=RC4(128)   Mac=SHA1
> ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)   Mac=MD5
> EXP1024-DHE-DSS-RC4-SHA SSLv3 Kx=DH(1024) Au=DSS  Enc=RC4(56)    Mac=SHA1 export
> EXP1024-DHE-DSS-DES-CBC-SHA SSLv3 Kx=DH(1024) Au=DSS  Enc=DES(56)    Mac=SHA1 export
> EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)    Mac=SHA1
> EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)    Mac=SHA1
> ADH-DES-CBC-SHA         SSLv3 Kx=DH       Au=None Enc=DES(56)    Mac=SHA1
> EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)    Mac=SHA1 export
> EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)    Mac=SHA1 export
> EXP-ADH-DES-CBC-SHA     SSLv3 Kx=DH(512)  Au=None Enc=DES(40)    Mac=SHA1 export
> EXP-ADH-RC4-MD5         SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)    Mac=MD5  export
>
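
An added example, not part of the original message: a small auditor that reads `openssl ciphers -v` output and checks each suite against written criteria, showing how much of what a bare kEDH string admits fails them. The three rejection rules and the 128-bit floor are assumed criteria for illustration; the sample lines are copied from the listing above.

```python
import re

# Lines copied from the kEDH listing quoted in the message above.
SAMPLE = """\
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)   Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)   Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168)  Mac=SHA1
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)    Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)    Mac=SHA1 export
EXP-ADH-RC4-MD5         SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)    Mac=MD5  export
"""

# One line of `openssl ciphers -v`: name, protocol, Kx=, Au=, Enc=ALG(bits), Mac=, [export]
LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[^(\s]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$"
)

def audit(text, min_bits=128):
    """Return (accepted suite names, {rejected suite name: [reasons]}).

    min_bits is an assumed policy threshold, not a value from the message.
    """
    accepted, rejected = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE.match(line)
        if m is None:
            # Fail closed: a line we cannot interpret is never accepted.
            rejected[line.split()[0]] = ["unparsed line"]
            continue
        reasons = []
        if m["au"] == "None":
            reasons.append("no authentication")
        if m["export"]:
            reasons.append("export grade")
        if int(m["bits"]) < min_bits:
            reasons.append(f"{m['bits']}-bit cipher")
        if reasons:
            rejected[m["name"]] = reasons
        else:
            accepted.append(m["name"])
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = audit(SAMPLE)
    print("accepted:", ", ".join(ok))
    for name, why in bad.items():
        print(f"rejected: {name}: {'; '.join(why)}")
```

To check a candidate cipher string, pass the text printed by `openssl ciphers -v` for that string to `audit()` in place of `SAMPLE`.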