Revise supported ciphersuites
authorEneas U de Queiroz <cotequeiroz@gmail.com>
Mon, 5 Aug 2019 20:07:48 +0000 (17:07 -0300)
committerHauke Mehrtens <hauke@hauke-m.de>
Sat, 17 Aug 2019 13:38:33 +0000 (15:38 +0200)
CBC ciphersuites have been under scrutiny because of the many padding
oracle vulnerabilities that keep popping up; it seems that we won't be
able to patch up the inherent weakness of MAC-then-encrypt forever.  They
have been blacklisted by HTTP/2, and recently dropped from Mozilla's
Security/Serverside TLS intermediate compatibility list:
https://wiki.mozilla.org/Security/Server_Side_TLS

This commit removes ECDSA-CBC ciphersuites.  Basically, you can choose a
level of ciphersuite security, using the private-key type as a switch:

For RSA keys, CBC and RSA-key exchange ciphers will be enabled--mostly
matching Mozilla's Old backward compatibility list.

If you use an EC private key, then only ephemeral-key, authenticated
ciphers will be used, along the lines of what Mozilla's Intermediate
compatibility list prescribes.

The order does not match Mozilla's list 100% because in most embedded
systems, the server is going to be the least-capable machine.  So,
chacha20-poly1305 is moved ahead of AES, and the cipher preference is
always given to the server.  Also, DHE ciphers are not used for server.

The client list had the order changed to prioritize authenticated
ciphers, so DHE-chacha and DHE-GCM were moved ahead of ECDHE-CBC.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
ustream-mbedtls.c
ustream-openssl.c

index b7d7629be3cdeba68db461bde3d69dc2d9c217d8..85bbb1c7c9ea18c04ba9bfcbba1e919a72e13c68 100644 (file)
@@ -86,18 +86,25 @@ static int _urandom(void *ctx, unsigned char *out, size_t len)
        return 0;
 }
 
-#define AES_CIPHERS(v)                                 \
+#define AES_GCM_CIPHERS(v)                             \
        MBEDTLS_TLS_##v##_WITH_AES_128_GCM_SHA256,      \
-       MBEDTLS_TLS_##v##_WITH_AES_256_GCM_SHA384,      \
+       MBEDTLS_TLS_##v##_WITH_AES_256_GCM_SHA384
+
+#define AES_CBC_CIPHERS(v)                             \
        MBEDTLS_TLS_##v##_WITH_AES_128_CBC_SHA,         \
        MBEDTLS_TLS_##v##_WITH_AES_256_CBC_SHA
 
+#define AES_CIPHERS(v)                                 \
+       AES_GCM_CIPHERS(v),                             \
+       AES_CBC_CIPHERS(v)
+
 static const int default_ciphersuites_server[] =
 {
        MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-       AES_CIPHERS(ECDHE_ECDSA),
+       AES_GCM_CIPHERS(ECDHE_ECDSA),
        MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-       AES_CIPHERS(ECDHE_RSA),
+       AES_GCM_CIPHERS(ECDHE_RSA),
+       AES_CBC_CIPHERS(ECDHE_RSA),
        AES_CIPHERS(RSA),
        0
 };
@@ -105,11 +112,14 @@ static const int default_ciphersuites_server[] =
 static const int default_ciphersuites_client[] =
 {
        MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-       AES_CIPHERS(ECDHE_ECDSA),
+       AES_GCM_CIPHERS(ECDHE_ECDSA),
        MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-       AES_CIPHERS(ECDHE_RSA),
+       AES_GCM_CIPHERS(ECDHE_RSA),
        MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-       AES_CIPHERS(DHE_RSA),
+       AES_GCM_CIPHERS(DHE_RSA),
+       AES_CBC_CIPHERS(ECDHE_ECDSA),
+       AES_CBC_CIPHERS(ECDHE_RSA),
+       AES_CBC_CIPHERS(DHE_RSA),
        MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
        AES_CIPHERS(RSA),
        MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
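Review bot: The new ordering of `default_ciphersuites_server` (and of `default_ciphersuites_client` in the second hunk) is not documented in this file, whereas the OpenSSL counterpart carries a "Ciphersuite preference" comment; a reader of the mbedtls list cannot tell that an ECDSA key ending up with no CBC suites is intentional rather than an omission. I would add above the server array: `/* Preference: PFS AEAD suites first (chacha20 ahead of AES for software speed), then ECDHE-RSA CBC, then non-PFS RSA. With an ECDSA key only the AEAD entries apply, so CBC is never offered for ECDSA; keep that when reordering. */`. The client list deserves a similar one-line note that its CBC and 3DES entries are compatibility fallbacks placed after every AEAD suite. The key-type filtering this relies on is presumably done by mbedtls at handshake time and is not visible in this hunk, which is exactly why the intent should be recorded next to the arrays.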
index 3810d6acbb5498c65be563ae31f7cfc444767136..b2df362f9206ee96afa51970924e96af9e3141c5 100644 (file)
 #include "ustream-ssl.h"
 #include "ustream-internal.h"
 
-
 /* Ciphersuite preference:
- * - key exchange: prefer ECDHE, then DHE(client only), then RSA
- * - prefer AEAD ciphers:
+ * - for server, no weak ciphers are used if you use an ECDSA key.
+ * - forward-secret (pfs), authenticated (AEAD) ciphers are at the top:
  *     chacha20-poly1305, the fastest in software, 256-bits
  *     aes128-gcm, 128-bits
  *     aes256-gcm, 256-bits
- * - CBC ciphers
+ * - key exchange: prefer ECDHE, then DHE (client only)
+ * - forward-secret ECDSA CBC ciphers (client-only)
+ * - forward-secret RSA CBC ciphers
+ * - non-pfs ciphers
  *     aes128, aes256, 3DES(client only)
  */
 
                                "TLS13-CHACHA20-POLY1305-SHA256:"       \
                                "TLS13-AES128-GCM-SHA256:"              \
                                "TLS13-AES256-GCM-SHA384:"              \
-                               ecdhe_ciphers
+                               ecdhe_aead_ciphers
 #else
 # define tls13_ciphersuites    "TLS_CHACHA20_POLY1305_SHA256:"         \
                                "TLS_AES_128_GCM_SHA256:"               \
                                "TLS_AES_256_GCM_SHA384"
 
 # define top_ciphers                                                   \
-                               ecdhe_ciphers
+                               ecdhe_aead_ciphers
 #endif
 
-#define ecdhe_ciphers                                                  \
+#define ecdhe_aead_ciphers                                             \
                                "ECDHE-ECDSA-CHACHA20-POLY1305:"        \
                                "ECDHE-ECDSA-AES128-GCM-SHA256:"        \
                                "ECDHE-ECDSA-AES256-GCM-SHA384:"        \
-                               "ECDHE-ECDSA-AES128-SHA:"               \
-                               "ECDHE-ECDSA-AES256-SHA:"               \
                                "ECDHE-RSA-CHACHA20-POLY1305:"          \
                                "ECDHE-RSA-AES128-GCM-SHA256:"          \
-                               "ECDHE-RSA-AES256-GCM-SHA384:"          \
-                               "ECDHE-RSA-AES128-SHA:"                 \
-                               "ECDHE-RSA-AES256-SHA"
+                               "ECDHE-RSA-AES256-GCM-SHA384"
 
-#define dhe_ciphers                                                    \
+#define dhe_aead_ciphers                                               \
                                "DHE-RSA-CHACHA20-POLY1305:"            \
                                "DHE-RSA-AES128-GCM-SHA256:"            \
-                               "DHE-RSA-AES256-GCM-SHA384:"            \
+                               "DHE-RSA-AES256-GCM-SHA384"
+
+#define ecdhe_ecdsa_cbc_ciphers                                                \
+                               "ECDHE-ECDSA-AES128-SHA:"               \
+                               "ECDHE-ECDSA-AES256-SHA"
+
+#define ecdhe_rsa_cbc_ciphers                                          \
+                               "ECDHE-RSA-AES128-SHA:"                 \
+                               "ECDHE-RSA-AES256-SHA"
+
+#define dhe_cbc_ciphers                                                        \
                                "DHE-RSA-AES128-SHA:"                   \
                                "DHE-RSA-AES256-SHA:"                   \
                                "DHE-DES-CBC3-SHA"
 
 #define server_cipher_list                                             \
                                top_ciphers ":"                         \
+                               ecdhe_rsa_cbc_ciphers ":"               \
                                non_pfs_aes
 
 #define client_cipher_list                                             \
                                top_ciphers ":"                         \
-                               dhe_ciphers ":"                         \
+                               dhe_aead_ciphers ":"                    \
+                               ecdhe_ecdsa_cbc_ciphers ":"             \
+                               ecdhe_rsa_cbc_ciphers ":"               \
+                               dhe_cbc_ciphers ":"                     \
                                non_pfs_aes ":"                         \
                                "DES-CBC3-SHA"