From 5755fc099f883293530406c423bda47414834057 Mon Sep 17 00:00:00 2001 From: Mike MacCana Date: Fri, 8 May 2015 19:54:34 +0100 Subject: [PATCH] tls: update default ciphers to use gcm and aes128 AES-GCM or CHACHA20_POLY1305 ciphers must be used in current version of Chrome to avoid an 'obsolete cryptography' warning. Prefer 128 bit AES over 192 and 256 bit AES considering attacks that specifically affect the larger key sizes but do not affect AES 128. PR-URL: https://github.com/iojs/io.js/pull/1660 Reviewed-By: Fedor Indutny Reviewed-By: Shigeki Ohtsu Reviewed-By: Roman Reiss --- doc/api/tls.markdown | 41 +++++++++++++++++++++++++++++++++-------- lib/tls.js | 9 +++++++-- 2 files changed, 40 insertions(+), 10 deletions(-) diff --git a/doc/api/tls.markdown b/doc/api/tls.markdown index a44d4dd6615a06..657f690343ff03 100644 --- a/doc/api/tls.markdown +++ b/doc/api/tls.markdown @@ -141,14 +141,37 @@ automatically set as a listener for the [secureConnection][] event. The - `ciphers`: A string describing the ciphers to use or exclude, seperated by `:`. The default cipher suite is: - ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256: - DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256: - HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA - - The default cipher suite prefers ECDHE and DHE ciphers for Perfect Forward - secrecy, while offering *some* backward compatibiltity. Old clients which - rely on insecure and deprecated RC4 or DES-based ciphers (like Internet - Explorer 6) aren't able to complete the handshake with the default + ECDHE-RSA-AES128-GCM-SHA256: + ECDHE-ECDSA-AES128-GCM-SHA256: + ECDHE-RSA-AES256-GCM-SHA384: + ECDHE-ECDSA-AES256-GCM-SHA384: + DHE-RSA-AES128-GCM-SHA256: + ECDHE-RSA-AES128-SHA256: + DHE-RSA-AES128-SHA256: + ECDHE-RSA-AES256-SHA384: + DHE-RSA-AES256-SHA384: + ECDHE-RSA-AES256-SHA256: + DHE-RSA-AES256-SHA256: + HIGH: + !aNULL: + !eNULL: + !EXPORT: + !DES: + !RC4: + !MD5: + !PSK: + !SRP: + !CAMELLIA + + The default cipher suite prefers GCM ciphers for [Chrome's 'modern + cryptography' setting] and also prefers ECDHE and DHE ciphers for Perfect + Forward secrecy, while offering *some* backward compatibiltity. + + 128 bit AES is preferred over 192 and 256 bit AES in light of [specific + attacks affecting larger AES key sizes]. + + Old clients that rely on insecure and deprecated RC4 or DES-based ciphers + (like Internet Explorer 6) aren't able to complete the handshake with the default configuration. If you absolutely must support these clients, the [TLS recommendations] may offer a compatible cipher suite. For more details on the format, see the [OpenSSL cipher list format documentation]. @@ -784,6 +807,8 @@ The string representation of the local IP address. The numeric representation of the local port. [OpenSSL cipher list format documentation]: http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT +[Chrome's 'modern cryptography' setting]: http://www.chromium.org/Home/chromium-security/education/tls#TOC-Deprecation-of-TLS-Features-Algorithms-in-Chrome +[specific attacks affecting larger AES key sizes]: https://www.schneier.com/blog/archives/2009/07/another_new_aes.html [BEAST attacks]: http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html [tls.createServer]: #tls_tls_createserver_options_secureconnectionlistener [tls.createSecurePair]: #tls_tls_createsecurepair_context_isserver_requestcert_rejectunauthorized diff --git a/lib/tls.js b/lib/tls.js index 3ae7a8f58b11a1..10c82860ba826e 100644 --- a/lib/tls.js +++ b/lib/tls.js @@ -15,12 +15,17 @@ exports.CLIENT_RENEG_WINDOW = 600; exports.SLAB_BUFFER_SIZE = 10 * 1024 * 1024; exports.DEFAULT_CIPHERS = [ + 'ECDHE-RSA-AES128-GCM-SHA256', + 'ECDHE-ECDSA-AES128-GCM-SHA256', + 'ECDHE-RSA-AES256-GCM-SHA384', + 'ECDHE-ECDSA-AES256-GCM-SHA384', + 'DHE-RSA-AES128-GCM-SHA256', + 'ECDHE-RSA-AES128-SHA256', + 'DHE-RSA-AES128-SHA256', 'ECDHE-RSA-AES256-SHA384', 'DHE-RSA-AES256-SHA384', 'ECDHE-RSA-AES256-SHA256', 'DHE-RSA-AES256-SHA256', - 'ECDHE-RSA-AES128-SHA256', - 'DHE-RSA-AES128-SHA256', 'HIGH', '!aNULL', '!eNULL',