Mbed-TLS / mbedtls

An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
https://www.trustedfirmware.org/projects/mbed-tls/

Consider removing CBC cipher suites #9202

Open gilles-peskine-arm opened 1 month ago

gilles-peskine-arm commented 1 month ago

TLS ≤1.2 CBC cipher suites are hard to implement securely unless the encrypt-then-MAC (EtM) extension is enabled. They no longer exist in TLS 1.3. They are a significant burden to maintain, because their existence adds a lot of complexity to several functions in the TLS module.

RFC 9325 deprecates CBC cipher suites unless the EtM extension is enabled. Unfortunately, it is not possible to negotiate EtM support cleanly: a client cannot declare that it only accepts CBC cipher suites when EtM is enabled, it can only announce that it supports both, which may result in the server selecting a CBC cipher suite but rejecting the EtM extension, even when the server might have also allowed an AEAD cipher suite.

In 2025, are CBC cipher suites still relevant, or has AEAD (GCM, CCM or ChachaPoly) finally become available everywhere Mbed TLS runs?

(Related: https://github.com/Mbed-TLS/mbedtls/issues/7679 — if we keep them, they might be disabled by default.)

Mailing list thread: https://lists.trustedfirmware.org/archives/list/mbed-tls@lists.trustedfirmware.org/thread/GDEIRA66Y4SEUINHCG2TCJ2NPGL5KJK7/
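The negotiation gap described above (the client can offer CBC suites and the encrypt_then_mac extension, but cannot tie the two together) can be shown with a small model of the TLS 1.2 server's choice and the client's only remaining option, which is to abort. The following is an added example written for this page; it is not code from the issue or from Mbed TLS, and it does not use the Mbed TLS API. The cipher suite values are the IANA numbers from RFC 5246, RFC 5289 and RFC 7905, the extension type is from RFC 7366, and the server policy (CBC first in its preference list, no EtM support) is a constructed scenario.

```c
/* Model of TLS 1.2 cipher-suite and encrypt-then-MAC negotiation.
 * Added example, not Mbed TLS code: it simulates the server's choice
 * and the client's post-hoc check to show why "CBC only with EtM"
 * cannot be expressed in a ClientHello. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IANA cipher suite identifiers. */
#define TLS_RSA_WITH_AES_128_CBC_SHA                0x002F
#define TLS_RSA_WITH_AES_128_GCM_SHA256             0x009C
#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256       0xC027
#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256       0xC02F
#define TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA8

#define TLS_EXT_ENCRYPT_THEN_MAC 22 /* RFC 7366 extension type */
#define MAX_SUITES 8

struct client_hello {
    uint16_t suites[MAX_SUITES]; /* client preference order */
    size_t n_suites;
    bool offers_etm;             /* encrypt_then_mac extension present */
};

struct server_policy {
    uint16_t prefs[MAX_SUITES];  /* server preference order */
    size_t n_prefs;
    bool supports_etm;           /* server implements RFC 7366 */
};

struct server_hello {
    uint16_t suite;
    bool etm;                    /* extension echoed => EtM in use */
};

/* Only the CBC suites used in this example; a real table is longer. */
static bool suite_is_cbc(uint16_t id)
{
    return id == TLS_RSA_WITH_AES_128_CBC_SHA ||
           id == TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256;
}

static bool client_offers(const struct client_hello *ch, uint16_t id)
{
    for (size_t i = 0; i < ch->n_suites; i++)
        if (ch->suites[i] == id)
            return true;
    return false;
}

/* Server: first suite in its own preference order that the client offered.
 * Whether EtM is echoed depends only on server support; nothing links it
 * to the suite choice, which is the gap the issue describes. */
static bool server_select(const struct client_hello *ch,
                          const struct server_policy *sp,
                          struct server_hello *sh)
{
    for (size_t i = 0; i < sp->n_prefs; i++) {
        if (client_offers(ch, sp->prefs[i])) {
            sh->suite = sp->prefs[i];
            sh->etm = sp->supports_etm && ch->offers_etm;
            return true;
        }
    }
    return false; /* no common suite: handshake_failure */
}

/* Client: after ServerHello the only remedy is to abort. */
static bool client_accepts(const struct client_hello *ch,
                           const struct server_hello *sh)
{
    if (!client_offers(ch, sh->suite))
        return false;                 /* suite we never offered */
    if (sh->etm && !ch->offers_etm)
        return false;                 /* extension we never sent */
    if (suite_is_cbc(sh->suite) && !sh->etm)
        return false;                 /* MAC-then-encrypt CBC: refuse */
    return true;
}

/* Mitigation: do not offer CBC suites at all. Returns suites kept. */
static size_t strip_cbc(uint16_t *suites, size_t n)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (!suite_is_cbc(suites[i]))
            suites[kept++] = suites[i];
    return kept;
}

/* Constructed scenario: client offers AEAD and CBC with EtM; the server
 * prefers CBC, does not implement EtM, but would also accept GCM. */
static bool run_handshake(bool offer_cbc, struct server_hello *sh)
{
    struct client_hello ch = {
        { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
          TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
          TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
          TLS_RSA_WITH_AES_128_CBC_SHA }, 4, true };
    struct server_policy sp = {
        { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 }, 2, false };

    if (!offer_cbc)
        ch.n_suites = strip_cbc(ch.suites, ch.n_suites);
    if (!server_select(&ch, &sp, sh))
        return false;
    return client_accepts(&ch, sh);
}

int main(void)
{
    struct server_hello sh;
    bool ok = run_handshake(true, &sh);
    printf("offer CBC+EtM: suite 0x%04X etm=%d -> %s\n",
           sh.suite, sh.etm, ok ? "accept" : "abort");
    ok = run_handshake(false, &sh);
    printf("offer AEAD only: suite 0x%04X etm=%d -> %s\n",
           sh.suite, sh.etm, ok ? "accept" : "abort");
    return 0;
}
```

With CBC in the offer, the server picks 0xC027 without EtM and the client must abort even though 0xC02F was available to both sides; with CBC stripped from the offer the same server picks 0xC02F and the handshake completes. The check in `client_accepts` is the best a client can do after the fact; removing CBC from the offer is the only way to avoid the failed handshake.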

gilles-peskine-arm commented 1 month ago

CBC cipher suites were relevant for RTE (real-time ethernet) in 2020. Are they still relevant 5 years later?