Support for configurable TLS ciphers

[pbryan]

As various TLS ciphers are phased-out due to recognized and generally accepted weaknesses, it's important to be able to exclude them from the advertised and allowed ciphers during TLS negotiation. It's a common feature in other TLS implementations to configure allowed/disallowed cipher suites; the request here is to allow the same capability in CFSSL.

[fhossain]

Added pull request for implement this https://github.com/cloudflare/cfssl/pull/1024

[Lekensteyn]

If the goal is to ensure more secure ciphers, I don't think that ciphers should become configurable. Instead, only select secure ciphers by. Go does a good job to avoid the worst ciphers (RC4 is disabled by default), but 3DES is still an option.

I think it would be better not to expose the option and instead select a small list of safe ciphers. Ciphers with ECDSA/RSA (to support either certificates), combined with ECDHE only (forward secrecy), and AES128-GCM, AES256-GCM and ChaCha20-Poly1305. TLS 1.3 ciphers are not configurable, so no additional work is needed to limit those.

While reviewing the TLS configuration, the minimum TLS version is already set to 1.2 for the client: https://github.com/cloudflare/cfssl/blob/2001f384ec4fea8e6e648cd89d07bda9bd7568c1/transport/client.go#L91-L98

The minimum TLS version for the server is still TLS v1.0 which should probably be changed to 1.2 by default: https://github.com/cloudflare/cfssl/blob/e04a6ddc69119c6ded64e0f61f76150066040105/cli/config.go#L95

(my personal opinion)

[pbryan]

Changing some of the defaults will help, but I fear it will fall behind various imposed security requirements. With a change like #1024, an organization can constrain what ciphers are available based on their own security requirments.

[fhossain]

Yes, bumping min-tls-version to 1.2 avoids the weaker protocols but even with 1.2 I can see 3DES being an option that we are trying to avoid.

[fhossain]

@Lekensteyn I like the idea of exposing a small set of safe ciphers but it has two problems 1) it breaks the current default, so I am afraid there would be some installation out there that will get negatively affected with upgrade 2) without an option to change the smaller set of ciphers in a configurable way, people affected by 1, would be exposed to a tougher upgrade challenge. Why not make the default secure but allow users to override it with a different setting as it is now in the pull request. The minimum TLS version for the server being TLS v1.0 is actually the golang default. We can change the default in the app as there is a way for apps to lower it if they really needed to.

[jauderho]

I support having a secure default with an override flag to downgrade/enable less secure configs.

[adnankoroth]

Where can I find the current list of ciphers present in the version. Any help would be great.

[nickysemenza]

Where can I find the current list of ciphers present in the version. Any help would be great.

@adnankoroth in the latest version go, for example: https://golang.org/src/crypto/tls/cipher_suites.go