jetty / jetty.project

Eclipse Jetty® - Web Container & Clients - supports HTTP/2, HTTP/1.1, HTTP/1.0, websocket, servlets, and more
https://eclipse.dev/jetty

Investigate if default Cipher Suite should include exclusion for `*_DHE_*` #9534

Open joakime opened 1 year ago

joakime commented 1 year ago

Jetty version(s): Jetty 10 / 11 / 12

Description: The DHE cipher suite is undergoing a series of quick succession insecure declarations and minor fixes (increased bit lengths). Should we include `*_DHE_*` in our default excluded cipher suites?

joakime commented 1 year ago

See https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide#key-exchange

joakime commented 1 year ago

I wonder if the combination of DHE + RSA reduces the key length to unacceptable levels?

joakime commented 1 year ago

Looks like all of the standard OpenJDK 17 Cipher Suites are ...

TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384

The use of DHE is only with DSS or RSA. If we use `*_DHE_*` then the following are excluded.

TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256

If we use `*_DHE_RSA_*` then this smaller list is excluded.

TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Lists from `javax.net.ssl.SSLServerSocketFactory.getDefault().getSupportedCipherSuites()`

joakime commented 1 year ago

The impact on JDK 20 would be ...

| Cipher Suite JDK 20 | `*_DHE_*` | `*_DHE_RSA_*` |
| --- | --- | --- |
| TLS_AES_128_GCM_SHA256 | - | - |
| TLS_AES_256_GCM_SHA384 | - | - |
| TLS_CHACHA20_POLY1305_SHA256 | - | - |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA | :x: | - |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | :x: | - |
| TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | :x: | - |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA | :x: | - |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | :x: | - |
| TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | :x: | - |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA | :x: | :x: |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | :x: | :x: |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | :x: | :x: |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA | :x: | :x: |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | :x: | :x: |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | :x: | :x: |
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | :x: | :x: |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | - | - |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | - | - |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | - | - |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | - | - |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | - | - |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | - | - |
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | - | - |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | - | - |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | - | - |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | - | - |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | - | - |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | - | - |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | - | - |
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | - | - |
| TLS_EMPTY_RENEGOTIATION_INFO_SCSV | - | - |
| TLS_RSA_WITH_AES_128_CBC_SHA | - | - |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | - | - |
| TLS_RSA_WITH_AES_128_GCM_SHA256 | - | - |
| TLS_RSA_WITH_AES_256_CBC_SHA | - | - |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | - | - |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | - | - |
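
An added example (not from the thread or the Jetty code base) that reproduces the comparison above on whatever JDK runs it: it applies the two candidate exclusions to the supported suites and also shows why the underscores in the pattern matter, since a looser `DHE` match would remove the ECDHE suites as well. The regex spellings of the thread's globs and the class name `DheExclusionImpact` are assumptions of this example.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import javax.net.ssl.SSLServerSocketFactory;

// Hypothetical helper class, not part of Jetty.
public class DheExclusionImpact {

    // Returns the suites that the given regex matches, i.e. the ones it would exclude.
    static List<String> excludedBy(String regex, String[] suites) {
        Pattern pattern = Pattern.compile(regex);
        List<String> hit = new ArrayList<>();
        for (String suite : suites) {
            if (pattern.matcher(suite).matches()) {
                hit.add(suite);
            }
        }
        return hit;
    }

    public static void main(String[] args) {
        // Same source as the lists in the thread; the contents vary with the
        // JDK version and its security properties.
        String[] supported = ((SSLServerSocketFactory) SSLServerSocketFactory.getDefault())
                .getSupportedCipherSuites();

        // Glob from the thread -> regex used here (the regex form is an assumption).
        Map<String, String> patterns = new LinkedHashMap<>();
        patterns.put("*_DHE_*", "^.*_DHE_.*$");
        patterns.put("*_DHE_RSA_*", "^.*_DHE_RSA_.*$");
        // Deliberately too loose: without the leading underscore it also hits ECDHE.
        patterns.put("*DHE* (too broad)", "^.*DHE.*$");

        for (Map.Entry<String, String> entry : patterns.entrySet()) {
            List<String> hit = excludedBy(entry.getValue(), supported);
            long ecdhe = hit.stream().filter(s -> s.contains("_ECDHE_")).count();
            System.out.printf("%s -> %d excluded, %d of them ECDHE%n",
                    entry.getKey(), hit.size(), ecdhe);
            hit.forEach(s -> System.out.println("  " + s));
        }
    }
}
```

An ECDHE count above zero for a pattern intended to target only finite-field DHE means the pattern is too wide and would strip the elliptic-curve key exchanges from the server.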