Open rhymeswithmogul opened 3 years ago
tomato42
commented
3 years ago CCM_8 has weak integrity guarantees so we shouldn't enable them by default, those are useful only for specific environments
adding CCM with the full 16 byte tag it probably a good idea
makhomed
commented
3 years ago Related comments from @april about TLS_AES_128_CCM_SHA256 and TLS_AES_128_CCM_8_SHA256 ciphers:
https://github.com/mozilla/ssl-config-generator/issues/124#issuecomment-770002153
It's not generally enabled by default for most systems, and there is not much reason to enable it by default. People whose clients are embedded systems with low-power ICs that lack crypto acceleration will know to enable it on both ends. This is a small enough group of people to not manually discuss it in a document for general purpose servers.
https://github.com/mozilla/ssl-config-generator/issues/124#issuecomment-770007293
We also don't list CCM because we don't want people going out of their way to enable them when they're rarely needed. It's often not easy to do so, and by listing them it makes it seem mandatory.
So, recommending to enable TLS_AES_128_CCM_SHA256 by default in the Mozilla Server Side TLS document and the SSL Configurator is not a good idea.
The AES-CCM ciphers and ciphersuites are missing from the Mozilla Server Side TLS document and the SSL Configurator. This cipher mode was ratified by the IETF in 2012 in RFC 6655, and are included in recent versions of OpenSSL. According to Wikipedia, they may provide better performance on embedded and low-power devices, and the cipher mode is also used in WPA2 CCMP and Bluetooth Low Energy. Despite poor support by web browsers, they are considered safe, and I feel that they should be added to the list of acceptable ciphers.
TLS 1.3 offers these ciphersuites (available in OpenSSL 1.1.1, but disabled by default):
TLS_AES_128_CCM_SHA256TLS_AES_128_CCM_8_SHA256TLS 1.2 offers these ciphers:
TLS_ECDHE_ECDSA_WITH_AES_128_CCMTLS_ECDHE_ECDSA_WITH_AES_128_CCM_8TLS_ECDHE_ECDSA_WITH_AES_256_CCMTLS_ECDHE_ECDSA_WITH_AES_256_CCM_8TLS_DHE_RSA_WITH_AES_128_CCM_8TLS_DHE_RSA_WITH_AES_256_CCM_8TLS_DHE_RSA_WITH_AES_128_CCMTLS_DHE_RSA_WITH_AES_256_CCM