mozilla / ssl-config-generator

Mozilla SSL Configuration Generator
https://ssl-config.mozilla.org/
Mozilla Public License 2.0

RFE: recommend server preference for cipher choice #96

Closed gstrauss closed 4 years ago

gstrauss commented 4 years ago

Configurations should specify that the cipher preferences of the server should be honored. This is a requirement for Perfect Forward Secrecy (PFS) and has been for many, many years.

I see in the configurator template code for Apache, lighttpd, and nginx (and I presume the rest, too) {{#if output.serverPreferredOrder}} but I did not see an option in the GUI to enable serverPreferredOrder, so the setting that is recommended by the configurator is the 'false' case, which is the opposite of what should be recommended.

I would go as far as to suggest that this should not be an option at all, but that server preference for cipher choice should always be recommended by the Mozilla ssl-config-generator.

If there is agreement, I'll put together a pull request which updates the templates. Thanks.

What is Perfect Forward Secrecy? A Guide for 2020 https://www.cloudwards.net/perfect-forward-secrecy/

Enabling Perfect Forward Secrecy https://www.digicert.com/kb/ssl-support/ssl-enabling-perfect-forward-secrecy.htm

Implementing SSL Perfect Forward Secrecy in NGINX Web-Server https://www.howtoforge.com/ssl-perfect-forward-secrecy-in-nginx-webserver

gstrauss commented 4 years ago

Hmmm. It appears that serverPreferredOrder is set to true for "Old", but for some reason was changed to be false for "Intermediate" and "Modern". This appears to be a bug.

gstrauss commented 4 years ago

In docs/guidelines/latest.json (and docs/guidelines/5.4.json and src/static/guidelines/5.4.json): "server_preferred_order": false, should be "server_preferred_order": true, for all configurations: "old", "intermediate", and "modern".

tomato42 commented 4 years ago

it's not a bug, the only ciphersuites left in intermediate and modern are PFS ciphersuites, so there's no need to force server order, any cipher selected will be a secure one

and by not doing that, the server picks the cipher the client prefers the most, usually the fastest one (matters most for mobile where ChaCha20 can be a few times faster than AES-GCM)
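The selection rule described in the comment above, as an added example that is not part of the original thread or of ssl-config-generator: it models how the negotiated suite depends on whose order is honoured, and when that choice can affect forward secrecy. The suite lists are constructed samples using OpenSSL cipher names, not Mozilla's published lists, and the function names are hypothetical.

```python
# Added illustration, not code from ssl-config-generator.
# Suite lists are constructed samples using OpenSSL cipher names; they are
# not Mozilla's published "old" / "intermediate" lists.

def is_forward_secret(suite: str) -> bool:
    """TLS 1.2 suites are forward secret when the key exchange is (EC)DHE;
    every TLS 1.3 suite (TLS_ prefix) uses an ephemeral key exchange."""
    return suite.startswith(("ECDHE-", "DHE-", "TLS_"))

def negotiate(client_prefs, server_prefs, server_preferred_order):
    """Return the suite a server would select, or None if there is no overlap."""
    if server_preferred_order:
        # Walk the server's list, take the first suite the client offered.
        ordered, other = server_prefs, set(client_prefs)
    else:
        # Walk the client's list, take the first suite the server allows.
        ordered, other = client_prefs, set(server_prefs)
    return next((s for s in ordered if s in other), None)

def non_pfs_reachable(server_prefs):
    """Suites without forward secrecy that a client could end up with
    when the server honours the client's order."""
    return [s for s in server_prefs if not is_forward_secret(s)]

# Constructed server lists
ALL_PFS = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
]
MIXED = ALL_PFS + ["AES128-GCM-SHA256", "AES128-SHA"]  # RSA key exchange, no PFS

# Constructed client lists
MOBILE = ["ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256"]
LEGACY = ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    for name, server in (("all-PFS", ALL_PFS), ("mixed", MIXED)):
        for cname, client in (("mobile", MOBILE), ("legacy", LEGACY)):
            for spo in (False, True):
                picked = negotiate(client, server, spo)
                print(f"{name:8} {cname:7} server_preferred_order={spo!s:5} "
                      f"-> {picked} (PFS={is_forward_secret(picked)})")
```

With the all-PFS list every outcome is forward secret regardless of the setting; only the mixed list makes the setting matter for forward secrecy.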

gstrauss commented 4 years ago

Thanks @tomato42. That is useful info. Can this be documented in a comment in the generated configs?

jrchamp commented 4 years ago

It looks like most of the decisions are documented on the website. From the Modern and Intermediate "Rationale" section on https://wiki.mozilla.org/Security/Server_Side_TLS

The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES.

I'm not against adding it to the generated configs, but what separates rationale that should be documented in the configuration and not? Maybe instead, one comment that refers back to the rationale document's home? At least that way, it largely stays up to date.

gstrauss commented 4 years ago

Thank you @jrchamp. On that page, I see for Intermediate and Modern configurations:

Rationale:
    All cipher suites are forward secret and authenticated
    The cipher suites are all strong and so we allow the client to choose, as they will
    know best if they have support for hardware-accelerated AES

Given that, I would like to modify my request:

If someone goes to https://ssl-config.mozilla.org/ there is no indication that "Server Side TLS guidelines" is directly relevant to the contents of the main body of the page. "Server Side TLS guidelines" is linked in the footer of the page under "Resources", below other generic links.

april commented 4 years ago

Configuration files are not the place for rationales. I totally get not immediately understanding why a decision was made, but adding comments like this would balloon config files and most people would not want them.