tatsuhiro-t / spdylay

The experimental SPDY protocol version 2, 3 and 3.1 implementation in C
http://tatsuhiro-t.github.io/spdylay/
MIT License

ECDHE cipher support #80

Closed moparisthebest closed 10 years ago

moparisthebest commented 10 years ago

I admit I'm no expert on SSL topics, but I'm trying to enable forward secrecy on my website by preferring ECDHE ciphers, honor-cipher-order=yes and no matter if my ciphers are set to any of the following, I still only show the same list of ciphers offered to the client, while all but the first one should show many ECDHE ciphers as well, right?

#ciphers=ECDHE-RSA-AES256-SHA384 AES256-SHA256 RC4 HIGH !MD5 !aNULL !eNULL !3DES !EDH !AESGCM
# for forward secrecy $ openssl ciphers | tr ':' '\n' | grep ECDHE | grep RSA | tr '\n' ' '
#ciphers=ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-RC4-SHA AES256-SHA256 RC4 HIGH !MD5 !aNULL !eNULL !3DES !EDH !AESGCM
ciphers=ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-RC4-SHA AES256-SHA256 RC4 HIGH !MD5 !aNULL !eNULL
# https://raymii.org/s/tutorials/Pass_the_SSL_Labs_Test_on_Lighttpd_%28Mitigate_the_CRIME_and_BEAST_attack_-_Disable_SSLv2_-_Enable_PFS%29.html
#ciphers=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:RC4-SHA:ECDHE-RSA-AES256-SHA

The server is an up-to-date Ubuntu 12.04 Precise, with the same results for shrpx 0.3.8 and the current commit in git, freshly compiled. My OpenSSL supports these just fine:

# openssl ciphers 'ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-RC4-SHA AES256-SHA256 RC4 HIGH !MD5 !aNULL !eNULL !3DES !EDH !AESGCM'
ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-RC4-SHA:AES256-SHA256:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:PSK-RC4-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA

Which is what ciphers is currently set to, but you can see no ECDHE ciphers are offered to the client: https://www.ssllabs.com/ssltest/analyze.html?d=moparisthebest.com whereas other websites do show it: https://www.ssllabs.com/ssltest/analyze.html?d=fastmail.fm https://www.ssllabs.com/ssltest/analyze.html?d=google.com

I do notice lighttpd has ssl config options like dh-file and ec-curve, maybe shrpx needs them too? http://redmine.lighttpd.net/projects/lighttpd/wiki/docs_ssl

Honestly, I'm not 100% sure if this is an issue with Ubuntu 12.04, spdylay, my keys/certificates, or what else the issue could be, but I think it's probably spdylay.

Any ideas?

tatsuhiro-t commented 10 years ago

Yes, this is a spdylay issue. We have to explicitly enable ECDHE ciphers by specifying a curve name. I'm also new to this. I'll do some research.

moparisthebest commented 10 years ago

Well it's good to know this is a spdylay issue and that it can be solved! From the lighttpd documentation I linked to, I see this option:

ssl.ec-curve defines the set of elliptic-curve-cryptography domain parameters known as a "named curve" (lighttpd >= 1.4.29 only)

So is that the option we need in spdylay? If so we could probably look at the lighttpd code for the right thing to do with it?

tatsuhiro-t commented 10 years ago

For completeness, the option is desired. Commit 6a413e5 adds ECDH cipher support, and its elliptic curve is hard-coded to P-256 for now, which works just fine today.

moparisthebest commented 10 years ago

Excellent, and somewhat of a success, ECDHE ciphers are supported, here is my current cipher list:

ciphers=ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-RC4-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-SEED-SHA DHE-RSA-CAMELLIA128-SHA AES256-SHA256 RC4 HIGH !MD5 !aNULL !eNULL

However, as you can see here: https://www.ssllabs.com/ssltest/analyze.html?d=moparisthebest.com

None of the DHE ciphers are supported, I'm thinking it needs some more parameters to support this perhaps like lighttpd's dh-file? Currently lack of DHE ciphers is the only difference between my configuration and this one: https://www.ssllabs.com/ssltest/analyze.html?d=fastmail.fm&s=66.111.4.55

And it looks like there are still a decent number of browsers that would take DHE over RC4 if it was available, but can't take ECDHE. Any thoughts?

tatsuhiro-t commented 10 years ago

Well, I thought you wanted ECDHE. And yes, for DHE we need additional parameters. It seems google.com has this trend too.

moparisthebest commented 10 years ago

You definitely added ECDHE cipher support, which is indeed what I created this for. I didn't realize DHE was all that different until I ran it though, sorry about that. Would you rather I create a new issue or just keep this one?

tatsuhiro-t commented 10 years ago

I acknowledged the DHE support request, so just keep this issue open.

tatsuhiro-t commented 10 years ago

OK, DHE cipher suites support added in 3843312. Please read the commit message to know how to use it.

moparisthebest commented 10 years ago

Awesome, DHE ciphers are now supported as well, which when used in combination with ECDHE ciphers allows users of shrpx to provide forward secrecy to every client that currently supports forward secrecy:

https://www.ssllabs.com/ssltest/analyze.html?d=moparisthebest.com

For anyone interested I created the dhparams.pem file just as the commit message mentioned, and my ciphers list looks like this:

ciphers=ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-RC4-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-SEED-SHA DHE-RSA-CAMELLIA128-SHA AES256-SHA256 RC4 HIGH !MD5 !aNULL !eNULL

As far as the rating goes, it did drop my 'key exchange' rating down from 100 to 80, though I'm not sure why yet.

As far as I'm concerned this issue is resolved, thanks much!

tatsuhiro-t commented 10 years ago

It seems that ssllabs checks the key size used in key agreement. With 1024-bit DH parameters, the DH key size is also 1024 bits. Without DHE-RSA, your 4096-bit server public key gets the highest rating, but with DHE-RSA, the key size is down to 1024, hence the lower rating.