I'm running a server that requires a blacklist of weak cipher suites.
So which of the following are weak? http://java.sun.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
+4
A:
Why do you need to exclude the bad ones? Why not only include the good ones?
For starters, I'd follow the NSA Suite B guidelines, specifically RFC 5430
Kevin
2010-02-10 15:49:19
@John Smith: agreeing with Kevin here. For anything related to security, disable everything by default and then whitelist what you want to allow. That's how good firewall are configured too: deny everything by default, "whitelist" authorized traffic.
Webinator
2010-02-10 15:51:57
Jetty uses a black list up until version 6.1.21 so I'm stuck for now lol
John Smith
2010-02-10 15:54:57
@John We get around that by overriding the SslSocketConnector#createFactory() method to provide a pre-configured SSLServerSocketFactory that will create sockets with the correct cipher suites enabled on them.
Kevin
2010-02-10 15:58:38
I know but I can't change that right now so it's all good. If I understand the RFC correctly the only two viable cipher suites supported by JAVA are: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
John Smith
2010-02-10 16:06:59
You can get the default listing of enabled cipher suites from here. Anything that is in there but not in RFC 5430 can be considered "weak" I suppose: http://java.sun.com/javase/6/docs/api/javax/net/ssl/SSLServerSocketFactory.html#getDefaultCipherSuites%28%29
Kevin
2010-02-10 16:10:20
http://java.sun.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider <-- Here is the list. Basically 2 cipher suites are considered strong.
John Smith
2010-02-10 16:13:55
+2
A:
Blacklist
I think the anonymous modes are unequivocally useless:
SSL_DH_anon_WITH_RC4_128_MD5TLS_DH_anon_WITH_AES_128_CBC_SHATLS_DH_anon_WITH_AES_256_CBC_SHASSL_DH_anon_WITH_3DES_EDE_CBC_SHASSL_DH_anon_WITH_DES_CBC_SHATLS_ECDH_anon_WITH_RC4_128_SHATLS_ECDH_anon_WITH_AES_128_CBC_SHATLS_ECDH_anon_WITH_AES_256_CBC_SHATLS_ECDH_anon_WITH_3DES_EDE_CBC_SHASSL_DH_anon_EXPORT_WITH_RC4_40_MD5SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHATLS_ECDH_anon_WITH_NULL_SHA
As are the deliberately hobbled "export" suites:
SSL_RSA_EXPORT_WITH_RC4_40_MD5SSL_RSA_EXPORT_WITH_DES40_CBC_SHASSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHASSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHATLS_KRB5_EXPORT_WITH_RC4_40_SHATLS_KRB5_EXPORT_WITH_RC4_40_MD5TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHATLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
I assume you want encryption, which rules out the "null" cipher:
SSL_RSA_WITH_NULL_MD5SSL_RSA_WITH_NULL_SHATLS_ECDH_ECDSA_WITH_NULL_SHATLS_ECDH_RSA_WITH_NULL_SHATLS_ECDHE_ECDSA_WITH_NULL_SHATLS_ECDHE_RSA_WITH_NULL_SHA
I don't think the HMAC algorithm allows the known weaknesses of MD5 to be exploited, but when in doubt, throw it out:
SSL_RSA_WITH_RC4_128_MD5TLS_KRB5_WITH_RC4_128_MD5TLS_KRB5_WITH_3DES_EDE_CBC_MD5TLS_KRB5_WITH_DES_CBC_MD5
Key size for the DES is too small:
SSL_RSA_WITH_DES_CBC_SHASSL_DHE_RSA_WITH_DES_CBC_SHASSL_DHE_DSS_WITH_DES_CBC_SHATLS_KRB5_WITH_DES_CBC_SHA
The Kerberos exchange is only applicable if you are running Kerberos, which is unlikely, and you would know it if you were:
TLS_KRB5_WITH_RC4_128_SHATLS_KRB5_WITH_3DES_EDE_CBC_SHA
I usually throw out RC4, just because it isn't necessary, but this one is debatable.
SSL_RSA_WITH_RC4_128_SHATLS_ECDH_ECDSA_WITH_RC4_128_SHATLS_ECDH_RSA_WITH_RC4_128_SHATLS_ECDHE_ECDSA_WITH_RC4_128_SHATLS_ECDHE_RSA_WITH_RC4_128_SHA
The AES is strong enough with 128-bit keys, and there are some results against 256-bit keys that could be extended in the future:
TLS_RSA_WITH_AES_256_CBC_SHATLS_ECDH_ECDSA_WITH_AES_256_CBC_SHATLS_ECDH_RSA_WITH_AES_256_CBC_SHATLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHATLS_ECDHE_RSA_WITH_AES_256_CBC_SHATLS_DHE_RSA_WITH_AES_256_CBC_SHATLS_DHE_DSS_WITH_AES_256_CBC_SHA
Elliptical Curve algorithms might be the best key agreement there is, but unfortunately, putting them into practice is difficult. Interoperability problems around named curve support in Java are common, and real CA's are not yet issuing EC certs. So, sadly, the EC algorithms aren't easily implemented yet:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHATLS_ECDHE_RSA_WITH_AES_128_CBC_SHATLS_ECDH_ECDSA_WITH_AES_128_CBC_SHATLS_ECDH_RSA_WITH_AES_128_CBC_SHATLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHATLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHATLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHATLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Whitelist
Are you sure that Jetty doesn't support a white list? That is different from every other SSL setup I've seen. Usually, not only do you provide a whitelist, but the list is ordered, with the most preferred algorithms first. You likely have an RSA certificate, in which case I'd order the residue like this:
TLS_DHE_RSA_WITH_AES_128_CBC_SHASSL_DHE_RSA_WITH_3DES_EDE_CBC_SHATLS_RSA_WITH_AES_128_CBC_SHASSL_RSA_WITH_3DES_EDE_CBC_SHA
If you have a DSA certificate, the list would look like this:
TLS_DHE_DSS_WITH_AES_128_CBC_SHASSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
erickson
2010-02-10 16:49:32
A:
Pretty sure Jetty is blacklist.
http://docs.codehaus.org/display/JETTY/SSL+Cipher+Suites http://jira.codehaus.org/browse/JETTY-1164 <-- I'm using slightly older version lol
Anyways my issue is solved. Thanks
John Smith
2010-02-12 14:54:15