reevaluate SSL/TLS cipher suite preference order

RESOLVED FIXED in 3.4

Status

P1
normal
RESOLVED FIXED
17 years ago
17 years ago

People

(Reporter: nelson, Assigned: nelson)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

With the recent introduction in NSS 3.3 of 5 new ciphersuites using the DHE
key exchange algorithm (KEA) and the forthcoming introduction in NSS 3.4 
of 6 ciphersuites that use the new AES block cipher, it is time to revisit 
the order of preference of the ciphersuites.  The preference order shown 
below is the one I propose to use in NSS 3.4.

The list below is intended to reflect these priorities:

1. SSL3/TLS suites all come before any SSL2 suites, because no SSL2 suite 
   is chosen unless SSL3 and TLS are disabled.

2. Ciphersuites are grouped in order by descending strength of the bulk 
   cipher, with 3-key triple-DES treated as having 112-bit cipher strength.
   Note that some bulk ciphers appear in more than one group, e.g., RC4 is
   used with 128-bit, 56-bit, and 40-bit keys.

3. Among groups of the same strength, preference is given by the key 
   exchange algorithm (KEA) used in this order:  
        Fortezza KEA (combines DH and DHE),
        DHE (both DHE_RSA & DHE_DSS), 
        RSA (domestic - public key size unlimited)
        RSA (export - 1024 bit public key limit)
        RSA (export -  512 bit public key limit)

4. Among suites with the same block cipher strength and the same KEA, 
   preference is given in this order:
        RC4, AES, DES, RC2
   (These may appear in the same group because of 56-bit or 40-bit export
    key exchange)

5. Among suites with the same block cipher strength, KEA and block cipher,
   that differ by server authentication algorithm, (e.g. DHE_RSA and 
   DHE_DSS), preference is given to RSA authentication before DSS auth.

6. The two special "FIPS" SSL3 ciphersuites are each given immediate 
   preference to their non-FIPS SSL3 equivalents.

/* 256-bit */
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,

/* 128-bit */
SSL_FORTEZZA_DMS_WITH_RC4_128_SHA,
TLS_DHE_DSS_WITH_RC4_128_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_RC4_128_MD5,
SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,

/* 112-bit 3-key 3DES */
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA,

/* 80 bit skipjack */
SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, /* KEA + SkipJack */

/* 56-bit DES "domestic" DES cipher suites */
SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA,
SSL_RSA_FIPS_WITH_DES_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA,

/* 56-bit export ciphersuites with 1024-bit public key exchange keys */
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,

/* 40-bit export ciphersuites with 512-bit public key exchange keys */
SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,

/* ciphersuites with no encryption */
SSL_FORTEZZA_DMS_WITH_NULL_SHA,
SSL_RSA_WITH_NULL_MD5,

/* SSL2 cipher suites. */
SSL_EN_RC4_128_WITH_MD5,
SSL_EN_RC2_128_CBC_WITH_MD5,
SSL_EN_DES_192_EDE3_CBC_WITH_MD5,  
SSL_EN_DES_64_CBC_WITH_MD5,
SSL_EN_RC4_128_EXPORT40_WITH_MD5,
SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5,
(Assignee)

Comment 1

17 years ago
The order cited above is now checked in on the trunk. 
Status: NEW → RESOLVED
Last Resolved: 17 years ago
Priority: -- → P1
Resolution: --- → FIXED
Target Milestone: --- → 3.4
You need to log in before you can comment on or make changes to this bug.