Closed Bug 1244752 Opened 9 years ago Closed 9 years ago

better support for diverse ciphers including AES_256_GCM_SHA384

Categories

(Core :: Security: PSM, defect)

44 Branch
x86
Linux
defect
Not set
normal

RESOLVED DUPLICATE of bug 975832

People

(Reporter: estellnb, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Build ID: 20160126104524

Steps to reproduce:

Visit a web service of the following server: eight.alfahosting-server.de

Actual results:

Encryption fell back to AES_256_CBC_SHA.

Expected results:

As viewable via https://www.ssllabs.com/ssltest/analyze.html?d=eight.alfahosting-server.de this server supports TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. I would expect this cipher to be used instead as CBC is known to be unsafe especially in combination with AES_256. Additionally using SHA1 instead of SHA256/384 would be highly recommended.

I believe the user should be warned when no state-of-the-art encryption can be negotiated for SSL; this would comprise use of CBC, SHA1 and DHE instead of ECDHE (according to https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH); possibly there is even an issue about AES_256 as the AES algorithm has primarily been designed for a key length of 128:

http://www.heise.de/security/meldung/Einschlaege-bei-AES-256-kommen-naeher-749257.html
http://www.jakoblell.com/blog/2013/12/22/practical-malleability-attack-against-cbc-encrypted-luks-partitions/

As weak encryption is still better than no encryption, it seems unreasonable to me to pester the user with a popup in this case. Nonetheless, I could imagine the lock in the address bar being displayed either in green, yellow, orange or red.

OS: Unspecified → Linux
Hardware: Unspecified → x86
Component: Untriaged → Security: PSM
Product: Firefox → Core
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE