Closed Bug 1342272 Opened 9 years ago Closed 9 years ago

TLS 1.3 non FS cipher prefered

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Version:
52 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: sivmu, Unassigned, NeedInfo)

Details

User Agent: Mozilla/5.0 (compatible) Build ID: 20170223030204 Actual results: When Using TLS 1.3 (or firefox 54 nightly), some non forward security ciphers are prefered during negotiation as shown here: https://www.ssllabs.com/ssltest/viewMyClient.html Expected results: Ciphers without forware security should only be chosen last.
Version: 54 Branch → 52 Branch
Component: Untriaged → Security: PSM
Product: Firefox → Core
This is the list I'm seeing: TLS_AES_128_GCM_SHA256 (0x1301) Forward Secrecy 128 TLS_CHACHA20_POLY1305_SHA256 (0x1303) Forward Secrecy 256 TLS_AES_256_GCM_SHA384 (0x1302) Forward Secrecy 256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Forward Secrecy 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Forward Secrecy 128 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9) Forward Secrecy 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) Forward Secrecy 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) Forward Secrecy 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) Forward Secrecy 256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Forward Secrecy 128 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Forward Secrecy 256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) Forward Secrecy 128 TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) Forward Secrecy 256 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112 As far as I can tell, all forward secrecy cipher suites are preferred over non-forward secrecy ones. Are you getting different results?
Flags: needinfo?(sivmu)
TLS_AES_128_GCM_SHA256 (0x1301) Forward Secrecy 128 TLS_CHACHA20_POLY1305_SHA256 (0x1303) Forward Secrecy 256 TLS_AES_256_GCM_SHA384 (0x1302) Forward Secrecy 256 Those are marked as forward secrecy but according to the Calomel SSL Validation add on they are not. And I also see no information about a key exchange algorithm, therefore assuming they use the server rsa key without forward security.
(In reply to sivmu from comment #2) > TLS_AES_128_GCM_SHA256 (0x1301) Forward Secrecy 128 > TLS_CHACHA20_POLY1305_SHA256 (0x1303) Forward Secrecy 256 > TLS_AES_256_GCM_SHA384 (0x1302) Forward Secrecy 256 > > Those are marked as forward secrecy but according to the Calomel SSL > Validation add on they are not. It's just Calomel SSL Validation is out of date. Please contact the add-on author. > And I also see no information about a key > exchange algorithm, therefore assuming they use the server rsa key without > forward security. TLS 1.3 does not negotiate a key exchange algorithm using cipher suites. The key exchange algorithm is negotiated separately. Also, TLS 1.3 only supports key exchange algorithms that are forward secret (ECDHE and FFDHE).
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
Thanks for the info and sorrz for the false alarm. I kinda expected the kez exchange algo to be listed anyway. How can I figure out what key exchange algorithm is used with TLS 1.3?
Currently we have no UI. Bug 1304923 tracks the UI support.
With TLS 1.3 enabled, I see TLS_AES_128_GCM_SHA256 (0x1301) Forward Secrecy 128 TLS_CHACHA20_POLY1305_SHA256 (0x1303) Forward Secrecy 256 TLS_AES_256_GCM_SHA384 (0x1302) Forward Secrecy 256 at the top with it disabled, these three ciphers are also disabled. Why is that?
Because those cipher suites are dedicated to TLS 1.3. And please ask such questions in a support forum, not here.
You need to log in before you can comment on or make changes to this bug.