Last Comment Bug 792681 - Change the SSL cipher suites enabled by default
: Change the SSL cipher suites enabled by default
Product: NSS
Classification: Components
Component: Libraries (show other bugs)
: trunk
: All All
: P2 minor (vote)
: 3.14
Assigned To: Wan-Teh Chang
Depends on:
  Show dependency treegraph
Reported: 2012-09-19 23:23 PDT by Wan-Teh Chang
Modified: 2012-09-26 06:06 PDT (History)
2 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---

Proposed patch (5.00 KB, patch)
2012-09-19 23:23 PDT, Wan-Teh Chang
rrelyea: review+
Details | Diff | Splinter Review

Description User image Wan-Teh Chang 2012-09-19 23:23:50 PDT
Created attachment 662823 [details] [diff] [review]
Proposed patch

The proposed patch does the following:

1. Disable all the export cipher suites by default.

2. Disable all the DES cipher suites by default.

3. Disable the RSA_FIPS cipher suites by default.

4. Enable all the non-ECC Triple DES cipher suites by default.

5. Enable all the non-ECC AES cipher suites by default.

6. Enable SSL_RSA_WITH_RC4_128_SHA and SSL_RSA_WITH_RC4_128_MD5
   by default.

Before this patch, our default cipher suite list in ClientHello is:

            cipher_suites[9] = {
                (0x0004) SSL3/RSA/RC4-128/MD5
                (0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
                (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
                (0xfefe) SSL3/RSA-FIPS/DES-CBC/SHA
                (0x0009) SSL3/RSA/DES56-CBC/SHA
                (0x0064) TLS/RSA-EXPORT1024/RC4-56/SHA
                (0x0062) TLS/RSA-EXPORT1024/DES56-CBC/SHA
                (0x0003) SSL3/RSA/RC4-40/MD5
                (0x0006) SSL3/RSA/RC2CBC40/MD5

With this patch, our default cipher suite list in ClientHello becomes:

            cipher_suites[11] = {
                (0x0039) TLS/DHE-RSA/AES256-CBC/SHA
                (0x0038) TLS/DHE-DSS/AES256-CBC/SHA
                (0x0035) TLS/RSA/AES256-CBC/SHA
                (0x0033) TLS/DHE-RSA/AES128-CBC/SHA
                (0x0032) TLS/DHE-DSS/AES128-CBC/SHA
                (0x0005) SSL3/RSA/RC4-128/SHA
                (0x0004) SSL3/RSA/RC4-128/MD5
                (0x002f) TLS/RSA/AES128-CBC/SHA
                (0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
                (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
                (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
Comment 1 User image Wan-Teh Chang 2012-09-19 23:25:26 PDT
This is the change that we have considered before, for example, in
bug 593080 comment 1.
Comment 2 User image Wan-Teh Chang 2012-09-19 23:39:21 PDT
Criteria I used:

1. Weak cipher suites and the nonstandard RSA_FIPS cipher
suites are disabled by default.

2. The mandatory cipher suites in TLS 1.0, 1.1, and 1.2
are enabled by default. Note: the mandatory cipher suite
in TLS 1.0 was selected to avoid the RSA patent. It is
rarely used in practice.

3. The cipher suites recommended in NIST SP 800-52 are
enabled by default. Note: SP 800-52 was published in
2005, so it is a little out of date. It predated the
availability of ECC cipher suites.

Changes I did not attempt in this patch:

1. ECC cipher suites.

2. Cipher suite reordering: list AES cipher suites before
Camellia and SEED cipher suites.
Comment 3 User image Robert Relyea 2012-09-24 15:08:36 PDT
Comment on attachment 662823 [details] [diff] [review]
Proposed patch

r+ rrelyea
Comment 4 User image Wan-Teh Chang 2012-09-24 17:31:29 PDT
Bob: thanks for the review. Last Friday night I looked into changing
the order of our cipher suites because it cannot be controlled by the
applications. Unfortunately I realized that NSS-based SSL servers can
only select the first supported cipher suite offered by an SSL client.
So our current cipher suite order is necessary for NSS-based SSL servers
to choose a "national" cipher suite without disabling the AES cipher

So, until we add a feature for an NSS-based SSL server to specify its
own cipher suite preference, we can't change the cipher suite order :-(

Patch checked in on the NSS trunk (NSS 3.14).

Checking in ssl3con.c;
/cvsroot/mozilla/security/nss/lib/ssl/ssl3con.c,v  <--  ssl3con.c
new revision: 1.189; previous revision: 1.188

Note You need to log in before you can comment on or make changes to this bug.