Closed Bug 792681 Opened 12 years ago Closed 12 years ago

Change the SSL cipher suites enabled by default

Categories

(NSS :: Libraries, defect, P2)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: wtc, Assigned: wtc)

Details

Attachments

(1 file)

Attached patch Proposed patchSplinter Review
The proposed patch does the following:

1. Disable all the export cipher suites by default.

2. Disable all the DES cipher suites by default.

3. Disable the RSA_FIPS cipher suites by default.

4. Enable all the non-ECC Triple DES cipher suites by default.

5. Enable all the non-ECC AES cipher suites by default.

6. Enable SSL_RSA_WITH_RC4_128_SHA and SSL_RSA_WITH_RC4_128_MD5
   by default.

Before this patch, our default cipher suite list in ClientHello is:

            cipher_suites[9] = {
                (0x0004) SSL3/RSA/RC4-128/MD5
                (0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
                (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
                (0xfefe) SSL3/RSA-FIPS/DES-CBC/SHA
                (0x0009) SSL3/RSA/DES56-CBC/SHA
                (0x0064) TLS/RSA-EXPORT1024/RC4-56/SHA
                (0x0062) TLS/RSA-EXPORT1024/DES56-CBC/SHA
                (0x0003) SSL3/RSA/RC4-40/MD5
                (0x0006) SSL3/RSA/RC2CBC40/MD5
            }

With this patch, our default cipher suite list in ClientHello becomes:

            cipher_suites[11] = {
                (0x0039) TLS/DHE-RSA/AES256-CBC/SHA
                (0x0038) TLS/DHE-DSS/AES256-CBC/SHA
                (0x0035) TLS/RSA/AES256-CBC/SHA
                (0x0033) TLS/DHE-RSA/AES128-CBC/SHA
                (0x0032) TLS/DHE-DSS/AES128-CBC/SHA
                (0x0005) SSL3/RSA/RC4-128/SHA
                (0x0004) SSL3/RSA/RC4-128/MD5
                (0x002f) TLS/RSA/AES128-CBC/SHA
                (0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
                (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
                (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
            }
Attachment #662823 - Flags: review?(rrelyea)
This is the change that we have considered before, for example, in
bug 593080 comment 1.
Criteria I used:

1. Weak cipher suites and the nonstandard RSA_FIPS cipher
suites are disabled by default.

2. The mandatory cipher suites in TLS 1.0, 1.1, and 1.2
are enabled by default. Note: the mandatory cipher suite
in TLS 1.0 was selected to avoid the RSA patent. It is
rarely used in practice.

3. The cipher suites recommended in NIST SP 800-52 are
enabled by default. Note: SP 800-52 was published in
2005, so it is a little out of date. It predated the
availability of ECC cipher suites.

Changes I did not attempt in this patch:

1. ECC cipher suites.

2. Cipher suite reordering: list AES cipher suites before
Camellia and SEED cipher suites.
Comment on attachment 662823 [details] [diff] [review]
Proposed patch

r+ rrelyea
Attachment #662823 - Flags: review?(rrelyea) → review+
Bob: thanks for the review. Last Friday night I looked into changing
the order of our cipher suites because it cannot be controlled by the
applications. Unfortunately I realized that NSS-based SSL servers can
only select the first supported cipher suite offered by an SSL client.
So our current cipher suite order is necessary for NSS-based SSL servers
to choose a "national" cipher suite without disabling the AES cipher
suites.

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ssl/sslenum.c&rev=1.19&mark=19-22#13

So, until we add a feature for an NSS-based SSL server to specify its
own cipher suite preference, we can't change the cipher suite order :-(

Patch checked in on the NSS trunk (NSS 3.14).

Checking in ssl3con.c;
/cvsroot/mozilla/security/nss/lib/ssl/ssl3con.c,v  <--  ssl3con.c
new revision: 1.189; previous revision: 1.188
done
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.