[Openstack-security] [Bug 1243534] [NEW] contradiction on default cryptography ciphers

Jeffrey Walton noloader at gmail.com
Sat Jan 4 19:34:44 UTC 2014


> Chapter 15: 'ciphers = "HIGH:!aNULL:!eNULL:!DES:!3DES"'
The simplest string to use would probably be:

    "HIGH:!RC4:!MD5:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM"

RC4 is not appropriate for use in TLS. See "On the Security of RC4 in
TLS and WPA", cr.yp.to/streamciphers/rc4biases-20130708.pdf.

MD5 is not appropriate for use in TLS if not used as a PRF. It's OK to
use it in the PRF, but it should not be used in MACs and signatures.

2-key TDEA (TDEA) provides 80 bits of security (RSA 1024 equivalent)
and should no longer be used. 3-key TDEA (TDEA) provides 112 bits of
security (RSA 2048 equivalent) and is OK for use. SSL/TLS uses the
latter and requires 24 bytes of key material (that's the 3-key
variant), so 3DES is OK. See RFC 2246 and friends.

If you want to ensure the ephemeral key exchanges are preferred over
RSA transport, then the following might be appropriate (ephemeral key
exchanges provide forward secrecy):

    "kEECDH:kEDH:kRSA:HIGH:!RC4:!MD5:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM"

Protocols are still an open question since they get enabled/disabled
through SSL_CTX_set_options. SSLv2 must be disabled, and SSLv3 should
be disabled.

Jeff

On Thu, Dec 19, 2013 at 9:08 PM, Launchpad Bug Tracker
<1243534 at bugs.launchpad.net> wrote:
> Tom Fifield (fifieldt) has assigned this bug to you for openstack-manuals:
>
> Chapter 13: 'As this book does not intend to be a thorough reference on
> cryptography we do not wish to be prescriptive about what specific
> algorithms or cipher modes you should enable or disable in your
> OpenStack services.'
>
> Chapter 15: 'ciphers = "HIGH:!aNULL:!eNULL:!DES:!3DES"'
>
>
> -----------------------------------
> Built: 2013-10-22T21:22:10 00:00
> git SHA: 72ee6fa1cfcd6a1ae2d86d78a6ac3f8709f5aaf4
> URL: http://docs.openstack.org/security-guide/content/ch017_threat-models-confidence-and-confidentiality.html
> source File: file:/home/jenkins/workspace/openstack-security-guide/doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml
> xml:id: ch017_threat-models-confidence-and-confidentiality
>
> ** Affects: openstack-manuals
>      Importance: Low
>      Assignee: OpenStack Security Group (openstack-ossg)
>          Status: Confirmed
>
>
> ** Tags: sec-guide
> --
> contradiction on default cryptography ciphers
> https://bugs.launchpad.net/bugs/1243534
> You received this bug notification because you are a member of OpenStack Security Group, which is a bug assignee.
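The two cipher strings proposed in the message above can be checked mechanically rather than by reading the OpenSSL cipher-list grammar. The following is an added example, not code from the message or from the OpenStack security guide; it uses Python's ssl module, which wraps SSL_CTX_set_cipher_list, SSL_get_ciphers and SSL_CTX_set_options, so the expansion reflects whichever OpenSSL build Python is linked against. The function names, the BOOK constant (the guide's current string quoted in the bug) and the FORBIDDEN token list are this example's own assumptions.

```python
import ssl

# Cipher strings quoted in the thread: the guide's current setting, and the
# two proposed replacements (plain, and with ephemeral key exchange preferred).
BOOK = "HIGH:!aNULL:!eNULL:!DES:!3DES"
BASIC = "HIGH:!RC4:!MD5:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM"
FORWARD_SECRECY_FIRST = "kEECDH:kEDH:kRSA:HIGH:!RC4:!MD5:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM"

# Tokens that must not appear in a selected suite's name (assumed list):
# RC4 and MD5-based MACs per the message, NULL covers aNULL/eNULL, EXP covers
# export-grade suites.
FORBIDDEN = ("RC4", "MD5", "NULL", "EXP")


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string into the suites it actually selects.

    TLS 1.3 suites are configured separately (SSL_CTX_set_ciphersuites) and
    always listed first, so they are dropped: the cipher string does not
    control them and they would distort the ordering checks below.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def forbidden_suites(cipher_string):
    """Names of selected suites that still use RC4, MD5, NULL or export crypto."""
    return [c["name"] for c in expand_cipher_string(cipher_string)
            if any(token in c["name"] for token in FORBIDDEN)]


def kx_order(cipher_string):
    """Key-exchange method of each selected suite, in server preference order.

    Parsed from the SSL_CIPHER_description() text ("Kx=ECDH", "Kx=DH",
    "Kx=RSA"); the trailing space keeps PSK hybrids (ECDHEPSK, DHEPSK,
    RSAPSK) out of the three ordinary buckets.
    """
    order = []
    for c in expand_cipher_string(cipher_string):
        desc = c["description"]
        if "Kx=ECDH " in desc:
            order.append("ECDHE")
        elif "Kx=DH " in desc:
            order.append("DHE")
        elif "Kx=RSA " in desc:
            order.append("RSA")
        else:
            order.append("other")
    return order


def prefers_forward_secrecy(cipher_string):
    """True if every static-RSA suite is ranked after every ECDHE/DHE suite."""
    order = kx_order(cipher_string)
    if "RSA" not in order:
        return True
    tail = order[order.index("RSA"):]
    return all(kx not in ("ECDHE", "DHE") for kx in tail)


def harden_context(cipher_string):
    """Build a context with the cipher string applied and SSLv2/SSLv3 off.

    OP_NO_SSLv2/OP_NO_SSLv3 are the Python names for the SSL_CTX_set_options
    flags the message refers to (OpenSSL 1.1+ has no SSLv2 code, so that bit
    is zero there; the SSLv3 bit is still meaningful).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    return ctx


if __name__ == "__main__":
    for s in (BOOK, BASIC, FORWARD_SECRECY_FIRST):
        suites = expand_cipher_string(s)
        print(s)
        print(f"  {len(suites)} suites, forbidden={forbidden_suites(s)}, "
              f"forward-secrecy-first={prefers_forward_secrecy(s)}")
        print("  first three:", ", ".join(c["name"] for c in suites[:3]))
```

Running it prints, for each string, how many suites it selects on the local OpenSSL, which of them still match a forbidden token, and whether static-RSA key transport has been pushed behind the ephemeral exchanges; on an old OpenSSL 1.0.x build the guide's BOOK string is where RC4 and MD5 suites would show up, since HIGH alone does not exclude them there.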