Is cipher name order important in TIdServerIOHandlerSSLOpenSSL.SSLOptions.CipherList?

I restrict ciphers so that my web service only allows these TLS 1.x ciphers:

<s> TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_IDEA_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
</s>

Update in response to Dave Thompson's comment:

Now I take the ciphers created from this SO answer, in that order.
Since we are currently using Delphi XE2 / Indy 10.5.8.0 / OpenSSL 1.0.2f, I do not use ECDHE ciphers, which are too cumbersome to implement with these software versions.
In addition, we still enable TLS 1.0.
After updating to Delphi Seattle 10, we will disable TLS 1.0 and return the ECDHE ciphers.

This leaves:

TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc15)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (0xc4)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)

Converted to OpenSSL names (according to the OpenSSL cipher name mapping for RFC names):

 DHE-RSA-CHACHA20-POLY1305
 DHE-RSA-AES256-GCM-SHA384
 DHE-RSA-AES128-GCM-SHA256
 DHE-RSA-AES256-SHA256
 DHE-RSA-AES128-SHA256
 - cannot find the equivalent for 0xc4 - anyone? -
 DHE-RSA-AES256-SHA
 DHE-RSA-AES128-SHA
 DHE-RSA-CAMELLIA256-SHA
 DHE-RSA-CAMELLIA128-SHA256

The order in which the server offers ciphers is important, but can I control this order? CipherList is a string property containing these names combined with '+':

 TIdServerIOHandlerSSLOpenSSL.SSLOptions.CipherList := 'DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CAMELLIA128-SHA256';

If so, what is the recommended order?

Please note that since my web service is a server, I set SSLOptions.Mode := sslmServer.

* These are the ones that nmap script ssl-enum-ciphers evaluates with "A"

+4
2 answers

Is cipher name order important in TIdServerIOHandlerSSLOpenSSL.SSLOptions.CipherList?

Mostly yes.

TLS does not determine who decides on the cipher. Typically, the server honors the client's preferences. That is, the server will use the client's first preference if it is available and enabled, or the client's second preference if it is available and enabled, etc.

Most libraries allow the server to override this behavior, for example with the OpenSSL option SSL_OP_CIPHER_SERVER_PREFERENCE. In this case, the server will match the server's first preference if the client advertises it, the server's second preference if the client advertises it, etc.

For the servers I manage, I set up a list of cipher suites and usually set SSL_OP_CIPHER_SERVER_PREFERENCE because many clients do not pay attention to details. They just throw a soup of cipher suites into the ClientHello, hoping something sticks.


The order in which the server offers ciphers is important, but can I control this order?

Yes.

On the server, determine your order of the cipher suites, and then set them using SSL_CTX_set_cipher_list or SSL_set_cipher_list. By setting the list, you ensure that RC4-MD5 is not used even if it is the client's first choice (assuming that you omit it). For maximum effect, also set the context option SSL_OP_CIPHER_SERVER_PREFERENCE.

Also see How to disable a specific cipher suite in openssl? The context is OpenSSL, but it should give you an idea of where to go in Delphi.


(Comments): What is not clear to me from your answer: Does the CipherList property already imply an order? If I look at the Delphi / Indy base code, I see that it is just a wrapper for the external function SSL_CTX_set_cipher_list : function(_para1: PSSL_CTX; const str: PAnsiChar): TIdC_INT cdecl = nil; in IdSSLOpenSSLHeaders.pas

If I understand Delphi correctly, then I believe the answer is Yes, it is. But it probably uses either (1) the default OpenSSL list, or (2) the default Delphi list. Both of them are probably similar to "ALL:!EXP:!LOW" or similar. In any case, you will want to customize it to your taste.

If you are interested in what the list looks like on the wire, use Wireshark to inspect the ClientHello. It is easy to generate with s_client, and it shows you what the list of default OpenSSL cipher suites looks like:

 $ openssl s_client -connect www.ietf.org:443 -tls1 -servername www.ietf.org 

And the corresponding Wireshark trace with the 55 default cipher suites packed into it:

[Image: Wireshark trace of the ClientHello cipher suite list]

You can also improve your security posture and reduce the number of cipher suites with the -cipher option and "HIGH:!aNULL:!MD5:!RC4". The number of cipher suites will be reduced to about 35.

 $ openssl s_client -connect www.ietf.org:443 -tls1 -servername www.ietf.org \
     -cipher 'HIGH:!aNULL:!MD5:!RC4'

If you don't like TripleDES and Camellia, you can reduce it to 20 cipher suites with:

 $ openssl s_client -connect www.ietf.org:443 -tls1 -servername www.ietf.org \
     -cipher 'HIGH:!aNULL:!MD5:!RC4:!3DES:!CAMELLIA'

Now suppose that the client is configured only with RC4-MD5, and the server is configured only with AES-GCM. I.e., there is no intersection of cipher suites between client and server. In this case, you will receive an error message in OpenSSL. The error will be 0x1408A0C1, "there are no common cipher suites." On the server, it will look something like this:

 140339533272744:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1353 

For clients and servers based on OpenSSL, you can determine the list of default cipher suites with the string "DEFAULT". This is literally what it is called (check out the ciphers(1) man page).

There are 103 of them, which include weak and wounded algorithms. In practice, you want to pare it down to 16 or so cipher suites that you are comfortable using (that is, your security posture):

 $ openssl ciphers -v 'DEFAULT' | cut -f 1 -d " " | wc -l
 103

and

 $ openssl ciphers -v 'DEFAULT' | cut -f 1 -d " "
 ECDHE-RSA-AES256-GCM-SHA384
 ECDHE-ECDSA-AES256-GCM-SHA384
 ECDHE-RSA-AES256-SHA384
 ECDHE-ECDSA-AES256-SHA384
 ECDHE-RSA-AES256-SHA
 ECDHE-ECDSA-AES256-SHA
 SRP-DSS-AES-256-CBC-SHA
 SRP-RSA-AES-256-CBC-SHA
 SRP-AES-256-CBC-SHA
 DH-DSS-AES256-GCM-SHA384
 DHE-DSS-AES256-GCM-SHA384
 DH-RSA-AES256-GCM-SHA384
 DHE-RSA-AES256-GCM-SHA384
 DHE-RSA-AES256-SHA256
 DHE-DSS-AES256-SHA256
 DH-RSA-AES256-SHA256
 DH-DSS-AES256-SHA256
 DHE-RSA-AES256-SHA
 DHE-DSS-AES256-SHA
 DH-RSA-AES256-SHA
 DH-DSS-AES256-SHA
 DHE-RSA-CAMELLIA256-SHA
 DHE-DSS-CAMELLIA256-SHA
 DH-RSA-CAMELLIA256-SHA
 DH-DSS-CAMELLIA256-SHA
 ECDH-RSA-AES256-GCM-SHA384
 ECDH-ECDSA-AES256-GCM-SHA384
 ECDH-RSA-AES256-SHA384
 ECDH-ECDSA-AES256-SHA384
 ECDH-RSA-AES256-SHA
 ECDH-ECDSA-AES256-SHA
 AES256-GCM-SHA384
 AES256-SHA256
 AES256-SHA
 CAMELLIA256-SHA
 PSK-AES256-CBC-SHA
 ECDHE-RSA-AES128-GCM-SHA256
 ECDHE-ECDSA-AES128-GCM-SHA256
 ECDHE-RSA-AES128-SHA256
 ECDHE-ECDSA-AES128-SHA256
 ECDHE-RSA-AES128-SHA
 ECDHE-ECDSA-AES128-SHA
 SRP-DSS-AES-128-CBC-SHA
 SRP-RSA-AES-128-CBC-SHA
 SRP-AES-128-CBC-SHA
 DH-DSS-AES128-GCM-SHA256
 DHE-DSS-AES128-GCM-SHA256
 DH-RSA-AES128-GCM-SHA256
 DHE-RSA-AES128-GCM-SHA256
 DHE-RSA-AES128-SHA256
 DHE-DSS-AES128-SHA256
 DH-RSA-AES128-SHA256
 DH-DSS-AES128-SHA256
 DHE-RSA-AES128-SHA
 DHE-DSS-AES128-SHA
 DH-RSA-AES128-SHA
 DH-DSS-AES128-SHA
 DHE-RSA-SEED-SHA
 DHE-DSS-SEED-SHA
 DH-RSA-SEED-SHA
 DH-DSS-SEED-SHA
 DHE-RSA-CAMELLIA128-SHA
 DHE-DSS-CAMELLIA128-SHA
 DH-RSA-CAMELLIA128-SHA
 DH-DSS-CAMELLIA128-SHA
 ECDH-RSA-AES128-GCM-SHA256
 ECDH-ECDSA-AES128-GCM-SHA256
 ECDH-RSA-AES128-SHA256
 ECDH-ECDSA-AES128-SHA256
 ECDH-RSA-AES128-SHA
 ECDH-ECDSA-AES128-SHA
 AES128-GCM-SHA256
 AES128-SHA256
 AES128-SHA
 SEED-SHA
 CAMELLIA128-SHA
 IDEA-CBC-SHA
 PSK-AES128-CBC-SHA
 ECDHE-RSA-RC4-SHA
 ECDHE-ECDSA-RC4-SHA
 ECDH-RSA-RC4-SHA
 ECDH-ECDSA-RC4-SHA
 RC4-SHA
 RC4-MD5
 PSK-RC4-SHA
 ECDHE-RSA-DES-CBC3-SHA
 ECDHE-ECDSA-DES-CBC3-SHA
 SRP-DSS-3DES-EDE-CBC-SHA
 SRP-RSA-3DES-EDE-CBC-SHA
 SRP-3DES-EDE-CBC-SHA
 EDH-RSA-DES-CBC3-SHA
 EDH-DSS-DES-CBC3-SHA
 DH-RSA-DES-CBC3-SHA
 DH-DSS-DES-CBC3-SHA
 ECDH-RSA-DES-CBC3-SHA
 ECDH-ECDSA-DES-CBC3-SHA
 DES-CBC3-SHA
 PSK-3DES-EDE-CBC-SHA
 EDH-RSA-DES-CBC-SHA
 EDH-DSS-DES-CBC-SHA
 DH-RSA-DES-CBC-SHA
 DH-DSS-DES-CBC-SHA
 DES-CBC-SHA
+5
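
The selection rule described in the answer above (client preference by default, server preference with SSL_OP_CIPHER_SERVER_PREFERENCE, and the "no shared cipher" failure), as an added Python model that is not part of the original post and is not OpenSSL or Indy code. The client offer is constructed, and deciding TLS 1.2-only suites by name suffix is a simplifying assumption that holds for the names used here.

```python
"""Model of TLS cipher-suite selection (added illustration, not OpenSSL/Indy code)."""

# The question's CipherList value, with DHE-RSA-AES256-SHA written out in full.
SERVER_CIPHER_LIST = (
    "DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA256-SHA:"
    "DHE-RSA-CAMELLIA128-SHA256"
)
# Constructed ClientHello offer, in the client's own preference order.
CLIENT_OFFER = ["RC4-MD5", "DHE-RSA-AES128-SHA",
                "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA"]


class NoSharedCipher(Exception):
    """Stands in for OpenSSL's 'no shared cipher' handshake failure."""


def parse_cipher_list(value):
    """Split a ':'-separated list, keeping order and dropping empties/repeats."""
    names = []
    for name in value.split(":"):
        name = name.strip()
        if name and name not in names:
            names.append(name)
    return names


def needs_tls12(name):
    """Simplification: AEAD and SHA-256/384 MAC suites exist only in TLS 1.2."""
    return name.endswith(("SHA256", "SHA384", "POLY1305"))


def negotiate(client_offer, server_list, server_preference, tls12=True):
    """Return the chosen suite; the list whose order wins is walked first."""
    walk, other = ((server_list, client_offer) if server_preference
                   else (client_offer, server_list))
    for suite in walk:
        if suite in other and (tls12 or not needs_tls12(suite)):
            return suite
    raise NoSharedCipher("no suite common to client and server")


if __name__ == "__main__":
    server = parse_cipher_list(SERVER_CIPHER_LIST)
    for pref in (False, True):
        for tls12 in (True, False):
            print(pref, tls12, negotiate(CLIENT_OFFER, server, pref, tls12))
```

With TLS 1.0 still enabled, as in the question, a TLS 1.0 handshake skips every GCM, SHA256/SHA384 and CHACHA20 entry, so the order of the remaining -SHA suites is what decides the outcome for those clients.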

Meta: this is not an answer to the question, but a response to the comment. Really understanding SSL/TLS is not programming, but a big question that might be “too broad” for SO. But some thoughts anyway:

  • The definitive guide to SSL/TLS as a standardized protocol, or essentially a family of them, is of course the RFCs that define them, plus, where applicable, the external standards referenced by those RFCs (e.g. FIPS 197 for AES, PKCS #1 for RSA, SECG1 for ECC, etc.). Wikipedia has a good overview and (AFAICT) a full list of links.

  • If you just want a general understanding of what the ciphers are and how they work (for example, RSA vs. DHE vs. ECDHE, and AES vs. TDES or HMAC vs. AEAD), Wikipedia is also good, as well as the canonical Q&As on security.SE.

  • A middle way may be Ivan Ristic's new book "Bulletproof"; he is the guy behind the widely used and well-rated SSLLabs test, and the book is linked from this homepage. I have not read the actual book, but a few years ago he showed and discussed on his blog some of the materials that were planned for the book, and I thought it looked great.

In addition, you are not directly implementing the standard; you are using an implementation that is a version of OpenSSL, and in today's software ecosystem "OpenSSL" may vary. First, OpenSSL itself has several build (aka compile-time) options. And I know Delphi only in general terms, and I don't know whether the version of OpenSSL that you identify is provided with or for Delphi (or Indy?) or "pulled in" from the OS or elsewhere, and in any case who built it with what options and, possibly, even modifications (patches). (For comparison, I usually use Linux based on RedHat and Debian, which support patches so that a package identified, for example, as "1.0.1e" usually differs from other versions that are also identified as "1.0.1e", sometimes significantly.)

+2

Source: https://habr.com/ru/post/1272459/

