OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: roundtree on May 30, 2018, 09:30:50 pm

Title: TLS Ciphers - RSA vs ECDSA
Post by: roundtree on May 30, 2018, 09:30:50 pm
I have noted some unusual behavior with the TLS ciphers available in 18.1.8.  I enabled several "secure" ciphers and, naturally, locked myself out temporarily (always have backups!).  After restoring the last good config, I decided to probe a bit further to see what was actually reciprocated in the TLS handshake and was quite surprised.  Specifically, I hoped to lock down the ciphers for remote administration to only ECDHE_ECDSA using GCM, but apparently those ciphers aren't actually working.  I ran some tests using SSLyze (https://github.com/nabla-c0d3/sslyze) and these are the results that concerned me.

Code:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384             ECDH-384 bits  256 bits
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256             ECDH-384 bits  128 bits
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384           TLS / Alert: handshake failure
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256           TLS / Alert: handshake failure

I switched to LibreSSL with no difference in the handshake results, so I don't think the library is at fault (but obviously I'm not certain).  Perhaps it's a known bug, but I couldn't find anything here in the forums or elsewhere.  And I'm sure there may be other ciphers that should work, but I didn't try.  I can post my full handshake results if anyone's interested.

I don't expect that this issue rates very highly on anyone's list given the other issues noted, but I thought it was worth posting here in case someone is looking in the future for why they were locked out after tightening their ciphers.  In particular, it appears that the best option available with modern browsers is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.

Title: Re: TLS Ciphers - RSA vs ECDSA
Post by: franco on May 31, 2018, 11:21:00 am
I could be wrong, but don't these ciphers require AESNI on both sides (server and client)?

Title: Re: TLS Ciphers - RSA vs ECDSA
Post by: fabian on May 31, 2018, 12:10:13 pm
AESNI is a hardware implementation in x86 and amd64 CPUs. It has nothing to do with TLS except that it can accelerate it and it may protect against timing attacks. GCM can be done in software as well (it is a counter mode with integrated authentication).

Title: Re: TLS Ciphers - RSA vs ECDSA
Post by: schnipp on May 31, 2018, 07:24:23 pm
It's not a bug. The last two cipher suites use ECDSA for endpoint authentication. So you need an appropriate ECDSA certificate on your server.
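To reproduce the behaviour described in this thread without touching a firewall, here is an added Go example (not code from the thread or from OPNsense). It generates throwaway self-signed RSA and ECDSA test certificates, runs a TLS 1.2 handshake over an in-memory pipe, and shows that a client offering only an ECDHE_ECDSA suite gets a handshake failure from a server that holds an RSA certificate, while the same suite negotiates once the server holds an ECDSA certificate. The names selfSigned and negotiate are this example's own; only the Go standard library is used.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned wraps an RSA or ECDSA key in a throwaway self-signed test certificate (constructed for this example).
func selfSigned(key crypto.Signer) tls.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		Subject: pkix.Name{CommonName: "localhost"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// negotiate runs a TLS 1.2 handshake over an in-memory pipe: the server holds cert and
// the client offers only one cipher suite. Returns the negotiated suite name or the error.
func negotiate(cert tls.Certificate, suite uint16) (string, error) {
	cConn, sConn := net.Pipe()
	defer func() { cConn.Close(); sConn.Close() }()
	go tls.Server(sConn, &tls.Config{Certificates: []tls.Certificate{cert}, MaxVersion: tls.VersionTLS12}).Handshake()
	cli := tls.Client(cConn, &tls.Config{CipherSuites: []uint16{suite}, MaxVersion: tls.VersionTLS12,
		InsecureSkipVerify: true}) // self-signed test cert; the suite selection is what we are testing
	if err := cli.Handshake(); err != nil {
		return "", err // an ECDHE_ECDSA suite against an RSA-only server ends here with a handshake_failure alert
	}
	return tls.CipherSuiteName(cli.ConnectionState().CipherSuite), nil
}

func main() {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	for name, cert := range map[string]tls.Certificate{"RSA": selfSigned(rsaKey), "ECDSA": selfSigned(ecKey)} {
		got, err := negotiate(cert, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
		fmt.Printf("%s cert, client offers TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: %q %v\n", name, got, err)
	}
}
```

The same check works the other way round: a server holding only an ECDSA certificate rejects clients that offer only ECDHE_RSA suites, which is why a GUI that only lets you pick suites, not the certificate type, can lock you out.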