Author Topic: TLS Ciphers - RSA vs ECDSA  (Read 2253 times)

roundtree
TLS Ciphers - RSA vs ECDSA
« on: May 30, 2018, 09:30:50 pm »
I have noted some unusual behavior with the TLS ciphers available in 18.1.8.  I enabled several "secure" ciphers and, naturally, locked myself out temporarily (always have backups!).  After restoring the last good config, I decided to probe a bit further to see what was actually reciprocated in the TLS handshake and was quite surprised.  Specifically, I hoped to lock down the ciphers for remote administration to only ECDHE_ECDSA using GCM, but apparently those ciphers aren't actually working.  I ran some tests using SSLyze and these are the results that concerned me.

Code:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384             ECDH-384 bits  256 bits
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256             ECDH-384 bits  128 bits
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384           TLS / Alert: handshake failure
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256           TLS / Alert: handshake failure

I switched to LibreSSL with no difference in the handshake results, so I don't think the library is at fault (but obviously I'm not certain).  Perhaps it's a known bug, but I couldn't find anything here in the forums or elsewhere.  And I'm sure there may be other ciphers that should work, but I didn't try.  I can post my full handshake results if anyone's interested.

I don't expect that this issue rates very highly on anyone's list given the other issues noted, but I thought it was worth posting here in case someone is looking in the future for why they were locked out after tightening their ciphers.  In particular, it appears that the best option available with modern browsers is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.

franco
Re: TLS Ciphers - RSA vs ECDSA
« Reply #1 on: May 31, 2018, 11:21:00 am »
I could be wrong, but don't these ciphers require AESNI on both sides (server and client)?


Cheers,
Franco

fabian
Re: TLS Ciphers - RSA vs ECDSA
« Reply #2 on: May 31, 2018, 12:10:13 pm »
AESNI is a hardware implementation in x86 and amd64 CPUs. It has nothing to do with TLS except that it can accelerate it and it may protect against timing attacks. GCM can be done in software as well (it is a counter mode with integrated authentication).

schnipp
Re: TLS Ciphers - RSA vs ECDSA
« Reply #3 on: May 31, 2018, 07:24:23 pm »
It's not a bug. The last two cipher suites use ECDSA for endpoint authentication. So you need an appropriate ECDSA certificate on your server.
OPNsense 23.1.3-amd64
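
The point of the last reply as a preflight check to run before tightening a cipher list (an added example, not part of the thread and not OPNsense code): it asks the local OpenSSL which signature algorithm each TLS 1.2 suite authenticates with and reports the suites a server with a given certificate key type can actually negotiate. The function names, the key-type labels and the IANA-to-OpenSSL name table are assumptions of this example, and it expects Python linked against OpenSSL 1.1.0 or later.

```python
import ssl

# IANA name -> OpenSSL name for the four suites in the SSLyze output above.
OPENSSL_NAME = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
}
# Certificate key type (labels chosen for this example) -> the
# authentication label OpenSSL reports for a suite.
AUTH_LABEL = {"rsa": "auth-rsa", "ecdsa": "auth-ecdsa"}


def suite_auth(iana_names):
    """Ask the local OpenSSL which algorithm each suite authenticates with."""
    wanted = {OPENSSL_NAME[n]: n for n in iana_names}
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(":".join(wanted))  # raises ssl.SSLError if none is known
    # get_ciphers() also lists TLS 1.3 suites; keep only the ones asked for.
    return {wanted[c["name"]]: c["auth"]
            for c in ctx.get_ciphers() if c["name"] in wanted}


def usable_suites(iana_names, cert_key_type):
    """Suites a server holding this certificate key type can negotiate."""
    auth = suite_auth(iana_names)
    return [n for n in iana_names if auth.get(n) == AUTH_LABEL[cert_key_type]]


def preflight(iana_names, cert_key_type):
    """Return (ok, usable, dead); ok is False when no listed suite can work."""
    usable = usable_suites(iana_names, cert_key_type)
    dead = [n for n in iana_names if n not in usable]
    return bool(usable), usable, dead


if __name__ == "__main__":
    # The configuration from the first post: ECDHE_ECDSA with GCM only.
    ecdsa_only = [n for n in OPENSSL_NAME if "_ECDSA_" in n]
    for key_type in ("rsa", "ecdsa"):
        ok, usable, dead = preflight(ecdsa_only, key_type)
        state = "ok" if ok else "LOCKOUT"
        print(f"{key_type} certificate: {state}; usable={usable}; dead={dead}")
```
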
