New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto/tls: Disable DES ciphers in TLS 1.1+ #21144
Comments
cc @agl |
Are you suggesting that setting the MinVersion should also change the default cipher suites? Or that servers should never negotiate 3DES with a client that offers TLS >= 1.1 despite the cipher suite config? Both of these seem rather surprising cross-behaviours. As you note, if you wish to disable cipher suites you are able to. Also, keep in mind that disabling 3DES does not improve the first-order security of the system—it just breaks clients that cannot do better. That might lead to helpful second-order effects (e.g. they update their clients), but the benefit is indirect. I would prefer to disable 3DES by default. That's simple and clear. However, 3DES is what IE on Windows XP is clinging onto and I suspect there is a constituency of Go users who care about that. At some point the balance will shift and they'll have to explicitly enable 3DES rather than the other set explicitly disabling it. I don't know whether 1.10 is the point where that happens. |
The Mozilla wiki has a good list of CipherSuites and compatibility with various browsers. |
Yes, that's my suggestion. RFC 5246 says "Removed IDEA and DES cipher suites. They are now deprecated and will be documented in a separate document." This language suggests that these ciphers should not be used when negotiating TLS 1.2 (or is that only referring to single DES?) If there's no precedent for this sort of "cross-behavior", though, I can see why you might be reluctant to introduce it.
So in that case should the report from Nessus that this configuration is vulnerable to Sweet32 be regarded as a false positive? What I'm really looking for is an answer to "i'm willing to abandon browsers older than X; what is the most secure way to configure my TLS server?". I was hoping that setting MinVersion to 1.2 would be a reasonable proxy for this, but maybe that's not the right way to look at it. Maybe there should be a package (probably outside the standard library so it can update on its own schedule) containing factory functions that construct tls.Configs from higher-level parameters (like Python's |
It means single-DES. 3DES is still described in that RFC. There's no standards-based prohibition with using 3DES with TLS 1.2.
It's technically true, but the implications are perhaps non-obvious. It's not the case that the whole user population is vulnerable because 3DES is enabled. Rather, users who otherwise couldn't connect can do so, but only with 3DES, and that means that they'll be subject to birthday-bound limitations inherent with any 64-bit cipher.
As linked above, there are several resources that have opinions on how you should configure TLS servers. But the But you can certainly create a package that returns |
Please answer these questions before submitting your issue. Thanks!
What version of Go are you using (
go version
)?go version go1.8.3 linux/amd64
What operating system and processor architecture are you using (
go env
)?What did you do?
tls.Config.MinVersion
set to 1.2:What did you expect to see?
Only secure cipher suites should be enabled by default.
What did you see instead?
Two DES-based cipher suites are enabled by default. This is flagged as vulnerable to the Sweet32 attack. According to cloudflare's docs on the subject, there is no legitimate need for DES ciphers in TLS 1.2 (or 1.1), so disabling these suites in TLS 1.1+ should be a straightforward win for security. Or, if there are other reasons that this is not a concern in Go's implementation, this should be documented to put our users' minds at ease.
We can use the
tls.Config.CipherSuites
option to disable the DES-based ciphers ourselves, but we'd prefer to delegate the knowledge of which ciphers are safe to the Go crypto team.This is a subset of #13385, because the DES ciphers also use CBC.
The text was updated successfully, but these errors were encountered: