Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

proposal: crypto/tls: support for openssl ciphers symbols, keywords in tls config #60878

Open
vkosuri opened this issue Jun 20, 2023 · 5 comments
Open

proposal: crypto/tls: support for openssl ciphers symbols, keywords in tls config #60878

vkosuri opened this issue Jun 20, 2023 · 5 comments
Labels
Proposal Proposal-Crypto Proposal related to crypto packages or other security issues
Milestone
Proposal

Comments

@vkosuri
Copy link

vkosuri commented Jun 20, 2023
edited

Currently openssl ciphers https://www.openssl.org/docs/man1.1.1/man1/ciphers.html does support all keyword based such as DEFAULT, ALL, NULL and symbols '+' and '-' to get

Currently the API returns only https://pkg.go.dev/crypto/tls#CipherSuiteName CipherSuites returns string based on input constants https://pkg.go.dev/crypto/tls#pkg-constants instead if we have support for all Keywords and symbols accept strings and reruns array of strings.

This how openssl return the cipher suites based on keywords

❯ openssl ciphers RSA
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:AES256-GCM-SHA384:AES256-CCM8:AES256-CCM:ARIA256-GCM-SHA384:AES128-GCM-SHA256:AES128-CCM8:AES128-CCM:ARIA128-GCM-SHA256:AES256-SHA256:CAMELLIA256-SHA256:AES128-SHA256:CAMELLIA128-SHA256:NULL-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-SHA:CAMELLIA128-SHA:NULL-SHA:NULL-MD5

# all default suites
❯ openssl ciphers DEFAULT
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA

# openssl returns on NULL cipher suites
❯ openssl ciphers NULL
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-NULL-SHA:ECDHE-RSA-NULL-SHA:AECDH-NULL-SHA:NULL-SHA256:ECDHE-PSK-NULL-SHA384:ECDHE-PSK-NULL-SHA256:ECDHE-PSK-NULL-SHA:RSA-PSK-NULL-SHA384:RSA-PSK-NULL-SHA256:DHE-PSK-NULL-SHA384:DHE-PSK-NULL-SHA256:RSA-PSK-NULL-SHA:DHE-PSK-NULL-SHA:NULL-SHA:NULL-MD5:PSK-NULL-SHA384:PSK-NULL-SHA256:PSK-NULL-SHA
@gopherbot gopherbot added this to the Proposal milestone Jun 20, 2023
@vkosuri vkosuri changed the title proposal: affected/package: support for openssl ciphers symbols, keywords proposal: crypto/tls: support for openssl ciphers symbols, keywords Jun 20, 2023
@vkosuri
Copy link
Author

vkosuri commented Jun 20, 2023
edited

I have placed an example here as well, It's breaking change, Instead breaking one adding new property something like CipherSuiteString will improve.

// For example I don't write entire list supported ciphers into config rather I just use keywords and symbol to produce entire list, For example I took this example form

func main() {
    mux := http.NewServeMux()
    mux.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
        w.Header().Add("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
        w.Write([]byte("This is an example server.\n"))
    })
    cfg := &tls.Config{
        MinVersion:               tls.VersionTLS12,
        CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
        PreferServerCipherSuites: true,
        CipherSuites: []uint16{
            tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
            tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
            tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
            tls.TLS_RSA_WITH_AES_256_CBC_SHA,
        },
    }
    srv := &http.Server{
        Addr:         ":443",
        Handler:      mux,
        TLSConfig:    cfg,
        TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0),
    }
    log.Fatal(srv.ListenAndServeTLS("tls.crt", "tls.key"))
}

// and just rewritten list this

func main() {
    mux := http.NewServeMux()
    mux.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
        w.Header().Add("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
        w.Write([]byte("This is an example server.\n"))
    })
    cfg := &tls.Config{
        MinVersion:               tls.VersionTLS12,
        CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
        PreferServerCipherSuites: true,
        CipherSuiteString: []string{
            'RSA+ECHDE'
        },
    }
    srv := &http.Server{
        Addr:         ":443",
        Handler:      mux,
        TLSConfig:    cfg,
        TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0),
    }
    log.Fatal(srv.ListenAndServeTLS("tls.crt", "tls.key"))
}

@vkosuri vkosuri changed the title proposal: crypto/tls: support for openssl ciphers symbols, keywords proposal: crypto/tls: support for openssl ciphers symbols, keywords in tls config Jun 20, 2023
@seankhliao seankhliao added the Proposal-Crypto Proposal related to crypto packages or other security issues label Jun 20, 2023
@ianlancetaylor
Copy link
Contributor

CC @golang/security

@FiloSottile
Copy link
Contributor

OpenSSL supports so many cipher suites it needs a little grammar to handle them. We don't. We also don't let the application change TLS 1.3 cipher suites, and I don't expect we'll ever add new TLS 1.2 cipher suites, so it's not even a matter of supporting future suites. Finally, we select the order automatically and don't support completely broken ones, so there is little harm in enabling too many. I don't think this is a good fit for Go.

@vkosuri
Copy link
Author

vkosuri commented Jun 21, 2023

I see this issue about the ordering #45430. I don't understand the complexity behind and fit for GO?

I have seen lot of load balancers and security orgs are still supporting flexibility for example

IMHO and Finally the source raw shouldn't limited particular things, then end user will select what (s)he need. It doesn't mean the end user don't know anything about security.

@vkosuri
Copy link
Author

vkosuri commented Jun 22, 2023

My overall point here, the flexibility the other libs are providing, I through it's good to have in GO as well

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Proposal Proposal-Crypto Proposal related to crypto packages or other security issues
Projects
Proposals
Status: Incoming
Milestone
Proposal
Development

No branches or pull requests
5 participants
@FiloSottile @ianlancetaylor @gopherbot @seankhliao @vkosuri