[SERVER-34911] Restrict TLS ciphers supported by servers and clients Created: 08/May/18 Updated: 27/Oct/23 Resolved: 29/Jan/19 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Networking, Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Spencer Jackson | Assignee: | Kenneth White |
| Resolution: | Gone away | Votes: | 0 |
| Labels: | security | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||||||
| Participants: | |||||||||||||
| Description |
|
There are a wide variety of ciphers suites, defined across the TLS RFCs. These suites will specify the hashing algorithm and the asymmetric and symmetric cryptography used in the TLS conversation. Some suites provide useful properties, like Perfect Forward Secrecy. The server and shell should restrict themselves to using a limited set of suites which provide PFS, and use modern algorithms which are considered to have wide security margins. Below are a set of cipher suites which would be supported.
|
| Comments |
| Comment by Kenneth White [ 23/Jan/19 ] |
|
Thanks spencer.jackson. I'm fine with closing this for now. Independent of this ticket, I'll assign myself to put together a simple test suite and living doc to crosswalk server & drivers on the major supported platforms with modern PFS cipher suites (I know that RH/Cent 8 includes and Ubuntu 18LTS will backport TLS 1.3 natively, but it would be good to have a uniform central resource to point to). |
| Comment by Kenneth White [ 23/Jan/19 ] |
|
Just to confirm, do we believe that 4.2 server and current drivers running on major supported modern platforms like Windows Server 2016+, Windows 10, RedHat/Cent 7.4+, and OSX can be configured to support at least one of these suites? TLS_ECDHE_RSA_WITH_AES_128GCM_SHA256 If not, maybe we could create a simple crosstab of the major supported platforms vs cipher suites for the record and then revisit this post-4.2? |