  1. Kudu
  2. KUDU-2983

webserver: remove TLS ciphers with RSA-based key exchange


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.11.0
    • Fix Version/s: None
    • Component/s: master, security, tserver
    • Labels:
      None

      Description

      Since squeasel has supported ECDH-based algorithms since d6a6b54b1, it's safe to remove ciphers with RSA-based key exchange from the Kudu embedded webserver on every supported platform except CentOS6 (there we use openssl-el6-workaround, which defines OPENSSL_NO_ECDH).

      That's to follow the best practice of using only forward secrecy-enabled ciphers. Let's use at least the intermediate compatibility cipher list (it needs to be adapted for CentOS7, since polynomial algos are usually not available in the OpenSSL package on that platform).

      Also, that's to avoid security scan tools like Qualys SSL Server Test from SSL Labs issuing warnings about critical vulnerabilities such as RobotAttack. See this introduction article for more context on replacing RSA with ECC for TLS key exchange.

      The issue to remove ciphers with RSA-based key exchange for Kudu RPC is tracked separately, since it requires changing the type of the IPKI private key as well.

      This is the list of ciphers to use on CentOS7 and newer for the Kudu webserver:

      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
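
An added example (not part of the issue or of Kudu's code): a small audit that sorts the suites in an OpenSSL cipher list by key exchange, so a list like the one above can be checked for leftover RSA key exchange before it is deployed. It assumes OpenSSL's TLS 1.2-and-earlier naming, where a suite without a key-exchange prefix uses RSA key exchange; `LEGACY_LIST` is a constructed sample.

```python
import re

# Cipher list proposed on this page for CentOS7 and newer.
PAGE_LIST = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)
# Constructed sample: a list that still carries RSA key exchange suites.
LEGACY_LIST = "ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES256-SHA:DES-CBC3-SHA"

# Prefixes naming an ephemeral (forward-secret) exchange; EDH is the older spelling of DHE.
EPHEMERAL = {"ECDHE", "DHE", "EDH"}
# Static, anonymous, PSK, SRP and other non-RSA exchanges: reported separately for review.
OTHER_KX = {"ECDH", "DH", "ADH", "AECDH", "PSK", "SRP", "KRB5", "GOST2001", "GOST2012"}


def classify(token):
    """Return the bucket for one element of an OpenSSL cipher string."""
    # Keywords (HIGH, kRSA), operators (!aNULL, +RC4, @STRENGTH) and TLS 1.3
    # names (TLS_AES_128_GCM_SHA256) cannot be judged from the name alone.
    if token[0] in "!+-@" or "-" not in token:
        return "unresolved"
    prefix = token.split("-", 1)[0]
    if prefix in EPHEMERAL:
        return "forward_secret"
    if prefix in OTHER_KX:
        return "other"
    # No key-exchange prefix (AES128-GCM-SHA256) or an explicit RSA- prefix
    # (RSA-PSK-...): the premaster secret is sent under the server's RSA key.
    return "rsa_kx"


def audit(cipher_string):
    """Group every element of a cipher string by key-exchange bucket."""
    report = {"forward_secret": [], "rsa_kx": [], "other": [], "unresolved": []}
    for token in filter(None, re.split(r"[:, ]+", cipher_string.strip())):
        report[classify(token)].append(token)
    return report


if __name__ == "__main__":
    for label, ciphers in (("page list", PAGE_LIST), ("legacy list", LEGACY_LIST)):
        result = audit(ciphers)
        verdict = "OK" if not (result["rsa_kx"] or result["other"] or result["unresolved"]) else "REVIEW"
        print(f"{label}: {verdict} rsa_kx={result['rsa_kx']} other={result['other']}")
```

Elements reported as `unresolved` are keywords or operators that only the linked OpenSSL build can expand, so check those with `openssl ciphers -v` on the target platform.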
      

            People

            • Assignee: Unassigned
            • Reporter: Alexey Serbin (aserbin)