Uploaded image for project: 'Kudu'
  1. Kudu
  2. KUDU-2983

webserver: remove TLS ciphers with RSA-based key exchange

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 1.11.0
    • None
    • master, security, tserver
    • None

    Description

      Since squeasel now supports ECDH-based algorithms since d6a6b54b1, it's safe to remove ciphers with key exchange based on RSA for Kudu embedded webserver on every supported platform but CentOS6 (there we use openssl-el6-workaround defining OPENSSL_NO_ECDH).

      That's to follow best practices of using only forward secrecy-enabled ciphers. Let's use at least intermediate compatibility cipher list (needs to be accommodated for CentOS7 since polynomial algos usually are not available on OpenSSL package on that platform).

      Also, that's to avoid security scan tools like Qualys SSL Server Test from SSL Labs issuing warnings about critical vulnerabilities such as RobotAttack. See this introduction article for more context on replacing RSA with ECC for TLS key exchange.

      The issue to remove ciphers with RSA-based key exchange for Kudu RPC is tracked separately since it requires changing type of IPKI private key as well.

      This is the list of ciphers to use on CentOS7 and newer for Kudu webserver:

      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
      

      Attachments

        Activity

          People

            Unassigned Unassigned
            aserbin Alexey Serbin
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated: