Add option to configure TLS cipher suites

[coderanger]

The default Go cipher configs are a bit wonky, it would be nice to be able to put in a cipher string in the config to override it. I know bupkiss about Go's TLS listener API, but a quick look over of the docs made this seem non-trivial.

[jefferai]

Any chance you can define "wonky"?

[coderanger]

Ciphersuite order is chosen so that ... RC4 comes before AES (because of the Lucky13 attack).

Granted I can't really blame them, CBC vs. RC4 is likely choosing which finger you would like blown off. Would rather just disable both, and maybe 3DES while I'm at it because 😿 downgrade attacks are sadmaking.

[coderanger]

For reference https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L78-L94 is Go's default cipher ordering I think.

[jefferai]

Note that you can easily disable this on the client side as well.

[coderanger]

"easily" would depend on what TLS client library you were using, and from a compliance PoV it is nice to just knock out everything related to MitM downgrades at once (like you can already do with TLS versions).

[jefferai]

I think Go's defaults are pretty sane here, and they update them with each release based on current thinking in the security community. But I'm happy to look at a PR if one pops up...shouldn't be too bad, since Go has constants that map to the uint16 values. It would just need to basically have a string array and logic to do the mapping.

[coderanger]

Was this closed for an actual reason?

[vishalnayak]

@coderanger

Some of the Vault issues were closed by mistake from a syncing software. We apologize for the confusion caused. We have reopened the issues that were closed and are investigating the problem that caused this. Again, we are very sorry for the inconvenience.

[rhuddleston]

+1

I just got this from a pen tester:

Sweet32: Birthday attacks on 64-bit block ciphers

https://sweet32.info/
https://www.openssl.org/blog/blog/2016/08/24/sweet32/

nmap --script +ssl-enum-ciphers -p 8200 node1.dev.xxx.corp

PORT STATE SERVICE
8200/tcp open trivnet1
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
|_ least strength: C

So at the least we need to disable these ciphers:

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

[jefferai]

@rhuddleston if you're willing to do the work it'll get done much faster than leaving it to us :-) if so let me know and we can figure out the design. Shouldn't be too bad.

[roman-vynar]

@jefferai I have added PR on this if you have a chance to take a look.

[jefferai]

Closed via #2293