Project

General

Profile

Actions

Feature #9896

closed

Add poly1305-chacha20 to the TLSv1.2 cipher list in nginx

Added by Viktor Gurov almost 5 years ago. Updated almost 5 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Web Interface
Target version:
Start date:
11/14/2019
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:

Description

as part of NGE

https://tools.ietf.org/html/rfc7905

test result (nmap):

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 4096) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

https://github.com/pfsense/pfsense/pull/4112

Actions #1

Updated by Jim Pingle almost 5 years ago

  • Status changed from New to Pull Request Review
  • Assignee set to Jim Pingle
  • Target version set to 2.5.0

Actually this appears to be unnecessary. It's already enabled by default for TLS 1.3, but that scanner (nmap ssl-enum-ciphers) does not yet support TLS 1.3

Try with testssl.sh

 Testing server preferences 

 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1.3
 Negotiated cipher            TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
 Cipher order
    TLSv1.2:   ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA384
               ECDHE-RSA-AES256-SHA DHE-RSA-AES256-CCM8 DHE-RSA-AES256-CCM DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA 
    TLSv1.3:   TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 

The PR could still add it for TLS 1.2, but I am not sure it's worth adding at this stage since TLS 1.3 should be used.

Actions #2

Updated by Viktor Gurov almost 5 years ago

Jim Pingle wrote:

Actually this appears to be unnecessary. It's already enabled by default for TLS 1.3, but that scanner (nmap ssl-enum-ciphers) does not yet support TLS 1.3

I know it, and did the test with sslyze also
This PR is to support full-range of NGE algorithms in TLSv1.2

Actions #3

Updated by Jim Pingle almost 5 years ago

  • Subject changed from add poly1305-chacha20 to the nginx cipher list of WebGUI to Add poly1305-chacha20 to the TLSv1.2 cipher list in nginx
Actions #4

Updated by Renato Botelho almost 5 years ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100

PR has been merged. Thanks

Actions #5

Updated by Viktor Gurov almost 5 years ago

Renato Botelho wrote:

PR has been merged. Thanks

Tested on pfSense 2.5.0.a.20191126.1832

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http nginx
|_http-server-header: nginx
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 4096) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

Resolved

Actions #6

Updated by Jim Pingle almost 5 years ago

  • Status changed from Feedback to Resolved
Actions

Also available in: Atom PDF