Review stats and current recommendations to see if TLS settings should be updated.
Possible changes:
Drop TLS < 1.2
Drop non-FS ciphers
Lily
a few things to consider:
TLS 1.0 and 1.1 are likely to be deprecated by RFC soon (https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/), and are already disallowed for PCI-DSS. The default protocol should probably be "tlsv1_2+".
TLS session tickets should probably be disabled unless prosody implements ticket key rotation: https://blog.compass-security.com/2017/06/about-tls-perfect-forward-secrecy-and-session-resumption/
TLS 1.3 forbids renegotiation for security reasons, so it's a good idea to disable it as well.
For ECDH curves, safe curves (X25519 and X448) should be enabled and preferred over NIST curves for security. ~256-bit curves should be preferred over larger sizes for performance. This results in the list "X25519:X448:P-256:P-384:P-521". It might also be worth considering dropping P-521, since web browsers already dropped it a long time ago and vulnerabilities in less-used code are less likely to be found.
For cipher suites:
* RSA key exchange doesn't provide forward secrecy and shouldn't be used.
* DH key exchange shouldn't be used unless a reasonable (~2048-bit) minimum modulus size is enforced.
* AEAD cipher suites should be strongly preferred over CBC suites.
* ECDSA should be preferred over RSA for performance.
* 3DES should not be used because of Sweet32.
* AES should be preferred over ChaCha20 unless the client prefers ChaCha20 for performance (AES is faster on most devices where hardware AES support is available, but ChaCha20 is faster if the client doesn't have hardware AES).
* It might also be a good idea to check if the server has hardware AES support and prefer ChaCha20 over AES if it doesn't.
* AES-128 should be preferred over AES-256 for performance.
* servers should enforce their own preference order because many clients have bad ordering of cipher suites (things like preferring AES-256 CBC over AES-128 GCM).
This results in the following settings:
* ciphers = "ECDHE+AESGCM:ECDHE+AES+SHA:+AES256:ECDHE+CHACHA20:+aRSA:+SHA";
* ciphersuites = "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256";
* prioritize_chacha = true;
* cipher_server_preference = true;
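The comment above argues for a protocol floor, no session tickets, no renegotiation, server-chosen cipher order, and a specific TLS 1.2 cipher string. The following is an added example, not Prosody's own code and not part of the original discussion: it builds a server-side TLS context with those settings using only Python's standard `ssl` module, lets the local OpenSSL expand the recommended cipher string, and audits the resulting TLS 1.2 preference order against the rules listed above (ECDHE only, no 3DES, AEAD before CBC, ECDSA before RSA, AES-128-GCM before AES-256-GCM). The names `hardened_context`, `tls12_suites`, `audit`, `check` and `context_flags` are this example's own; the `WEAK = "ALL"` string is a constructed counter-example. Note that `prioritize_chacha` has no stdlib flag in Python, and that the TLS 1.3 `ciphersuites` list is configured separately in OpenSSL, so it is not covered by `set_ciphers`.

```python
"""Added example (not Prosody code): build a server-side TLS context with
the settings argued for in the comment above and audit the TLS 1.2 cipher
order that the recommended OpenSSL cipher string actually produces.  Only
the stdlib ssl module is used; the local OpenSSL expands the string exactly
as a server built against it would."""
import ssl

# Cipher string from the comment above, for TLS <= 1.2.
RECOMMENDED = "ECDHE+AESGCM:ECDHE+AES+SHA:+AES256:ECDHE+CHACHA20:+aRSA:+SHA"
# Constructed weak counterpart: everything the local OpenSSL has enabled.
WEAK = "ALL"


def hardened_context(cipher_string=RECOMMENDED):
    """Server context: TLS 1.2+, no session tickets, no renegotiation,
    server-chosen cipher order.  (prioritize_chacha has no stdlib flag.)"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # "tlsv1_2+"
    ctx.options |= ssl.OP_NO_TICKET                    # no ticket key rotation
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE     # cipher_server_preference
    # Only defined when OpenSSL >= 1.1.0h; older builds cannot forbid it.
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    ctx.set_ciphers(cipher_string)
    return ctx


def context_flags(ctx):
    """The hardening flags as plain values (for checking/logging)."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "no_ticket": bool(ctx.options & ssl.OP_NO_TICKET),
        "server_preference": bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
        "no_renegotiation": bool(ctx.options & getattr(ssl, "OP_NO_RENEGOTIATION", 0)),
    }


def tls12_suites(ctx):
    """TLS <= 1.2 suites offered, in server preference order.  OpenSSL 1.1.1+
    lists the TLS 1.3 suites first; they come from the separate ciphersuites
    list, not from set_ciphers(), so they are dropped here."""
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(suites):
    """Return the rules from the comment that this suite order violates."""
    findings = []
    for s in suites:
        if s["kea"] != "kx-ecdhe":
            findings.append(f"{s['name']}: key exchange {s['kea']} is not ECDHE")
        if s["symmetric"] and "des" in s["symmetric"]:
            findings.append(f"{s['name']}: 64-bit block cipher (Sweet32)")

    aead_idx = [i for i, s in enumerate(suites) if s["aead"]]
    cbc_idx = [i for i, s in enumerate(suites) if not s["aead"]]
    if aead_idx and cbc_idx and max(aead_idx) > min(cbc_idx):
        findings.append("a CBC suite is ranked above an AEAD suite")

    # Within the AEAD suites, ECDSA-authenticated ones must precede RSA ones.
    ecdsa = [i for i in aead_idx if suites[i]["auth"] == "auth-ecdsa"]
    rsa = [i for i in aead_idx if suites[i]["auth"] == "auth-rsa"]
    if ecdsa and rsa and max(ecdsa) > min(rsa):
        findings.append("an RSA AEAD suite is ranked above an ECDSA AEAD suite")

    # AES-128-GCM must precede AES-256-GCM for the same authentication type.
    for auth in ("auth-ecdsa", "auth-rsa"):
        first = {}
        for i, s in enumerate(suites):
            if s["auth"] == auth:
                first.setdefault(s["symmetric"], i)
        if ("aes-128-gcm" in first and "aes-256-gcm" in first
                and first["aes-128-gcm"] > first["aes-256-gcm"]):
            findings.append(f"{auth}: AES-256-GCM ranked above AES-128-GCM")
    return findings


def check(cipher_string):
    """Expand a cipher string with the hardened context and audit it."""
    return audit(tls12_suites(hardened_context(cipher_string)))


if __name__ == "__main__":
    for label, cs in (("recommended", RECOMMENDED), ("weak", WEAK)):
        names = [s["name"] for s in tls12_suites(hardened_context(cs))]
        print(label, names[:4], "...", "findings:", check(cs) or "none")
```

Run it on the machine that will serve TLS: the expansion depends on the OpenSSL version and build options, so a string that audits clean on one host can still expose something different on another. For the recommended string the first suite should be ECDHE-ECDSA-AES128-GCM-SHA256 and the SHA1 CBC suites should all trail the AEAD ones; `ALL` reports DHE/RSA key exchange and other findings.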
Discussed. We'll be dropping in https://wiki.mozilla.org/Security/Server_Side_TLS with a setting for which compatibility level to use.
Changes:
https://hg.prosody.im/trunk/rev/dfb29b5b0a57
https://hg.prosody.im/trunk/rev/9c794d5f6f8d
https://hg.prosody.im/trunk/rev/9591b838e3b0
https://hg.prosody.im/trunk/rev/b344edad61d3