Re: SSL: better default ciphersuite

On Thu, Dec 12, 2013 at 09:18:03PM -0500, Peter Eisentraut wrote:
> On Thu, 2013-12-12 at 12:30 +0200, Marko Kreen wrote:
> > First, if there is explicit wish to keep RC4/SEED in play, I'm fine
> > with "HIGH:MEDIUM:!aNULL" as new default. Clarity-wise, it's still
> > much better than current value. And this value will result *exactly*
> > same list in same order as current value.
>
> If we have to make a change, I'd go for that, but I'm not convinced that
> this is necessarily clearer.

Yeah, the clarity argument is getting thinner...

And my latest patch was for HIGH:MEDIUM:+3DES:!aNULL.

I still think it's better to have positive statements there -
"gimme this and that" - instad badly-named 'DEFAULT' and then
lot's of negatives applied to it. But it's not that straightforward
anymore - the "+3DES" breaks the "leave everything to OpenSSL" angle.

But we do need to change default suite list to have one that works
well with prefer-server-ciphers option, which means it should contain
at least the +3DES workaround. Client that don't want AES256 are
reasonable as AES256 does not have any practical advantages over AES128.

I don't think just reverting the default is good idea - we should then
add documentation to option that "if you flip this, add such fixes
to cipher list". Which seems silly.

And not documenting anything and just leaving matters to admins
seems bad idea too - they are not in better position to do such
research than we are now.

So I think we can pick good default, now, and everybody will benefit.

For fun, how to go overboard on the issue - Mozilla recommendations
for TLS setup on their infrastructure:

https://wiki.mozilla.org/Security/Server_Side_TLS

It also discusses various issues with TLS, so it's good read.

--
marko