Disable GREASE cipher suite


Horia Muntean

Jan 15, 2020, 2:36:58 PM
to Chromium-dev
Hi,

Is there any possibility to disable the GREASE entry (https://www.chromestatus.com/feature/6475903378915328) from being presented in the client cipher suite?
I did try the hint presented at https://www.wilderssecurity.com/threads/how-to-disable-chrome-browser-bundled-mitm-backdoor.413225/ - starting Chrome with the --cipher-suite-blacklist command line switch, but it does not seem to have any effect.

Thanks

Nick Harper

Jan 15, 2020, 2:40:39 PM
to horia....@gmail.com, Chromium-dev
No, there is no way to disable TLS GREASE in Chromium.

--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/1a6ed92f-09a7-4c8c-af62-fa0c80e1ce48%40chromium.org.

David Benjamin

Jan 15, 2020, 3:27:05 PM
to Nick Harper, horia....@gmail.com, Chromium-dev
Note GREASE ciphers are not actual cipher suites, just reserved values we insert into the ClientHello. There are no corresponding ciphers registered in the TLS implementation at all. If the goal is to remove unnecessary ciphers for security purposes, there's no reason to bother here. Indeed, the point of GREASE is so we can safely add new, more secure, cipher suites without compatibility consequences. See the IETF draft for more details.
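
Added example, not part of the thread and not Chromium code: a Python parser that separates the reserved GREASE values described above (the IETF draft was published as RFC 8701) from real cipher suites, extensions and versions in a ClientHello, and reports whether TLS 1.3 is offered. The sample bytes come from the hypothetical helper `build_sample()` and are constructed, not a capture.

```python
import struct

def is_grease(value: int) -> bool:
    """RFC 8701 reserves 0x0A0A, 0x1A1A, ..., 0xFAFA: equal bytes, low nibble 0xA."""
    return (value >> 8) == (value & 0xFF) and (value & 0x0F) == 0x0A

def u16_list(buf: bytes) -> list:
    return [v for (v,) in struct.iter_unpack("!H", buf)]

def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record that holds a complete, unfragmented ClientHello."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    try:
        # 5 record hdr + 4 handshake hdr + 2 legacy_version + 32 random = 43
        pos = 44 + record[43]                 # skip legacy_session_id
        (n,) = struct.unpack_from("!H", record, pos)
        suites = u16_list(record[pos + 2:pos + 2 + n])
        pos += 2 + n
        pos += 1 + record[pos]                # skip compression methods
        (ext_total,) = struct.unpack_from("!H", record, pos)
        pos, end = pos + 2, pos + 2 + ext_total
        ext_types, versions = [], []
        while pos < end:
            etype, elen = struct.unpack_from("!HH", record, pos)
            data = record[pos + 4:pos + 4 + elen]
            ext_types.append(etype)
            if etype == 43:                   # supported_versions: 1-byte list length first
                versions = u16_list(data[1:1 + data[0]])
            pos += 4 + elen
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc
    return {
        "grease_suites": [s for s in suites if is_grease(s)],
        "real_suites": [s for s in suites if not is_grease(s)],
        "grease_extensions": [e for e in ext_types if is_grease(e)],
        "grease_versions": [v for v in versions if is_grease(v)],
        "offers_tls13": 0x0304 in versions,
    }

def build_sample() -> bytes:
    """Constructed ClientHello (not a capture) with GREASE in suites, extensions, versions."""
    suites = struct.pack("!3H", 0x0A0A, 0x1301, 0xC02F)
    exts = struct.pack("!HH", 0x1A1A, 0)                               # empty GREASE extension
    exts += struct.pack("!HHB3H", 43, 7, 6, 0x2A2A, 0x0304, 0x0303)    # supported_versions
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Running `parse_client_hello` on the ClientHello of a failing and a working handshake shows side by side which GREASE values and which TLS versions each one offered.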

Horia Muntean

Jan 17, 2020, 6:55:48 PM
to Chromium-dev, nha...@chromium.org, horia....@gmail.com
Hi,

The purpose was to debug a broken TLS 1.3 handshake with a server that is not under our control, i.e. trying to send Client Hellos without GREASE and see if it makes any difference.
The handshake completed fine with Firefox, which does not use GREASE at the moment.
Chrome completed the handshake only when launched with '--ssl-version-max=tls1.2' (even if GREASE was present in the Client Hello but without TLS 1.3 cipher suites).
At first I thought the server had a problem, but it turned out the culprit was our Fortigate SSL inspection, because after suspending it Chrome's TLS 1.3 handshake completed.

Thank you all for your time.

