Remove SHA1 cipher suite


mate

May 20, 2022, 3:26:12 AM
to Security-dev
Since Chromium removed the TLS 1.0 and TLS 1.1 protocols, the cipher suites using HMAC-SHA1 are unnecessary, because TLS 1.2 added SHA-2 to the cipher suites.
I suggest removing these ciphers:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
And adding these ciphers:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256

Because some servers, such as Windows Server 2008 R2 and Windows Server 2012, although they can enable TLS 1.2, don't support GCM cipher suites with an RSA certificate; the best cipher suite these servers can use with an RSA certificate is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 or TLS_RSA_WITH_AES_256_GCM_SHA384.
Although HMAC-SHA1 isn't broken, SHA1 is broken.
I think taking action before it is destroyed is better.

Rohit Bhatia

May 20, 2022, 8:33:43 PM
to mate, David Benjamin, Security-dev
Hi

Thanks for reaching out. Adding David, who probably has a better understanding of the plan to deprecate these ciphers.

Thanks and Regards
Rohit


David Benjamin

May 24, 2022, 6:19:18 PM
to Rohit Bhatia, mate, Security-dev
Alas, it is not true that the cipher suites using HMAC-SHA-1 are unnecessary, as a small but still non-trivial portion of traffic still uses them. It would be good to get rid of them, but we're probably a ways off for now. (SHA-1 server signatures are also a higher priority use of our breakage budget for now.)

Regardless, HMAC-SHA-1 is not the problem with those ciphers. As you note, HMAC-SHA-1 is still fine. The real problem with those ciphers is actually CBC. All CBC mode cipher suites in TLS are broken because they ordered encryption and MAC incorrectly, making them vulnerable to the Lucky 13 attack. There's no sense in adding the CBC + HMAC-SHA-2 cipher suites when they're vulnerable to the same problems. We would want to deprecate them later in favor of AES-GCM anyway. Between CBC per-record IV and the large MACs, they're also the highest bandwidth overhead ciphers in all of TLS.

David
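The two points in the reply above, that swapping the HMAC hash does not take a suite out of the CBC (MAC-then-encrypt) class and that the CBC suites carry the most per-record overhead, can be checked mechanically. The following is an added example, not Chromium or BoringSSL code: it parses IANA-style suite names, flags the CBC suites in a candidate list, and computes the bytes each suite adds to one TLS 1.2 application-data record using the record framing from RFC 5246 (CBC with explicit IV, MAC, padding) and RFC 5288 (AES-GCM with 8-byte explicit nonce and 16-byte tag). The suite list and the 1400-byte record size are constructed for the example; the regex only covers AES suites.

```python
"""TLS 1.2 cipher-suite classifier and per-record overhead calculator.

Added example, not Chromium or BoringSSL code. It parses IANA-style suite
names, flags CBC (MAC-then-encrypt) suites, and computes the bytes each
suite adds to an application-data record under RFC 5246 / RFC 5288 framing.
"""
import math
import re
from dataclasses import dataclass

# Record-layer sizes from RFC 5246 (TLS 1.2) and RFC 5288 (AES-GCM for TLS).
RECORD_HEADER = 5       # content type (1) + version (2) + length (2)
AES_BLOCK = 16          # CBC block size; also the explicit per-record IV length
GCM_EXPLICIT_NONCE = 8  # explicit nonce sent in the clear with each GCM record
GCM_TAG = 16            # AEAD authentication tag
HMAC_LEN = {"SHA": 20, "SHA256": 32, "SHA384": 48}  # SHA-1, SHA-256, SHA-384

# Only AES suites are handled here; that is all this example needs.
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z_]+?)_WITH_AES_(?P<bits>128|256)_(?P<mode>CBC|GCM)_(?P<hash>SHA(?:256|384)?)$"
)


@dataclass(frozen=True)
class Suite:
    name: str
    key_exchange: str   # "ECDHE_RSA", "RSA", ...
    mode: str           # "CBC" or "GCM"
    record_mac: str     # HMAC hash for CBC suites, "AEAD" for GCM suites
    forward_secrecy: bool


def parse_suite(name: str) -> Suite:
    """Parse an IANA cipher-suite name (AES suites only in this example)."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"unsupported or malformed suite name: {name}")
    kx, mode = m.group("kx"), m.group("mode")
    # In GCM suites the trailing SHAxxx names the PRF hash, not a record MAC.
    record_mac = "AEAD" if mode == "GCM" else m.group("hash")
    return Suite(name, kx, mode, record_mac, kx.startswith(("ECDHE", "DHE")))


def record_size(suite: Suite, plaintext_len: int) -> int:
    """Total bytes on the wire for one application-data record."""
    if suite.mode == "CBC":
        # MAC-then-encrypt: the HMAC over the plaintext is appended, then one
        # padding-length byte plus padding up to a block boundary, and the
        # whole thing is CBC-encrypted behind an explicit 16-byte IV.
        body = plaintext_len + HMAC_LEN[suite.record_mac] + 1
        ciphertext = math.ceil(body / AES_BLOCK) * AES_BLOCK
        return RECORD_HEADER + AES_BLOCK + ciphertext
    # AES-GCM: no padding, 8-byte explicit nonce, 16-byte tag.
    return RECORD_HEADER + GCM_EXPLICIT_NONCE + plaintext_len + GCM_TAG


def overhead(suite_name: str, plaintext_len: int) -> int:
    """Bytes added beyond the plaintext for one record of the given size."""
    return record_size(parse_suite(suite_name), plaintext_len) - plaintext_len


def find_cbc_suites(names):
    """Return the suites that use CBC mode, i.e. the Lucky 13 class.

    Changing the HMAC hash (SHA -> SHA256/SHA384) does not move a suite out
    of this class; only an AEAD record protection (GCM here) does.
    """
    return [n for n in names if parse_suite(n).mode == "CBC"]


if __name__ == "__main__":
    # Constructed list: suites proposed for removal and addition in the
    # thread, plus the AES-GCM suites they would be compared against.
    CANDIDATES = [
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    ]
    print("CBC (MAC-then-encrypt) suites:")
    for n in find_cbc_suites(CANDIDATES):
        print("  ", n)
    print("\nPer-record overhead for a 1400-byte application-data record:")
    for n in CANDIDATES:
        s = parse_suite(n)
        print(f"  {n:45s} {s.mode:3s} mac={s.record_mac:6s} +{overhead(n, 1400)} bytes")
```

For a 1400-byte record the CBC-SHA suites add 45 bytes, CBC-SHA256 61 and CBC-SHA384 77 (16-byte IV, MAC, padding), against 29 for AES-GCM, and every suite in the proposed "add" list still lands in the CBC bucket. Note that the calculator models the record layer only; it says nothing about the handshake, which is where the SHA-1 server-signature issue mentioned above lives.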