Are there any ways to restrict cipher suites in DTLS handshake?


Konstantin Lopatkin

May 24, 2018, 3:29:47 AM
to discuss-webrtc
Hello,

We are developing a WebRTC-based application which is very demanding with regard to security.
When one of the applications tries to initiate a call, a DTLSv1.2 Client Hello is sent with the following cipher suites:

Cipher Suites (12 suites):
Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)


We would like to restrict 3DES, TLS_RSA and SHA1 suites if possible.

Are there any APIs that allow us to do so?


Thanks!

Harald Alvestrand

May 24, 2018, 3:44:20 AM
to WebRTC-discuss
No, there aren't.

Do you mean that you'd like 3DES, TLS_RSA and SHA1 to be removed from the cipher suite set?


--

---
You received this message because you are subscribed to the Google Groups "discuss-webrtc" group.
To unsubscribe from this group and stop receiving emails from it, send an email to discuss-webrtc+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/discuss-webrtc/64dc96b3-48b1-4a76-bcf4-b424985fa625%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Konstantin Lopatkin

May 24, 2018, 10:56:20 AM
to discuss-webrtc
Yes, that's what I mean.
Thanks for the quick reply.

On Thursday, May 24, 2018 at 10:44:20 UTC+3, Harald Alvestrand wrote:

Lennart Grahl

May 24, 2018, 7:29:47 PM
to discuss-webrtc
A note: The spec (I would have to look up which one of the IETF drafts :) ) only requires ECDHE-ECDSA-AES128-SHA and recommends ECDHE-ECDSA-AES128-GCM-SHA256.

Since you're concerned about SHA1: I'm not an expert in DTLS-SRTP but be aware that there is also the SRTP Protection Profile which in many cases will also offer to use SHA1.

Philipp Hancke

May 25, 2018, 4:01:35 PM
to WebRTC-discuss
As long as the other side supports something stronger than TLS_RSA, those cipher suites will not be used.

Given that Firefox has been enforcing cipher suites with perfect forward secrecy since 2015 it is somewhat silly for Chrome to keep on supporting those cipher suites you want to remove so I filed https://bugs.chromium.org/p/chromium/issues/detail?id=845506 recently. Star that bug to keep updated on progress.

You can also use the getStats API to discover the cipher suite that ends up being used.

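The getStats check suggested in the post above, together with the earlier note about the SRTP protection profile, as an added example that is not part of the original thread. It assumes the standard `transport` stats fields `dtlsCipher` and `srtpCipher`; the function names, rule lists and sample reports are constructed for illustration.

```javascript
// Added example: audit negotiated DTLS/SRTP ciphers reported by getStats().
// Policy from the thread: no 3DES, no static-RSA (TLS_RSA_*), no SHA-1.
const DTLS_RULES = [
  [/3DES/, '3DES bulk cipher'],
  [/^TLS_RSA_WITH_/, 'static RSA key exchange (no forward secrecy)'],
  [/_SHA$/, 'HMAC-SHA1 record MAC'], // "_SHA256"/"_SHA384" do not match
];
// Matches both "AES_CM_128_HMAC_SHA1_80" and "SRTP_AES128_CM_HMAC_SHA1_80".
const SRTP_RULES = [[/HMAC_SHA1/, 'HMAC-SHA1 SRTP authentication']];

function violations(name, rules) {
  return rules.filter(([re]) => re.test(name)).map(([, why]) => why);
}

// `report` is an RTCStatsReport or any Map of stats objects.
// Returns one finding per "transport" entry; other stats types are ignored.
function auditTransports(report) {
  const findings = [];
  report.forEach((s) => {
    if (s.type !== 'transport') return;
    const problems = s.dtlsCipher
      ? violations(s.dtlsCipher, DTLS_RULES)
      : ['DTLS cipher not reported (handshake not finished)'];
    if (s.srtpCipher) problems.push(...violations(s.srtpCipher, SRTP_RULES));
    findings.push({ id: s.id, dtlsCipher: s.dtlsCipher || null,
                    srtpCipher: s.srtpCipher || null,
                    ok: problems.length === 0, problems });
  });
  return findings;
}

// Constructed sample reports (not captured from a real call).
const weakReport = new Map([
  ['T1', { id: 'T1', type: 'transport', dtlsState: 'connected',
           dtlsCipher: 'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
           srtpCipher: 'AES_CM_128_HMAC_SHA1_80' }],
  ['C1', { id: 'C1', type: 'candidate-pair', state: 'succeeded' }],
]);
const strongReport = new Map([
  ['T1', { id: 'T1', type: 'transport', dtlsState: 'connected',
           dtlsCipher: 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
           srtpCipher: 'AEAD_AES_128_GCM' }],
]);

// In a browser, with an existing RTCPeerConnection `pc` (assumed):
//   const bad = auditTransports(await pc.getStats()).filter((f) => !f.ok);
console.log(JSON.stringify(auditTransports(weakReport), null, 2));
console.log(auditTransports(strongReport)[0].ok);
```

Because the cipher suite offer itself cannot be restricted through an API, this check runs after the handshake; an application with a strict policy can close the connection when a finding is not `ok`.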

Uttam Kadam

May 25, 2018, 4:08:25 PM
to discuss...@googlegroups.com
Hi All

Is there any provider who can provide a stable platform (which supports all the latest platforms on different browsers, including Android and iOS)?

Regards,
Uttam Kadam





--
Uttam Kadam 
Technical Architect
Boston Byte LLC
Contact : +91 9096231989
Mail       :   uttam...@bostonbyte.com
Website : www.bostonbyte.com

Konstantin Lopatkin

May 28, 2018, 3:45:02 AM
to discuss-webrtc
Are there any references about 3DES and TLS_RSA in the spec?

On Friday, May 25, 2018 at 2:29:47 UTC+3, Lennart Grahl wrote:

Harald Alvestrand

May 28, 2018, 4:40:20 AM
to WebRTC-discuss
No - they came "for free" when we referenced the default SSL APIs in Chrome.

