Cipher suite oddity


Brian Candler

Jan 9, 2024, 5:10:14 PM
to golang-nuts
Something was just pointed out to me(*) that I don't understand:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA is in tls.CipherSuites()
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 is in tls.InsecureCipherSuites()

Why is the SHA256 variant considered "insecure", but the SHA (presumably SHA1) variant "secure"?

Are these actually different cipher suites but with confusingly similar names?

Brian Candler

Jan 10, 2024, 4:07:57 AM
to golang-nuts
https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA/ (hex code 0xC0, 0x13)
https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256/ (hex code 0xC0, 0x27)
describes both as "weak", and at first glance there are fewer issues with the SHA256 variant as the hash is fixed.

But there's a comment in the (private) cipherSuitesPreferenceOrder in src/crypto/tls/cipher_suites.go:

//   - Anything else comes before CBC_SHA256
//
//     SHA-256 variants of the CBC ciphersuites don't implement any Lucky13
//     countermeasures. See http://www.isg.rhul.ac.uk/tls/Lucky13.html and

(the first link is broken BTW).  So I guess this could be why TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 didn't make the cut into "CipherSuites", whilst TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA did?
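As an added example (not from this thread or from the Go project's own code), a small Go program that looks a suite ID up in tls.CipherSuites() and tls.InsecureCipherSuites(), and audits an explicit tls.Config.CipherSuites list so a review catches the CBC_SHA256 variants the cipher_suites.go comment flags. It assumes Go 1.14 or later, where those two functions exist; SuiteStatus, Classify and AuditConfig are names chosen here.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// SuiteStatus records how crypto/tls classifies one cipher suite ID.
type SuiteStatus struct {
	ID       uint16
	Name     string
	Insecure bool // true when the ID is in tls.InsecureCipherSuites()
	Known    bool // false when the ID is in neither list
}

// Classify looks an ID up in tls.CipherSuites() first, then tls.InsecureCipherSuites().
func Classify(id uint16) SuiteStatus {
	for _, s := range tls.CipherSuites() {
		if s.ID == id {
			return SuiteStatus{ID: id, Name: s.Name, Known: true}
		}
	}
	for _, s := range tls.InsecureCipherSuites() {
		if s.ID == id {
			return SuiteStatus{ID: id, Name: s.Name, Insecure: true, Known: true}
		}
	}
	// CipherSuiteName falls back to a hex string for IDs Go does not implement.
	return SuiteStatus{ID: id, Name: tls.CipherSuiteName(id)}
}

// AuditConfig returns the entries of an explicit tls.Config.CipherSuites list
// that Go classes as insecure (e.g. the CBC_SHA256 suites) or does not implement.
func AuditConfig(cfg *tls.Config) []string {
	var flagged []string
	for _, id := range cfg.CipherSuites {
		if st := Classify(id); st.Insecure || !st.Known {
			flagged = append(flagged, st.Name)
		}
	}
	return flagged
}

func main() {
	ids := []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256}
	for _, id := range ids {
		st := Classify(id)
		fmt.Printf("0x%04x %-40s insecure=%v\n", st.ID, st.Name, st.Insecure)
	}
}
```

Running it prints 0xc013 as not insecure and 0xc027 as insecure, matching the two lists quoted above; AuditConfig is the check to run over any hand-written CipherSuites list.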