SSL Ciphers and protocols

From UnrealIRCd documentation wiki

You can configure the permitted SSL/TLS protocols and ciphers using set::ssl::protocols, set::ssl::ciphers and set::ssl::options::ciphersuites. To override these global options for a specific listener or server link, use listen::ssl-options or link::ssl-options.

Default configuration

Below we describe the default configuration. If you want enhanced security (at the cost of client compatibility!) see the "More secure setting" section below.

Protocols

UnrealIRCd 4 never permits SSLv2 and SSLv3 connections. The default setting for set::ssl::protocols allows TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3 (when available).

Ciphers

The default setting for UnrealIRCd 4.2.2 and higher for set::ssl::ciphers is:

EECDH+CHACHA20 EECDH+AESGCM EECDH+AES AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256 AES256-SHA AES128-SHA

Specifically for TLSv1.3, since UnrealIRCd 4.0.19, there is a separate option called set::ssl::ciphersuites and the default is:

TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256

Curves

Starting with UnrealIRCd 4.0.18, the ECDH(E) curves are set via set::ssl::ecdh-curves to: X25519 (if available), secp521r1, secp384r1 and prime256v1.

Rationale

The default configuration is based on the Mozilla SSL Configuration Generator 'Intermediate' compatibility profile and two other major sources. The rationale behind this is as follows:

  • Maintain compatibility with older clients out of the box (if you don't need this, then check out the "More secure setting" section below)
  • Prefer PFS
  • Prefer ChaCha20/Poly1305 over AES because it's resistant against timing attacks even in software implementations
  • Prefer AES256 over AES128
  • Prefer Authenticated encryption such as GCM over CBC due to the various CBC attacks in the past and likely in the future.
  • As for the curves, we prefer X25519 because it is a fast and securely chosen curve from Bernstein, then secp521r1 (least suspicious NIST curve), and finally secp384r1 and prime256v1.

This deviates from the Mozilla intermediate compatibility profile in some aspects:

  • The Mozilla intermediate profile prefers AES128 over AES256 for reasons of performance and because of unclear security benefits
  • The Mozilla intermediate profile also permits 3DES, we do not
  • Curves: we use stronger and less suspicious curves compared to the Mozilla profiles (which don't even set any curves in the intermediate profile and set only NIST curves in Modern)

Result

With OpenSSL 1.1.0 this results in (output from cipherscan):

prio  ciphersuite                  protocols              pfs                 curves
1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
3     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
4     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
5     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
6     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
7     AES256-GCM-SHA384            TLSv1.2                None                None
8     AES128-GCM-SHA256            TLSv1.2                None                None
9     AES256-SHA256                TLSv1.2                None                None
10    AES128-SHA256                TLSv1.2                None                None
11    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
12    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None

NOTE: TLS 1.3 is also supported in UnrealIRCd. It is not listed in the above result simply because the cipherscan tool does not test for it at the moment[1].

As said, we need to provide compatibility out of the box so we still permit non-PFS ciphersuite selection, CBC mode and SHA1.

Over time the default ciphers, protocols and curves list in UnrealIRCd will be adjusted.

More secure setting

If you don't need compatibility with older clients/libraries then use a setting like this:

set {
    ssl {
        protocols "All,-TLSv1,-TLSv1.1"; /* allow only TLSv1.2 and up */
        ciphers "EECDH+CHACHA20 EECDH+AESGCM EECDH+AES+SHA384 EECDH+AES+SHA256";
        /* no need to set a ciphersuite "xx"; for TLSv1.3, since it's already secure */
    };
};

Unfortunately this will prevent some (rather old) clients from connecting. Also, UnrealIRCd 3.2.x servers would be unable to link to this 4.x server.
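The following added example (not part of the UnrealIRCd documentation) classifies the cipherscan rows shown under Result by the properties the Rationale discusses, then applies a simplified model of the hardened set::ssl block to show which suites remain. The matching rule in survives_hardened is an assumption that approximates OpenSSL's cipher-string selection for this table only.

```python
# Rows copied from the page's cipherscan output: name, protocols, pfs column.
CIPHERSCAN_ROWS = """\
ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-521,521bits
ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-521,521bits
ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-521,521bits
ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-521,521bits
ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-521,521bits
ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-521,521bits
AES256-GCM-SHA384            TLSv1.2                None
AES128-GCM-SHA256            TLSv1.2                None
AES256-SHA256                TLSv1.2                None
AES128-SHA256                TLSv1.2                None
AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None
AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None
"""

def classify(line):
    """Turn one cipherscan row into the properties the Rationale section cares about."""
    name, protocols, pfs = line.split()
    return {
        "name": name,
        "protocols": protocols.split(","),
        "pfs": pfs != "None",                          # ephemeral ECDH key exchange
        "aead": "GCM" in name or "CHACHA20" in name,   # otherwise CBC in this table
        "sha1_mac": name.endswith("-SHA"),             # HMAC-SHA1 suites
    }

def survives_hardened(row):
    """Simplified model (assumption, not OpenSSL's matcher) of the hardened block:
    ECDHE key exchange only, AEAD or a SHA-256/SHA-384 MAC, offered on TLSv1.2."""
    return row["pfs"] and not row["sha1_mac"] and "TLSv1.2" in row["protocols"]

def audit(text=CIPHERSCAN_ROWS):
    """Group suite names by weakness and list what the hardened setting keeps."""
    rows = [classify(line) for line in text.splitlines() if line.strip()]
    return {
        "non_pfs": [r["name"] for r in rows if not r["pfs"]],
        "cbc": [r["name"] for r in rows if not r["aead"]],
        "sha1": [r["name"] for r in rows if r["sha1_mac"]],
        "legacy_proto": [r["name"] for r in rows if "TLSv1" in r["protocols"]],
        "hardened": [r["name"] for r in rows if survives_hardened(r)],
    }

if __name__ == "__main__":
    for key, names in audit().items():
        print(f"{key:13} {len(names):2}  {' '.join(names)}")
```

Running cipherscan again after changing the configuration is still the authoritative check, since the suites actually offered depend on the OpenSSL/LibreSSL build.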

History

  • Prior to UnrealIRCd 4.0.7, if you did not have a cipher setting, it was left up to your OS/Distro (and ultimately OpenSSL/LibreSSL build parameters) as to which algorithms were enabled. In practice this often meant ciphers such as RC4 and 3DES were enabled, which is discouraged today.
  • In UnrealIRCd 4.0.14 the cipher list was updated to include TLSv1.3 ciphers. This means as soon as you upgrade your OpenSSL to a version which supports TLSv1.3, UnrealIRCd will be able to use it.
  • In UnrealIRCd 4.0.18 support was added for setting the ECDH(E) curves via the ecdh-curves option and a default was set. Previously this was left to the SSL library with a fallback to P-256.
  • In UnrealIRCd 4.0.19 support for cipher setting for TLSv1.3 was changed to match OpenSSL specifics.
  • In UnrealIRCd 4.2.2 we reordered AES-128 and AES-256. In practice, most clients (by far) already negotiated either CHACHA20 or AES-256, but now in the remaining case (non-PFS) we prefer AES-256 as well.