TLS Ciphers and protocols

From UnrealIRCd documentation wiki

You can configure the permitted SSL/TLS protocols and ciphers using set::tls::protocols, set::tls::ciphers and set::tls::ciphersuites. To override these global options for a specific listener or link, use listen::tls-options or link::tls-options.

Default configuration

Below we describe the default configuration. If you want enhanced security (at the cost of client compatibility!), see "More secure setting" below.

Protocols

The default setting for set::tls::protocols allows TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3 (when available). UnrealIRCd never permits SSLv2 and SSLv3 connections (and it is not possible to allow these).

Ciphers

The default setting for set::tls::ciphers is:

EECDH+CHACHA20 EECDH+AESGCM EECDH+AES AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256 AES256-SHA AES128-SHA

And for TLSv1.3, the default set::tls::ciphersuites is:

TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256

Curves

The ECDH(E) curves are set via set::tls::ecdh-curves. By default it uses: X25519 (if available), secp521r1, secp384r1 and prime256v1.

Rationale

The default configuration is based on the Mozilla SSL Configuration Generator 'Intermediate' compatibility profile and two other major sources. The rationale behind this is as follows:

  • Maintain compatibility with older clients out of the box (if you don't need this, then check out "More secure setting" below)
  • Prefer PFS
  • Prefer ChaCha20/Poly1305 over AES because it's resistant against timing attacks even in software implementations
  • Prefer AES256 over AES128
  • Prefer authenticated encryption such as GCM over CBC, due to the various CBC attacks in the past and likely in the future
  • As for the curves, we prefer X25519 because it is a fast and securely chosen curve from Bernstein, then secp521r1 (least suspicious NIST curve), and finally secp384r1 and prime256v1.

This deviates from the Mozilla intermediate compatibility profile in some aspects:

  • The Mozilla intermediate profile prefers AES128 over AES256 for reasons of performance and because of unclear security benefits
  • The Mozilla intermediate profile also permits 3DES, we do not
  • Curves: we use stronger and less suspicious curves compared to the Mozilla profiles (which don't even set any curves in the intermediate profile and only NIST curves in Modern)

Result

With OpenSSL 1.1.0 this results in (output from cipherscan):

prio  ciphersuite                  protocols              pfs                 curves
1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
3     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
4     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
5     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
6     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
7     AES256-GCM-SHA384            TLSv1.2                None                None
8     AES128-GCM-SHA256            TLSv1.2                None                None
9     AES256-SHA256                TLSv1.2                None                None
10    AES128-SHA256                TLSv1.2                None                None
11    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
12    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None

NOTE: TLS 1.3 is also supported in UnrealIRCd. It is not listed in the above result simply because the cipherscan tool does not test for it at the moment[1].

As said, we need to provide compatibility out of the box so we still permit non-PFS ciphersuite selection, CBC mode and SHA1.

Over time the default ciphers, protocols and curves list in UnrealIRCd will be adjusted.

More secure setting

If you don't need compatibility with older clients/libraries then use a setting like this:

set {
    tls {
        protocols "All,-TLSv1,-TLSv1.1"; /* allow only TLSv1.2 and up */
        ciphers "EECDH+CHACHA20 EECDH+AESGCM EECDH+AES+SHA384 EECDH+AES+SHA256";
        /* no need to set a ciphersuite "xx"; for TLSv1.3, since it's already secure */
    };
};

Unfortunately this will prevent some (rather old) clients from connecting. Also, UnrealIRCd 3.2.x servers would be unable to link to this 4.x server.
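
An added example (not part of the UnrealIRCd documentation): a small Python audit over the cipherscan rows from the Result table above, tagging each suite with the weaknesses this page names (no PFS, CBC mode, SHA1, offered on TLSv1/TLSv1.1) and marking which suites remain under the more secure setting. The classification is a name-based approximation valid for the suites in this table, not OpenSSL's own cipher-string evaluation, and the function names are hypothetical.

```python
# Input: the cipherscan rows shown in the "Result" section, embedded so this runs offline.
CIPHERSCAN_OUTPUT = """\
prio  ciphersuite                  protocols              pfs                 curves
1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
3     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
4     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
5     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
6     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
7     AES256-GCM-SHA384            TLSv1.2                None                None
8     AES128-GCM-SHA256            TLSv1.2                None                None
9     AES256-SHA256                TLSv1.2                None                None
10    AES128-SHA256                TLSv1.2                None                None
11    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
12    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
"""

LEGACY = {"TLSv1", "TLSv1.1"}            # protocols the hardened setting disables
AEAD_TAGS = ("GCM", "CCM", "CHACHA20")   # OpenSSL names without these are CBC here

def parse_rows(text):
    """Parse cipherscan's 5-column table into dicts (header line skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) == 5:
            rows.append({"name": f[1], "protocols": set(f[2].split(",")), "pfs": f[3] != "None"})
    return rows

def findings(row):
    """Return the compatibility trade-offs this suite carries, by label."""
    checks = [
        ("no-PFS", not row["pfs"]),
        ("CBC", not any(t in row["name"] for t in AEAD_TAGS)),
        ("SHA1-MAC", row["name"].endswith("-SHA")),
        ("legacy-protocol", bool(LEGACY & row["protocols"])),
    ]
    return [label for label, hit in checks if hit]

def survives_hardened(row):
    # Approximates the hardened cipher string: ECDHE key exchange only, no SHA1 MAC.
    return row["pfs"] and not row["name"].endswith("-SHA")

if __name__ == "__main__":
    for row in parse_rows(CIPHERSCAN_OUTPUT):
        status = "kept" if survives_hardened(row) else "dropped"
        print(f"{row['name']:<28} {status:<8} {', '.join(findings(row)) or 'ok'}")
```

Running it against fresh cipherscan output from your own server shows at a glance which clients' suites you would cut off by switching to the hardened block.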

History

See also: Moving users to TLS

  • Prior to UnrealIRCd 4.0.7, if you did not have a cipher setting it was left up to your OS/Distro (and ultimately OpenSSL/LibreSSL build parameters) as to which algorithms were enabled. In practice this often meant ciphers such as RC4 and 3DES were enabled, which is discouraged today.
  • In UnrealIRCd 4.0.14 the cipher list was updated to include TLSv1.3 ciphers. This means as soon as you upgrade your OpenSSL to a version which supports TLSv1.3, UnrealIRCd will be able to use it.
  • In UnrealIRCd 4.0.18 support was added for setting the ECDH(E) curves via the ecdh-curves option and a default was set. Previously this was left to the SSL library with a fallback to P-256.
  • In UnrealIRCd 4.0.19 support for cipher setting for TLSv1.3 was changed to match OpenSSL specifics.
  • In UnrealIRCd 4.2.2 we reordered AES-128 and AES-256. In practice, most clients (by far) already negotiated either CHACHA20 or AES-256, but now in the remaining case (non-PFS) we prefer AES-256 as well.
  • In UnrealIRCd 5.0.0 there were no changes, but we did change the default generated certificate from RSA-4096 to secp384r1.