[Cryptography] TLS anon-(EC)DH
Viktor Dukhovni
cryptography at dukhovni.org
Tue Jan 14 11:10:15 EST 2014
On Tue, Jan 14, 2014 at 09:21:55AM +0000, Stephen Farrell wrote:
> TLS has always included anon-dh ciphersuites, going back to 1996
> at least. [1] It could be interesting to think about why fewer
> protocols wanted to use that, and why it's not been implemented
> and deployed widely, but it's in the protocol and always has been.
Postfix uses anonymous cipher-suites by default when opportunistic
TLS is enabled, though in practice one still needs a self-signed
certificate as not all other client MTAs enable ADH/AECDH (even
though they generally make no use of the certificate they insisted on).
One annoyance is that there are no updated anonymous AECDH
cipher-suites with TLS 1.2. If one wants SHA2 or AEAD one needs
to use ADH rather than AECDH, but with no means to negotiate prime
sizes, and performance disadvantages relative to AECDH at reasonable
strengths, ADH is sub-optimal.
$ openssl ciphers -v aNULL+kEECDH
AECDH-AES256-SHA SSLv3 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
AECDH-DES-CBC3-SHA SSLv3 Kx=ECDH Au=None Enc=3DES(168) Mac=SHA1
AECDH-AES128-SHA SSLv3 Kx=ECDH Au=None Enc=AES(128) Mac=SHA1
AECDH-RC4-SHA SSLv3 Kx=ECDH Au=None Enc=RC4(128) Mac=SHA1
AECDH-NULL-SHA SSLv3 Kx=ECDH Au=None Enc=None Mac=SHA1
$ openssl ciphers -v aNULL+kEDH+TLSv1.2
ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD
ADH-AES256-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(256) Mac=SHA256
ADH-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=None Enc=AESGCM(128) Mac=AEAD
ADH-AES128-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(128) Mac=SHA256
IIRC Nico Williams tried to raise this issue for me on the TLS WG
mailing list, but did not get much support. Any chance you're
willing to help? I think the AECDH cipher-suites deserve some more
TLC.
--
Viktor.
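The gap Viktor describes (anonymous ECDH suites stuck at SHA-1 while only the DH ones got SHA-2/AEAD variants) is easy to see by hand in the two listings above, but it is also easy to check mechanically against whatever OpenSSL build you actually have. The script below is an added example, not code from the message, from Postfix or from OpenSSL: it parses the `openssl ciphers -v` line format, keeps only `Au=None` suites, groups them by key exchange, and reports which key exchanges offer anonymous suites with no SHA-2 or AEAD MAC at all. The embedded sample is constructed from the nine lines quoted in the message plus one authenticated ECDHE-RSA line added to show that non-anonymous suites are filtered out; `run_openssl_ciphers()` fetches live output if `openssl` is on the path.

```python
"""Audit `openssl ciphers -v` output for anonymous (Au=None) suites.

Added example; not part of the original message. Constructed sample input
below reproduces the listings quoted in the message plus one authenticated
suite so the Au=None filter is exercised.
"""
import re
import subprocess
from collections import defaultdict

# Constructed sample: the nine Au=None lines from the message, plus one
# ECDHE-RSA line (authenticated) that the audit must ignore.
SAMPLE = """\
AECDH-AES256-SHA SSLv3 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
AECDH-DES-CBC3-SHA SSLv3 Kx=ECDH Au=None Enc=3DES(168) Mac=SHA1
AECDH-AES128-SHA SSLv3 Kx=ECDH Au=None Enc=AES(128) Mac=SHA1
AECDH-RC4-SHA SSLv3 Kx=ECDH Au=None Enc=RC4(128) Mac=SHA1
AECDH-NULL-SHA SSLv3 Kx=ECDH Au=None Enc=None Mac=SHA1
ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD
ADH-AES256-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(256) Mac=SHA256
ADH-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=None Enc=AESGCM(128) Mac=AEAD
ADH-AES128-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
"""

# One `openssl ciphers -v` line: NAME VERSION Kx=.. Au=.. Enc=.. Mac=..
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<version>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

# MACs that count as "updated" in the sense of the message: SHA-2 HMACs or AEAD.
MODERN_MACS = {"AEAD", "SHA256", "SHA384"}


def parse_ciphers(text):
    """Parse `openssl ciphers -v` output into a list of dicts; skip malformed lines."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(m.groupdict())
    return suites


def anonymous_by_kx(suites):
    """Group Au=None suites by key exchange, split by MAC generation."""
    groups = defaultdict(lambda: {"legacy_mac": [], "modern_mac": []})
    for s in suites:
        if s["au"] != "None":
            continue  # authenticated suite: not what we are auditing
        bucket = "modern_mac" if s["mac"] in MODERN_MACS else "legacy_mac"
        groups[s["kx"]][bucket].append(s["name"])
    return dict(groups)


def missing_modern_anon_kx(suites):
    """Key exchanges whose anonymous suites exist only with legacy (SHA-1) MACs."""
    groups = anonymous_by_kx(suites)
    return sorted(kx for kx, g in groups.items()
                  if g["legacy_mac"] and not g["modern_mac"])


def null_encryption_suites(suites):
    """Anonymous suites that also give no confidentiality (Enc=None)."""
    return [s["name"] for s in suites if s["au"] == "None" and s["enc"] == "None"]


def run_openssl_ciphers(spec="aNULL"):
    """Fetch live output; `spec` is an OpenSSL cipher string such as the page's aNULL."""
    out = subprocess.run(["openssl", "ciphers", "-v", spec],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    try:
        text = run_openssl_ciphers()
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE  # no openssl on the path: fall back to the constructed sample
    suites = parse_ciphers(text)
    for kx, g in sorted(anonymous_by_kx(suites).items()):
        print(f"Kx={kx}: {len(g['modern_mac'])} SHA-2/AEAD, {len(g['legacy_mac'])} SHA-1 only")
    print("anonymous Kx lacking any SHA-2/AEAD suite:", missing_modern_anon_kx(suites))
    print("anonymous suites with Enc=None:", null_encryption_suites(suites))
```

On the sample this reports `Kx=DH` with four SHA-2/AEAD suites and none SHA-1-only, `Kx=ECDH` with five SHA-1-only suites and no SHA-2/AEAD ones, so `ECDH` is the one key exchange flagged; it also flags `AECDH-NULL-SHA`, which an opportunistic-TLS deployment should exclude regardless of the authentication question since it provides no confidentiality.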