| Author |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7294
Location: Germany, Next to Hamburg
|
 Posted: Fri 06 Nov '15 15:53 Post subject: |
 |
|
it is true that these browsers use the 256 bit cypher, but not HTTP/2 in that case. For now it is 256 bit or HTTP/2.
As I wrote: I want both  |
|
| Back to top |
|
o6asan
Joined: 27 Aug 2015
Posts: 44
Location: Japan, Fukuoka
|
| Posted: Fri 06 Nov '15 16:58 Post subject: |
|
|
| James Blond wrote: | it is true that these browsers use the 256 bit cypher, but not HTTP/2 in that case. For now it is 256 bit or HTTP/2.
As I wrote: I want both |
I installed HTTP/2 and SPDY indicator to Chrome and Firefox. When I access my site by them, they display blue indicator on the address bar.
By F12 on Windows10, we can see the protocol which the IE actually use.
They are an evidence, aren't they?
Apache hasn't showed HTTP/2.0 on its log, yet. I knew about it when I set to deny HTTP/1.0 on the htaccess. So, at this point we cannot know that web browsers use HTTP/2 or not by Apache.
What way do you take to check browsers use HTTP/2 or not? |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7294
Location: Germany, Next to Hamburg
|
| Posted: Fri 06 Nov '15 18:07 Post subject: |
|
|
I used your settings from your blog. And I use the SPDY indicator as well. Sure it uses the mod_http2 but only 128 bit encryption.
I doubt that you can do HTTP/2 and 256 bit. However if you can prove if with a link that I can test then I would be very glad and would like to have the working config. |
|
| Back to top |
|
o6asan
Joined: 27 Aug 2015
Posts: 44
Location: Japan, Fukuoka
|
| Posted: Fri 06 Nov '15 19:44 Post subject: |
|
|
I don't know how to get the actual cipher when I use IE11.
So, the following cipher I got from ssl_request.log.
| Quote: | | IE11 on Windows10 x86 uses ECDHE-RSA-AES256-GCM-SHA384. |
When I accessed my site by IE11 on Windows10, the cipher was left on the log. At the same time I saw the protocol by F12, which was HTTP/2.
By the way, Steffen wrote Apache httpd 2.4.18-dev available (updated mod-http2).
Its Changelog says:
| Quote: | | *) 'HTTP/2.0' is written in log files when requests are served via mod_http2. |
It might be useful. |
|
| Back to top |
|
Jan-E
Joined: 09 Mar 2012
Posts: 1248
Location: Amsterdam, NL, EU
|
| Posted: Fri 15 Jan '16 7:22 Post subject: Re: Any chance to have a 256 cipher for http2 ? |
|
|
| James Blond wrote: | | is there any chance to have a 256 cipher instead of ECDHE-RSA-AES128-GCM-SHA256 ? |
Actually, there is one that is supported by Chrome, but not by Firefox: ECDHE-RSA-CHACHA20-POLY1305:
| Code: | _SERVER["SSL_CIPHER_USEKEYSIZE"] 256
_SERVER["SSL_CIPHER"] ECDHE-RSA-CHACHA20-POLY1305 |
The bummer: it can only be compiled in X86 for Windows. I did this for VC9 and VC14. x64 builds failed for VC11 and VC14. The reason can be found here:
https://codereview.chromium.org/27510015/diff/207001/nss/lib/freebl/chacha20/chacha20_vec.c#newcode19 (open the 3 messages)
| Quote: | | This file and poly1305-donna-x64-sse2-incremental-source.c don't compile on Windows when targeting x64. |
The problem line is this one:
https://github.com/PeterMosmans/openssl/blob/1.0.2-chacha/crypto/chacha/chacha_vec.c#L67
However, there are MingW x64 binaries available:
http://www.onwebsecurity.com/cryptography/openssl
My x86 builds:
https://phpdev.toolsforresearch.com/openssl-1.0.2e-chacha-fips-2.4.18-x86-vc14.zip
https://phpdev.toolsforresearch.com/openssl-1.0.2e-chacha-fips-2.4.18-x86-vc9.zip
Out of a habit I compiled with FIPS support, but the compilation of a fork is not FIPS compliant. Besides that: if you configure Apache with 'SSLFIPS on' the ChaCha20 ciphers are excluded.
My SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
Note the absence of ECDHE-RSA-AES128-GCM-SHA256!
SSLLabs reports this about Firefox:
Firefox 42 / OS X
Server negotiated HTTP/2 with blacklisted suite
TLS 1.2 > h2
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Firefox 43 on Windows chooses ECDHE-RSA-AES256-SHA ,without HTTP/2 support.
Well, the RFC does not mention the ChaCha20 ciphers.
Last edited by Jan-E on Sat 16 Jan '16 23:03; edited 2 times in total |
|
| Back to top |
|
Jan-E
Joined: 09 Mar 2012
Posts: 1248
Location: Amsterdam, NL, EU
|
| Posted: Fri 15 Jan '16 7:32 Post subject: |
|
|
You'll have to choose between HTTP/2 support for Firefox or 256-bits only. If you include ECDHE-RSA-AES128-GCM-SHA256 after ECDHE-RSA-CHACHA20-POLY1305, Chrome goes for ChaCha and Firefox for the 128-bits GCM.
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA
BTW. I was inspired by https://www.ssllabs.com/ssltest/analyze.html?d=moneromerchant.com&s=104.28.23.243
| Quote: | | This server prefers ChaCha20 suites with clients that don't have AES-NI (e.g., Android devices) |
The strange thing is that SSLlabs reports support for TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 at moneromerchant.com. That should be ECDHE-ECDSA-CHACHA20-POLY1305. This cipher is in my ssleay32.dll and 1st in my ciphersuite, but SSLLabs does not report it. Is that cipher excluded by Apache?
Edit Found the answer on page 13 of http://csrc.nist.gov/groups/ST/ecc-workshop-2015/presentations/session2-andrews-rick.pdf
To support ECDHE-ECDSA-CHACHA20-POLY1305 I will need to install a DSA certificate:
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#comment_970 |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7294
Location: Germany, Next to Hamburg
|
| Posted: Fri 15 Jan '16 13:25 Post subject: |
|
|
I don't think that it is an apache thing.
I run C:\Users\mario\Apache24\bin>openssl ciphers
and don't see any POLY. ( see http://pastebin.com/KRj25gmQ ) |
|
| Back to top |
|
Jan-E
Joined: 09 Mar 2012
Posts: 1248
Location: Amsterdam, NL, EU
|
| Posted: Fri 15 Jan '16 19:43 Post subject: |
|
|
Try the openssl.exe in one of my builds (3 messages before this one) and you will find:
| Code: | C:\>OpenSSL version
OpenSSL 1.0.2-chacha (1.0.2f-fips-dev)
C:\>OpenSSL ciphers -v
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ChaCha20(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=ChaCha20(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=ChaCha20(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
et cetera |
https://gist.github.com/Jan-E/a4cdeeea21e9d017fa43
Maybe you have seen Reindl Harald's comment in the Apache devel mailing list:
| Quote: | | given that AES is hardware accelerated (on client and server) these days (...) there is no compelling reason to prefer 256 bit (...) |
Anyway, you asked for a 256-bit cipher for http2 and I've found one for Chrome: ECDHE-RSA-CHACHA20-POLY1305 |
|
| Back to top |
|
Jan-E
Joined: 09 Mar 2012
Posts: 1248
Location: Amsterdam, NL, EU
|
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7294
Location: Germany, Next to Hamburg
|
| Posted: Sat 16 Jan '16 18:14 Post subject: |
|
|
| Can you please post perl Configure compiling line. Or do I just need your OSSL repo on github? Cause I wanna try it on linux, too. |
|
| Back to top |
|
Jan-E
Joined: 09 Mar 2012
Posts: 1248
Location: Amsterdam, NL, EU
|
| Posted: Sat 16 Jan '16 21:52 Post subject: |
|
|
Just use the original ChaCha repo:
https://github.com/PeterMosmans/openssl
I only made a fork of it, because I needed a tiny change (move a declaration to the beginning of the block) to make it compile with VC9 x86 (and with VC11 x86, I guess).
Building it is the same as with the normal OpenSSL sources. |
|
| Back to top |
|
Jan-E
Joined: 09 Mar 2012
Posts: 1248
Location: Amsterdam, NL, EU
|
| Posted: Fri 22 Jan '16 20:52 Post subject: |
|
|
| @James Blond: did you already find the time to test the ChaCha repo of OpenSSL on Linux? |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7294
Location: Germany, Next to Hamburg
|
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7294
Location: Germany, Next to Hamburg
|
| Posted: Mon 25 Jan '16 18:27 Post subject: |
|
|
| You can check on https:// vserver apachehaus de |
|
| Back to top |
|
Jan-E
Joined: 09 Mar 2012
Posts: 1248
Location: Amsterdam, NL, EU
|
| Posted: Thu 28 Jan '16 3:43 Post subject: |
|
|
Runs fine, appararently. Too bad that the ChaCha ciphers are only accepted by Chrome and Android 5, but it is a step ahead.
For the moment, I went back to the main OpenSSL with SSLFIPS on. I wanted to test that with mod_http2.so v1.2.3 and nghttp2 from trunk (with a new tag v1.7.0) before the OpenSSL update tomorrow.
Luckily I pulled mod_http2 v.1.2.3 and nghttp2 before github went down tonight:
https://status.github.com/
| Quote: | 1:36 UTC
We're working to address a widespread issue affecting all github.com services. |
Update | Quote: | 2:29 UTC
The site is recovering. We're continuing to monitor the situation. |
nghttp2 has a new release v1.7.0, but some speed improvements (base64, percent encoding) afterwards:
https://github.com/tatsuhiro-t/nghttp2/commits/master |
|
| Back to top |
|
Jan-E
Joined: 09 Mar 2012
Posts: 1248
Location: Amsterdam, NL, EU
|
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7294
Location: Germany, Next to Hamburg
|
| Posted: Sat 26 Nov '16 10:03 Post subject: |
|
|
Can you post that config? Or did you change something in the OpenSSL Code?
I think using SSLCipherSuite is the way to disable certain offered cyphers.
| Code: |
SSLHonorCipherOrder On
SSLCipherSuite ... |
|
|
| Back to top |
|
icing
Joined: 22 Sep 2015
Posts: 41
Location: Münster, Germany
|
| Posted: Sat 26 Nov '16 15:16 Post subject: |
|
|
| James is correct that you control that with 'SSLCipherSuite ...'. But, as you probably already noticed, this affects *every* connection. There is currently no separate mechanism for different protocols, such as http/1.1 and h2. |
|
| Back to top |
|
Jan-E
Joined: 09 Mar 2012
Posts: 1248
Location: Amsterdam, NL, EU
|
| Posted: Sat 26 Nov '16 19:47 Post subject: |
|
|
| James Blond wrote: |
Can you post that config? Or did you change something in the OpenSSL Code? |
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA
| Quote: | I think using SSLCipherSuite is the way to disable certain offered cyphers.
|
SSLCipherSuite influences the ciphers that are available to any connection. I want all 6 to be offered by mod_ssl, but TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA should not be available over http/2 because it is blacklisted for that protocol. So either nghttp2 or mod_h2 should block it.
Previously, there was a long list of blacklisted ciphers in nghttp2. Now there is some method:
https://github.com/nghttp2/nghttp2/search?utf8=%E2%9C%93&q=check_http2_cipher_black_list
But shrpx_connection.cc resides in the src/ dir of nghttp2, where the client, server and proxy programs are. There is no comparable check in the lib/ dir, so nghttp2.lib does not block it.
Last edited by Jan-E on Sun 27 Nov '16 8:57; edited 1 time in total |
|
| Back to top |
|
Jan-E
Joined: 09 Mar 2012
Posts: 1248
Location: Amsterdam, NL, EU
|
| Posted: Sat 26 Nov '16 19:55 Post subject: |
|
|
The actual blacklist check is here:
https://github.com/nghttp2/nghttp2/blob/master/src/ssl.cc#L134
| Code: | /* Conditional logic w/ lookup tables to check if id is one of the
the black listed cipher suites for HTTP/2 described in RFC 7540.
https://github.com/jay/http2_blacklisted_ciphers
*/
#define IS_CIPHER_BANNED_METHOD2(id) \
((0x0000 <= id && id <= 0x00FF && \
"\xFF\xFF\xFF\xCF\xFF\xFF\xFF\xFF\x7F\x00\x00\x00\x80\x3F\x00\x00" \
"\xF0\xFF\xFF\x3F\xF3\xF3\xFF\xFF\x3F\x00\x00\x00\x00\x00\x00\x80" \
[(id & 0xFF) / 8] & \
(1 << (id % 8))) || \
(0xC000 <= id && id <= 0xC0FF && \
"\xFE\xFF\xFF\xFF\xFF\x67\xFE\xFF\xFF\xFF\x33\xCF\xFC\xCF\xFF\xCF" \
"\x3C\xF3\xFC\x3F\x33\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
[(id & 0xFF) / 8] & \
(1 << (id % 8))))
bool check_http2_cipher_black_list(SSL *ssl) {
int id = SSL_CIPHER_get_id(SSL_get_current_cipher(ssl)) & 0xFFFFFF;
return IS_CIPHER_BANNED_METHOD2(id);
}
|
It should be possible to add a comparable check to either ngttp2.lib or mod_http2 or mod_ssl.
@icing: is mod_http2 even aware of the cipher id that it advertizes? |
|
| Back to top |
|
