Envoy: Envoy does not run when setting these cipher suites

Created on 13 May 2019 · 8 Comments · Source: envoyproxy/envoy

Envoy does not run when setting these cipher suites
Last dev build of 15/5/2019

I want to be able to use these two cipher_suites:

  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384

BoringSSL supports it, I don't know why Envoy throws an error when I try it.

I'm using these ciphers, but the last two are weak.
"ECDHE-ECDSA-CHACHA20-POLY1305",
"ECDHE-RSA-CHACHA20-POLY1305",
"ECDHE-ECDSA-AES256-GCM-SHA384",
"ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-AES256-SHA",
"ECDHE-RSA-AES256-SHA"

As additional info, I'm running these curves:
"P-521",
"P-384",
"P-256"

I don't know any other strong ciphers with compatibility with Windows 8 or iOS 7.
It's important for me to fix this.

Any help?
I think it's a bug, not a question.
The line between both is very narrow.

question

All 8 comments

Hi @dio. Isn't it a bug?

Which version of Envoy are you running? cc @PiotrSikora

@lizan I'm running envoyproxy/envoy-alpine-dev:6dd4b6f83119e6b284f95ed9c74e4dfcbb4efc8c daily release.

BoringSSL doesn't support those cipher suites:

$ bssl ciphers -openssl-name ALL
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-PSK-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
ECDHE-PSK-AES128-CBC-SHA
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES256-SHA
ECDHE-PSK-AES256-CBC-SHA
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA
PSK-AES128-CBC-SHA
AES256-SHA
PSK-AES256-CBC-SHA
DES-CBC3-SHA

@PiotrSikora Thanks for the info! Maybe there is a way to compile and to support it?
I see the ECDH HMAC based ciphersuites from RFC5289 defined in tls1.h.

No, BoringSSL does not support them. There is no compile-time flag to restore them, nor do we have any plans to add one. That file has a ton of constants lying around that we have not yet pruned, as some code may rely on them.

While you're right that ECDHE-ECDSA-AES256-SHA and ECDHE-RSA-AES256-SHA (standard names are TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) are legacy, the cipher suites you identified are not strong.

All CBC-mode ciphers in TLS are vulnerable to the Lucky 13 attack, due to a flaw in the ordering between encryption and MAC. ECDHE-ECDSA-AES256-SHA384 and ECDHE-RSA-AES256-SHA384 (standard names are TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) switched HMAC-SHA-1 to HMAC-SHA-384, but SHA-1 was not the main problem with those ciphers.

The only strong cipher suites in TLS 1.2 are ECDHE paired with an AEAD bulk cipher (one based on AES-GCM or ChaCha20-Poly1305). Everything else is legacy and should be phased out over time.
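
The rule from the comment above (only ECDHE with an AEAD bulk cipher is strong; a name missing from the `bssl ciphers` output is not supported), applied to the reporter's list as an added Python example that is not part of the thread or of Envoy. `classify`, `audit` and `REQUESTED` are hypothetical names, and `SUPPORTED` is copied from the output quoted earlier on this page.

```python
# Added example: audit a cipher_suites list using the rule from this thread.
# SUPPORTED is copied from the `bssl ciphers -openssl-name ALL` output quoted
# above; it describes the build discussed here, not every BoringSSL version.
SUPPORTED = frozenset("""
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305
ECDHE-PSK-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA
ECDHE-PSK-AES128-CBC-SHA ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA
ECDHE-PSK-AES256-CBC-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA
PSK-AES128-CBC-SHA AES256-SHA PSK-AES256-CBC-SHA DES-CBC3-SHA
""".split())


def classify(name):
    """Return 'unsupported', 'strong' or 'legacy' for one OpenSSL-style name."""
    if name not in SUPPORTED:
        return "unsupported"
    # AEAD bulk ciphers in the supported list: AES-GCM and ChaCha20-Poly1305.
    aead = "-GCM-" in name or name.endswith("CHACHA20-POLY1305")
    # Every non-AEAD suite in SUPPORTED is CBC mode (AES-CBC or 3DES-CBC),
    # and suites without ECDHE lack forward secrecy, so both count as legacy.
    if name.startswith("ECDHE-") and aead:
        return "strong"
    return "legacy"


def audit(cipher_suites):
    """Group suite names by verdict, preserving the configured order."""
    report = {"strong": [], "legacy": [], "unsupported": []}
    for name in cipher_suites:
        report[classify(name)].append(name)
    return report


# The reporter's working list followed by the two suites they asked for.
REQUESTED = [
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
]

if __name__ == "__main__":
    for verdict, names in audit(REQUESTED).items():
        print(f"{verdict}: {', '.join(names) or '-'}")
```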

Thank you very much everybody for elucidating me.

@filipeandre no, there is no support for those cipher suites.
