[tor-bugs] #18129 [Tor Messenger]: Investigate chosen ciphersuite

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Jan 23 07:47:47 UTC 2016


#18129: Investigate chosen ciphersuite
---------------------------+---------------------
 Reporter:  arlolra        |          Owner:
     Type:  defect         |         Status:  new
 Priority:  High           |      Milestone:
Component:  Tor Messenger  |        Version:
 Severity:  Normal         |     Resolution:
 Keywords:                 |  Actual Points:
Parent ID:                 |         Points:
  Sponsor:                 |
---------------------------+---------------------

Comment (by yawning):

 Replying to [comment:6 arlolra]:
 > It's been suggested that the server doesn't do server side ordering, so
 whatever the client presents first gets picked, meaning Instantbird is
 ordered to use AES128-SHA-128 first :(

 Nope, because...

 > Next step is to record the client hello in wireshark to see what it's
 presenting, to be sure. And then figure out why ...

 {{{
   Cipher Suites Length: 22
   Cipher Suites (11 suites)
     Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
     Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
     Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
     Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
     Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
     Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
     Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
     Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
     Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)      <---
     Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
     Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
 }}}

 As far as I can tell, they don't support any of the ECDHE suites.  The
 right thing to do would be for them to catch up to current best practice
 and enable said suites.  The "we already have worse enabled" fix on the
 Tor Messenger side is to enable `TLS_RSA_WITH_AES_128_GCM_SHA256` and
 `TLS_RSA_WITH_AES_256_GCM_SHA384` after the `TLS_DHE_` suites, but before
 the rest of the other `TLS_RSA_` suites.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18129#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
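An added illustration of the negotiation described in the comment above (example code, not from the ticket or from Tor Messenger): it parses the captured Client Hello cipher list, picks the first client-offered suite a server supports when the server does not enforce its own ordering, and applies the proposed reordering. The server's supported set is a hypothetical assumption, as is the assumption that the server accepts RSA-GCM suites at all.

```python
import re

# Client Hello cipher list copied from the Wireshark dump above (embedded inline so this runs offline).
CLIENT_HELLO_DUMP = """
  Cipher Suites Length: 22
  Cipher Suites (11 suites)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
"""

# Hypothetical server: no ECDHE or DHE (consistent with the server picking the
# plain RSA suite marked "<---" above), but it does accept RSA with AES-GCM.
SERVER_SUPPORTED = {
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

SUITE_RE = re.compile(r"Cipher Suite:\s+(TLS_\w+)\s+\((0x[0-9a-fA-F]{4})\)")

def parse_client_suites(dump):
    """Offered suites in the order the client listed them (its preference)."""
    return [m.group(1) for m in SUITE_RE.finditer(dump)]

def negotiate(client_order, server_supported):
    """Server honours client ordering: the first offered suite it supports wins."""
    return next((s for s in client_order if s in server_supported), None)

def insert_rsa_gcm(client_order):
    """Slot the RSA-GCM suites after the last TLS_DHE_ suite and before the
    remaining TLS_RSA_ suites, as proposed in the comment above."""
    gcm = ["TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384"]
    order = [s for s in client_order if s not in gcm]
    last_dhe = max(i for i, s in enumerate(order) if s.startswith("TLS_DHE_"))
    return order[:last_dhe + 1] + gcm + order[last_dhe + 1:]

if __name__ == "__main__":
    offered = parse_client_suites(CLIENT_HELLO_DUMP)
    print("as captured:", negotiate(offered, SERVER_SUPPORTED))
    print("reordered:  ", negotiate(insert_rsa_gcm(offered), SERVER_SUPPORTED))
```

Confirm what the real server actually negotiates by inspecting its ServerHello before relying on the reordering; if it rejects RSA-GCM, the result stays AES128-CBC-SHA.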

