Vulnerability in TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
In https://bitbucket.org/openid/fapi/issues/685/use-of-tls-12-ciphers#comment-66826146 Tom Jones mentioned this page:
https://ciphersuite.info/cs/TLS_DHE_RSA_WITH_AES_128_GCM_SHA256/
which suggests that that TLS cipher (which is one of the 4 required in FAPI1/2) has issues.
https://www.rfc-editor.org/rfc/rfc9325.html#appendix-A (the update to the TLS BCP which has been published since FAPI1 went to final) seems to mention “Dropped TLS_DHE_RSA_WITH_AES from the recommended ciphers”.
I’ve not researched this enough to have a recommendation but it seems worth checking before FAPI2 goes final. I’m not sure what we could/would do about FAPI1.
Comments (8)
-
reporter -
ALSO APPLIES to any TLS_DHE_RSA_WITH_****. There is just one other that applies here, I believe.
-
Maybe useful in this context: The current (albeit several years old) recommendations by NIST seem to allow the use of TLS_DHE_RSA_WITH_AES_128_GCM_SHA256. The German BSI’s (basically the German counterpart to NIST) recommendations, dated Jan. 2024, list the TLS_DHE_*** suites as “only use until 2029”.
-
Based on messages from NSA I expect TLS_DHE_RSA_*** to be automatically deprecated this year when the PQ modes are officially sanctioned by NIST for US gov’t use.
Where deprecated means no new applications will be accepted, but existing ones can continue in operation.
FAPI could deprecate them in the same manner as of the release of this doc.
-
Hi,
BCP195 already says these ciphers are recommended, why don’t we just revert to BCP recommended ciphers for TLS 1.2?
RB
4.2. Cipher Suites for TLS 1.2
Given the foregoing considerations, implementation and deployment of the following cipher suites is RECOMMENDED:
* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-
I think we should get out of the business of naming specific cipher suites.
-
I swear we had this discussion before, totally agree, we should reference BCP195.
Although, FAPI might consider overriding “recommended” to something stronger?
-
What I have noticed, and is reported by US Medicare below - the cloud service providers like Akamai and Cloudflare are limiting what is accepted for TLS. Even the BCP may not be able to keep up with the changes that are coming over the next few years. Agility and standards-based crypto suites or attack threat models are incompatible. ..tom
==================================================
Akamai, which the Blue Button 2.0 API utilizes, is making an update to their required Ciphers. This will be occurring on May 27th, 2024 for the Blue Button 2.0 API Production environment.
Our sandbox environment is currently limited to the Ciphers required in the update. This means that if apps are currently working in sandbox, they will not need to make a change.
All other developers will want to make sure that their chosen API request library and browser support are adjusted to meet this new requirement. The new requirement is TLS 1.2 at a minimum, with TLS 1.3 recommended. We are also limiting to the following Cipher suites:
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
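The thread keeps coming back to two practical questions: which of a deployment's configured suites are the TLS_DHE_RSA_* ones that RFC 9325 dropped, and how to make a client stop offering them. The following is an added example, not code from the issue or from the FAPI working group; the suite list it audits is a constructed sample and the cipher string is one assumed OpenSSL-style restriction.

```python
"""Audit a TLS 1.2 suite list against RFC 9325 (BCP 195) and build a client
context that cannot negotiate finite-field DHE suites.

Added example for this thread, not part of the FAPI specs or the issue."""
import ssl

# The four TLS 1.2 suites RFC 9325 section 4.2 RECOMMENDS, as quoted above.
RFC9325_RECOMMENDED = frozenset({
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
})


def audit_cipher_suites(configured):
    """Classify IANA suite names as BCP-recommended, TLS_DHE_RSA_* (dropped
    from the BCP list), or neither. Returns a dict of three sorted lists."""
    report = {"recommended": [], "dhe_rsa": [], "other": []}
    for name in configured:
        if name in RFC9325_RECOMMENDED:
            report["recommended"].append(name)
        elif name.startswith("TLS_DHE_RSA_WITH_"):
            report["dhe_rsa"].append(name)
        else:
            report["other"].append(name)
    return {k: sorted(v) for k, v in report.items()}


def ecdhe_only_client_context():
    """Client context limited to ECDHE key exchange with AEAD ciphers.
    '!DHE' drops every finite-field DHE suite (assumed OpenSSL cipher-string
    syntax); TLS 1.3 suites are configured separately and stay enabled."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!DHE")
    return ctx


def enabled_dhe_suites(ctx):
    """OpenSSL names of finite-field DHE suites the context could offer."""
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if c["name"].startswith("DHE-"))


if __name__ == "__main__":
    # Constructed sample config: the DHE suite from the issue title, one
    # BCP-recommended ECDHE suite and one legacy RSA key-transport suite.
    sample = ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
              "TLS_RSA_WITH_AES_128_CBC_SHA"]
    print(audit_cipher_suites(sample))
    print("DHE suites still offered:", enabled_dhe_suites(ecdhe_only_client_context()))
```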