TLS versions and ciphers #253
Comments
Related with a different recommendation: https://cipherli.st/.
I love the idea of synchronising ourselves with the Mozilla recommendations. Mozilla offers the recommendation in JSON, as static or rolling. For instance:
@fredericmoulins, I have assigned myself on this one, but I am happy if you want to do it.
Yes, I will try it soon. I had notes already on where and what to change. Not sure yet which way to use the JSON definition, but will try something.
OK. I think there are Ansible filters to parse JSON, good luck!
I am going to focus on the other project, the relay VPN to provide a static IP address to those who have a dynamic one. So you have a free hand on this one. Ideally, it would be nice to have the option to automatically check the ciphers to use every month or so.
On the basis of #294, there are two points I would like to discuss:
For the server's cipher preferred order, Mozilla currently recommends not forcing the server's order for the Intermediate profile. They got there through a long discussion: mozilla/server-side-tls#178. From what I recall, preferring the server's cipher order in this configuration does not make a significant difference security-wise, and it allows clients to choose ciphers for which they have been optimized. About the usage of the recommendation in JSON format, as they recommend, I agree with the usage of a specific version (5.0 in #294). What do you think?
I agree about taking the certificates in the HomeBox git repository.
Mozilla maintains a configuration recommendation for TLS:
Three profiles are defined: Modern (no backward compatibility), Intermediate (general purpose), Old (backward compatibility with very old clients).
The intermediate profile consists of TLS 1.3 with all ciphers, and TLS 1.2 with a selection of ciphers. The global ciphers order is also important.
Currently, the main servers in homebox have different TLS configuration profiles:
Would it be ok to configure the Intermediate profile for the different servers in homebox, or are there cases where more compatibility is needed (eg postfix)?
Then, as the recommendation has evolved in the past few years, it might probably evolve the same way in the years to follow. Unfortunately, those profiles are not available as cipher specs in openssl for example, and the HIGH, MEDIUM, LOW specs are far from the same criteria, so it's not possible to configure an Intermediate spec and let the openssl updates take care of the selection.
How does homebox allow to stay up to date?
Mozilla's recommendations are also maintained as JSON files with a nice warning about compatibility on updates. This could be used to at least issue an alert that the current server configuration is no longer recommended so that admins can admin, or maybe to take the risk of automatically updating the configurations.
The Debian updates will happen every ~ 3 years (~ 5 years using LTS). A run of the homebox playbooks will surely occur to update or reinstall, that could be considered sufficient to get the new configuration. (Let's say that TLSv1.2 or one of its ciphers gets broken in 12 ~ 18 months, is it ok to wait for the buster+1 release in 2022 and trust the security updates mitigations if any until then?)
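The alerting idea from the issue description above (comparing the deployed configuration with the JSON recommendation and warning on drift), as an added example that is not part of the original thread or of homebox's code. The embedded JSON is a constructed, shortened sample whose key names are assumed to follow Mozilla's guidelines file; `tls_drift`, its parameters and the sample server settings are hypothetical.

```python
import json

# Constructed, shortened sample; key names are assumed to match Mozilla's
# guidelines JSON. Only the TLS 1.2 (OpenSSL-named) cipher list is compared here.
GUIDELINES = json.loads("""
{
  "version": 5.0,
  "configurations": {
    "intermediate": {
      "tls_versions": ["TLSv1.2", "TLSv1.3"],
      "server_preferred_order": false,
      "ciphers": {"openssl": [
        "ECDHE-ECDSA-AES128-GCM-SHA256",
        "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-ECDSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES256-GCM-SHA384"
      ]}
    }
  }
}
""")


def tls_drift(guidelines, profile, versions, cipher_string, server_order):
    """Return a list of differences from the profile; empty means compliant."""
    rec = guidelines["configurations"][profile]
    want = rec["ciphers"]["openssl"]
    have = [c for c in cipher_string.split(":") if c]
    extra_v = sorted(set(versions) - set(rec["tls_versions"]))
    missing_v = sorted(set(rec["tls_versions"]) - set(versions))
    issues = [f"protocol {v} is enabled but not in the {profile} profile" for v in extra_v]
    issues += [f"protocol {v} is recommended but not enabled" for v in missing_v]
    issues += [f"cipher {c} is configured but not recommended" for c in have if c not in want]
    issues += [f"cipher {c} is recommended but missing" for c in want if c not in have]
    # Compare ordering only over the ciphers present on both sides.
    if [c for c in have if c in want] != [c for c in want if c in have]:
        issues.append("cipher order differs from the recommended order")
    if server_order != rec["server_preferred_order"]:
        issues.append(f"server_preferred_order should be {rec['server_preferred_order']}")
    return issues


if __name__ == "__main__":
    # Constructed server settings, e.g. gathered by a monthly check.
    current = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:AES128-SHA"
    for line in tls_drift(GUIDELINES, "intermediate", ["TLSv1.1", "TLSv1.2"], current, True):
        print("WARNING:", line)
```

Pinning the guidelines to a specific version, as discussed in the comments, keeps the check's result stable until the pinned file is deliberately updated.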