[openssl-dev] Circumstances cause CBC often to be preferred over GCM modes

Hanno Böck hanno at hboeck.de
Tue Dec 16 02:02:29 UTC 2014


On Mon, 15 Dec 2014 17:36:40 -0800
Ryan Sleevi <rsleevi at chromium.org> wrote:

> > > * Server operator uses apache+openssl with cipher string
> > >   "HIGH:!MEDIUM:!LOW:!aNULL@STRENGTH". This seems reasonable.
> > > Only HIGH security ciphers and sort them by strength.
> > > * Browser (Chrome or Firefox) will take the first preferred cipher
> > >   suite it supports. As it doesn't support AES-GCM-256 it will
> > > choose AES-CBC_256.
> >
> 
> This isn't an accurate description of the flow.
> 
> The client advertises its set of ciphersuites in the client hello. The
> server is responsible for choosing the ciphersuite used, and may take
> either client priority into consideration (e.g. if the client is a
> constrained device, it might intentionally prefer a
> weaker-but-efficient algorithm; this was classically true for 3DES
> and RC4) or it may ignore this and choose at the server level. For
> example, with Apache,
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslhonorcipherorder

Ah, sorry, of course you're right.
My analysis of the situation was wrong; however, it doesn't really
change the outcome: There are a number of sites probably configured in
good faith with secure settings that result in CBC being preferred over
GCM.

(But good to note that a quick fix is to disable SSLHonorCipherOrder
on affected apache servers)

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: BBB51E42
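
Added example (not part of the original message, and not OpenSSL or Apache code): a small Python model of the server-side selection discussed in this thread, showing why "@STRENGTH" plus SSLHonorCipherOrder ends in AES-256-CBC for a client without AES-256-GCM. The suite lists and the client's offer order are constructed sample data, and sort_by_strength() is a simplified model of "@STRENGTH".

```python
# Constructed sample data: (OpenSSL suite name, symmetric key bits).
# Listed with the GCM suites first, i.e. before any @STRENGTH sort.
SERVER_HIGH = [
    ("ECDHE-RSA-AES128-GCM-SHA256", 128),
    ("ECDHE-RSA-AES256-GCM-SHA384", 256),
    ("ECDHE-RSA-AES128-SHA", 128),   # AES-128-CBC
    ("ECDHE-RSA-AES256-SHA", 256),   # AES-256-CBC
]

# Assumed client offer: supports AES-128-GCM but not AES-256-GCM,
# in the client's own preference order.
CLIENT_OFFER = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA",
]


def sort_by_strength(suites):
    """Model of '@STRENGTH': stable sort by key length, strongest first."""
    return sorted(suites, key=lambda s: -s[1])


def negotiate(server_suites, client_offer, honor_server_order):
    """Return the suite the server picks, or None if there is no overlap.

    honor_server_order=True models SSLHonorCipherOrder on: walk the
    server's list. False models it off: walk the client's list.
    """
    server_names = [name for name, _bits in server_suites]
    if honor_server_order:
        preferred, allowed = server_names, set(client_offer)
    else:
        preferred, allowed = client_offer, set(server_names)
    for name in preferred:
        if name in allowed:
            return name
    return None  # would be a handshake failure


if __name__ == "__main__":
    ordered = sort_by_strength(SERVER_HIGH)
    print("server order on :", negotiate(ordered, CLIENT_OFFER, True))
    print("server order off:", negotiate(ordered, CLIENT_OFFER, False))
```

With the server's order honoured, the 256-bit CBC suite outranks the 128-bit GCM suite the client actually offers; with the client's order, GCM is chosen.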