Bug#945049: gnutls: Please prefer PFS ciphers over plain RSA ones.

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Mon Nov 18 22:55:18 GMT 2019


Package: gnutls28
Version: 3.6.7-4
Severity: important

Assuming the client program did not specify a cipher list, we end up with
NORMAL and this can be displayed via
	gnutls-cli --list --priority NORMAL

If we strip TLS1.3 and ECDHE away (because the remote side does not support
it) then we end up with:

|TLS_RSA_AES_256_GCM_SHA384                              0x00, 0x9d      TLS1.2
|TLS_RSA_AES_256_CCM                                     0xc0, 0x9d      TLS1.2
|TLS_RSA_AES_256_CBC_SHA1                                0x00, 0x35      TLS1.0
|TLS_RSA_AES_128_GCM_SHA256                              0x00, 0x9c      TLS1.2
|TLS_RSA_AES_128_CCM                                     0xc0, 0x9c      TLS1.2
|TLS_RSA_AES_128_CBC_SHA1                                0x00, 0x2f      TLS1.0
|TLS_DHE_RSA_AES_256_GCM_SHA384                          0x00, 0x9f      TLS1.2
|TLS_DHE_RSA_CHACHA20_POLY1305                           0xcc, 0xaa      TLS1.2
|TLS_DHE_RSA_AES_256_CCM                                 0xc0, 0x9f      TLS1.2
|TLS_DHE_RSA_AES_256_CBC_SHA1                            0x00, 0x39      TLS1.0
|TLS_DHE_RSA_AES_128_GCM_SHA256                          0x00, 0x9e      TLS1.2
|TLS_DHE_RSA_AES_128_CCM                                 0xc0, 0x9e      TLS1.2
|TLS_DHE_RSA_AES_128_CBC_SHA1                            0x00, 0x33      TLS1.0

as possible candidates. If the server has no preference then we
negotiate TLS_RSA_AES_256_GCM_SHA384. It would be ideal to send first
the DHE ciphers and then the non-DHE ciphers. The ECDHE ciphers come
first so it would make sense to send the DHE ciphers before the plain
RSA.

There is documentation how the ciphers can be overridden but this does
not work as I would expect it. Or I failed at some point. I added:

|$ cat /etc/gnutls/config
|[priorities]
|SYSTEM = PFS:SECURE128:SECURE192
|NORMAL = PFS:SECURE128:SECURE192

but the output of
	gnutls-cli --list --priority NORMAL

remains unchanged. However using
	gnutls-cli --list --priority @NORMAL

gives me the PFS ones first. Since the application uses NORMAL by default,
this does not help (as by changing system defaults).

Could the DHE ciphers please be moved up (preferably 1.2 ciphers first,
followed by 1.0 but I guess this makes no change unless ciphers were
removed on the remote side) in the default ciphers list? Using a config
file would work (I guess) but having this by default would be better
security wise I suppose.

Sebastian
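As an added illustration (this is not part of the report above and not GnuTLS code), the following Python script parses the layout that gnutls-cli --list prints (suite name, two-byte id, minimum protocol), flags every non-PFS suite that is offered before a PFS one, shows the stable reordering the report asks for, and models a server with no preference of its own picking the first mutually supported suite from the client's offer. The suite list embedded in it is a constructed copy of the one quoted in the mail; the server's supported set is a constructed assumption.

```python
import re
import sys
from typing import List, Optional, Set, Tuple

# Constructed sample input: the suite list quoted in the report, in the layout
# `gnutls-cli --list --priority NORMAL` prints, plus the tool's header line.
SAMPLE_LIST = """\
Cipher suites for NORMAL
TLS_RSA_AES_256_GCM_SHA384                              0x00, 0x9d      TLS1.2
TLS_RSA_AES_256_CCM                                     0xc0, 0x9d      TLS1.2
TLS_RSA_AES_256_CBC_SHA1                                0x00, 0x35      TLS1.0
TLS_RSA_AES_128_GCM_SHA256                              0x00, 0x9c      TLS1.2
TLS_RSA_AES_128_CCM                                     0xc0, 0x9c      TLS1.2
TLS_RSA_AES_128_CBC_SHA1                                0x00, 0x2f      TLS1.0
TLS_DHE_RSA_AES_256_GCM_SHA384                          0x00, 0x9f      TLS1.2
TLS_DHE_RSA_CHACHA20_POLY1305                           0xcc, 0xaa      TLS1.2
TLS_DHE_RSA_AES_256_CCM                                 0xc0, 0x9f      TLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA1                            0x00, 0x39      TLS1.0
TLS_DHE_RSA_AES_128_GCM_SHA256                          0x00, 0x9e      TLS1.2
TLS_DHE_RSA_AES_128_CCM                                 0xc0, 0x9e      TLS1.2
TLS_DHE_RSA_AES_128_CBC_SHA1                            0x00, 0x33      TLS1.0
"""

Suite = Tuple[str, Tuple[int, int], str]  # (name, (byte1, byte2), min protocol)

# One suite per line: name, "0xNN, 0xNN" id, then the minimum protocol version.
SUITE_RE = re.compile(
    r"^(TLS_\S+)\s+0x([0-9a-fA-F]{2}),\s*0x([0-9a-fA-F]{2})\s+(TLS\d\.\d)\s*$"
)


def parse_suites(text: str) -> List[Suite]:
    """Parse gnutls-cli --list output into suites, in the order they are offered."""
    suites: List[Suite] = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("|").strip()  # tolerate the "|" quoting used in mail
        m = SUITE_RE.match(line)
        if m:
            suites.append((m.group(1), (int(m.group(2), 16), int(m.group(3), 16)), m.group(4)))
    return suites


def is_pfs(suite: Suite) -> bool:
    """True when the key exchange is ephemeral, i.e. the suite gives forward secrecy.

    DHE/ECDHE suites qualify; TLS1.3 suites always use ephemeral (EC)DH, so their
    names carry no key-exchange token. Everything else (static RSA, plain PSK,
    RSA_PSK, ...) is treated as non-PFS.
    """
    name, _, proto = suite
    tokens = name.split("_")
    return proto == "TLS1.3" or "DHE" in tokens or "ECDHE" in tokens


def non_pfs_offered_before_pfs(suites: List[Suite]) -> List[str]:
    """Names of non-PFS suites that precede at least one PFS suite in the offer."""
    last_pfs = max((i for i, s in enumerate(suites) if is_pfs(s)), default=-1)
    return [s[0] for s in suites[: last_pfs + 1] if not is_pfs(s)]


def reorder_pfs_first(suites: List[Suite]) -> List[Suite]:
    """Stable partition: all PFS suites first, relative order otherwise unchanged."""
    return [s for s in suites if is_pfs(s)] + [s for s in suites if not is_pfs(s)]


def negotiate_client_preference(offer: List[Suite], server_supports: Set[str]) -> Optional[str]:
    """Model a server with no preference of its own: it takes the first suite in
    the client's offer that it also supports (the situation the report describes)."""
    for name, _, _ in offer:
        if name in server_supports:
            return name
    return None


if __name__ == "__main__":
    # Pipe real output in (gnutls-cli --list --priority NORMAL | python3 this.py)
    # or run without input to use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LIST
    offer = parse_suites(text)
    print("non-PFS suites offered ahead of PFS ones:", non_pfs_offered_before_pfs(offer))
    # Constructed assumption: a server that lacks ECDHE/TLS1.3 but has these.
    server = {"TLS_RSA_AES_256_GCM_SHA384", "TLS_DHE_RSA_AES_256_GCM_SHA384"}
    print("negotiated with offer as-is:  ", negotiate_client_preference(offer, server))
    print("negotiated with PFS first:    ", negotiate_client_preference(reorder_pfs_first(offer), server))
```

With the quoted list as-is, the check names all six plain-RSA suites and the modelled server lands on TLS_RSA_AES_256_GCM_SHA384; after the stable reordering the same server picks TLS_DHE_RSA_AES_256_GCM_SHA384, which is the change the report requests.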