trafficserver-users mailing list archives

From Bryan Call <bc...@apache.org>
Subject Re: Proposed change in default cipher_suite list for ATS 6.0
Date Fri, 19 Jun 2015 05:05:49 GMT
+1

-Bryan

> On Jun 18, 2015, at 2:49 PM, Susan Hinrichs <shinrich@ieee.org> wrote:
> 
> We are planning on changing the default cipher_suite list as we move to ATS 6.0.  The jira outlines the discussion on this issue https://issues.apache.org/jira/browse/TS-3136
> 
> Here is the last entry of the jira with the proposal and rationale.
> 
> Ran some tests on a production box in Y!  Based on those results, I suggest the following cipher string.
> 
> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

> 
> The upshot is that we remove RC4, add new ciphers, and rearrange the list to give preference to cipher attributes in the following order: PFS, then GCM, then stronger SHA, then stronger AES.  3DES is at the end to scoop up the remainders.
> 
> We tested in the Y! environment which tends to have a wide variety of clients.  Removing RC4 did not seem to significantly impact handshake success rate.  CBC algorithms are also concerning, but if we care about out-of-the-box experience it looks like the CBC algorithms need to stick around for a while longer.
> 
> Here are details of the test
> 
> With Y! original cipher string
> 0.0102% ssl_error_ssl
> 
> The number of DES-CBC3-SHA sessions was negligible (45).  The Y! initial configuration has one RC4 algorithm listed kind of early, so the RC4 percentage was around 30% as [~davet] noted in an earlier comment.
> 
> With proposed default cipher string running for an hour
> 0.009% ssl_error_ssl
> 
> The percentage of DES-CBC3-SHA sessions grew to 0.9% of sessions. In my experiment, it was impossible to isolate the CPU impact of this change.  To test a new cipher without updating all the machines in the production pod, I removed the test box from the SSL session sharing communication.  The test box experienced around a 30% increase in CPU utilization, but I think that can be mostly attributed to increased session negotiation since it did not know about the sessions negotiated by other machines in the pod.
> 
> We did one experiment with the RC4 ciphers added after DES-CBC3 as another measure of how many clients are only willing to do RC4. After about an hour, 2 RC4 sessions were started.
> 
> 510932 = Total Successful Handshakes
> 
> Percentage of various ciphers negotiated
> 
> # Start with PFS/GCM ciphers.  Give slight preference to AES256 over AES128, and prefer stronger SHA
> 0%     ECDHE-ECDSA-AES256-GCM-SHA384:
> 4.2%   ECDHE-RSA-AES256-GCM-SHA384:
> 0%     ECDHE-ECDSA-AES128-GCM-SHA256:
> 30.6%  ECDHE-RSA-AES128-GCM-SHA256:
> # DHE still gives PFS but at increased computation cost
> 0%     DHE-RSA-AES256-GCM-SHA384:
> 0%     DHE-DSS-AES256-GCM-SHA384:
> 0%     DHE-RSA-AES128-GCM-SHA256:
> 0%     DHE-DSS-AES128-GCM-SHA256:
> # CBC versions of the PFS ciphers
> 0%     ECDHE-ECDSA-AES256-SHA384:
> 30.6%  ECDHE-RSA-AES256-SHA384:
> 0%     ECDHE-ECDSA-AES256-SHA:
> 27.7%  ECDHE-RSA-AES256-SHA:
> 0%     ECDHE-ECDSA-AES128-SHA256:
> 0%     ECDHE-RSA-AES128-SHA256:
> 0%     ECDHE-ECDSA-AES128-SHA:
> 0.14%  ECDHE-RSA-AES128-SHA:
> 0%     DHE-RSA-AES256-SHA256:
> 0%     DHE-DSS-AES256-SHA256:
> 0%     DHE-RSA-AES128-SHA256:
> 0%     DHE-DSS-AES128-SHA256:
> 0%     DHE-RSA-AES256-SHA:
> 0%     DHE-DSS-AES256-SHA:
> 0%     DHE-RSA-AES128-SHA:
> 0%     DHE-DSS-AES128-SHA:
> # No PFS, GCM
> 0.3%   AES256-GCM-SHA384:
> 0%     AES128-GCM-SHA256:
> # No PFS, CBC
> 0.2%   AES256-SHA256:
> 0%     AES128-SHA256:
> 4.8%   AES256-SHA:
> 0.5%   AES128-SHA:
> # 3DES as a last resort
> 0.9%   DES-CBC3-SHA
> 
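
As an added example (not part of the original messages), the Python below classifies the suites in the proposed string by the first two criteria the message names, PFS then GCM, checks that no suite is listed after one from a weaker tier, and totals the measured handshake shares per tier. The tier names and helper functions are assumptions made for illustration.

```python
# Added example; tier names and helpers are hypothetical, not ATS or OpenSSL APIs.
# Suites from the proposed string, in order, plus two of its "!" exclusions.
PROPOSED = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:"
    "DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:"
    "DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:"
    "AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!RC4"
)
MEASURED = {  # non-zero negotiated shares (%) from the message's test table
    "ECDHE-RSA-AES256-GCM-SHA384": 4.2, "ECDHE-RSA-AES128-GCM-SHA256": 30.6,
    "ECDHE-RSA-AES256-SHA384": 30.6, "ECDHE-RSA-AES256-SHA": 27.7,
    "ECDHE-RSA-AES128-SHA": 0.14, "AES256-GCM-SHA384": 0.3, "AES256-SHA256": 0.2,
    "AES256-SHA": 4.8, "AES128-SHA": 0.5, "DES-CBC3-SHA": 0.9,
}
TIERS = ["PFS+GCM", "PFS+CBC", "noPFS+GCM", "noPFS+CBC", "3DES"]

def tier(suite):
    """Index into TIERS: PFS first, then GCM; 3DES is the last resort."""
    if "CBC3" in suite:
        return 4
    pfs = suite.startswith(("ECDHE-", "DHE-"))
    return (0 if pfs else 2) + (0 if "-GCM-" in suite else 1)

def order_violations(cipher_string):
    """Suites listed after a suite from a weaker tier (empty list = ordered)."""
    worst, bad = 0, []
    for s in cipher_string.split(":"):
        if not s or s.startswith("!"):
            continue  # exclusion terms do not take part in ordering
        if tier(s) < worst:
            bad.append(s)
        worst = max(worst, tier(s))
    return bad

def share_by_tier(shares):
    """Sum negotiated percentages per tier, rounded to 2 decimals."""
    totals = dict.fromkeys(TIERS, 0.0)
    for suite, pct in shares.items():
        totals[TIERS[tier(suite)]] += pct
    return {name: round(v, 2) for name, v in totals.items()}

print(order_violations(PROPOSED), share_by_tier(MEASURED))
```

On the figures in the message, the two AES-CBC tiers together carry 63.94% of the measured handshakes.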

