Update TLS ciphers and protocols for JDK 11 #41385
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit updates the default ciphers and TLS protocols that are used after the minimum supported JDK is JDK 11. The conditionals around TLSv1.3 and 256-bit cipher support have been removed. JDK 11 no longer requires an unlimited JCE policy file for 256 bit cipher support and TLSv1.3 is supported in JDK 11+. New cipher support has been introduced in the newer JDK versions as well. The ciphers are ordered with PFS ciphers being most preferred, then AEAD ciphers, and finally those with mainstream hardware support.
|
Pinging @elastic/es-security |
jkakavas
approved these changes
Apr 22, 2019
| Jurisdiction Policy Files_ has been installed, the default value also includes `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`, | ||
| `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, | ||
| `TLS_RSA_WITH_AES_256_CBC_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA`. | ||
| Java Cryptography Architecture documentation]. Defaults to `TLS_AES_256_GCM_SHA384`, |
There was a problem hiding this comment.
Remove the CAMELLIA/CHACHA20/ARIA ones ?
| Jurisdiction Policy Files_ has been installed, the default value also includes `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`, | ||
| `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, | ||
| `TLS_RSA_WITH_AES_256_CBC_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA`. | ||
| Java Cryptography Architecture documentation]. Defaults to `TLS_AES_256_GCM_SHA384`, |
There was a problem hiding this comment.
tvernum
reviewed
Apr 24, 2019
| "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", // PFS, hardware support | ||
| "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", // PFS, hardware support | ||
| "TLS_RSA_WITH_AES_128_GCM_SHA256", // AEAD, hardware support | ||
| "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"); // hardware support |
There was a problem hiding this comment.
I'm curious about the precise rationale for this ordering (e.g. the top 3 all have the same attributes from your explicit criteria).
Overall, it makes sense, and I don't disagree, but for example Mozilla don't recommend TLS_AES_256_GCM_SHA384 in their Modern list (because they only recommend EC), and it's on their intermediate list, but way down the bottom (partly because the don't worry about hardware support for intermediate compat).
However OWASP put that same cipher as their number 1 recommendation.
I'm not going to even attempt to adjudicate that argument, but I think this is the place to be explicit about our reasoning so we can refer back to it, if the need arises in the future.
There was a problem hiding this comment.
My rationale about that is TLSv1.3 is better than TLSv1.2 and TLSv1.3 requires a TLSv1.3 cipher suite and can not use a TLSv1.2 cipher suite, so we define the TLSv1.3 cipher suite first. TLSv1.3 removes the key exchange method from the cipher suite and only supports DHE/ECDHE. Mozilla's list looks to be outdated in that it is still geared towards Java 8 and has not been updated for TLSv1.3.
This is something that I missed in the work to enable TLSv1.3 for 7.0 and will open a different PR that brings this work back to 7.x versions to correct this.
There was a problem hiding this comment.
To go even further:
- Forward secrecy was considered next as we don't want a recorded TLS session to be able to be decrypted.
- Strong symmetric encryption is also preferred (ie 256 bit over 128 bit)
- ECDSA is preferred over RSA due to its ability to scale in terms of performance and key size. RSA needs much bigger keys to achieve the same level of security as ECDSA.
- AEAD is preferred over CBC due to weaknesses in CBC mode like padding oracles
- SHANNN is preferred over
SHAsince SHA-2 overcomes issues in SHA-1
tvernum
approved these changes
Apr 26, 2019
tvernum
reviewed
Apr 30, 2019
| @@ -126,7 +126,7 @@ public Settings nodeSettings(int nodeOrdinal) { | |||
|
|
|||
| Settings.Builder builder = Settings.builder() | |||
| .put(XPackSettings.SECURITY_ENABLED.getKey(), true) | |||
| .put(NetworkModule.TRANSPORT_TYPE_KEY, randomBoolean() ? SecurityField.NAME4 : SecurityField.NIO) | |||
| .put(NetworkModule.TRANSPORT_TYPE_KEY, SecurityField.NIO)//randomBoolean() ? SecurityField.NAME4 : SecurityField.NIO) | |||
There was a problem hiding this comment.
I assume this is left over debugging?
There was a problem hiding this comment.
Thanks for pointing it out. It was leftover from debugging and getting help from @tbrooks8
|
@elasticmachine run elasticsearch-ci/1 |
jaymode
added a commit
that referenced
this pull request
May 2, 2019
This reverts commit 315c971 due to CI failures related to this change. Some of the failures are due to JDK bugs related to TLSv1.3 such as JDK-8213202 and an endless loop in the HttpsServer when the client closes in a certain manner.
jaymode
added a commit
to jaymode/elasticsearch
that referenced
this pull request
May 3, 2019
This commit updates the default ciphers and TLS protocols that are used after the minimum supported JDK is JDK 11. The conditionals around TLSv1.3 and 256-bit cipher support have been removed. JDK 11 no longer requires an unlimited JCE policy file for 256 bit cipher support and TLSv1.3 is supported in JDK 11+. New cipher support has been introduced in the newer JDK versions as well. The ciphers are ordered with PFS ciphers being most preferred, then AEAD ciphers, and finally those with mainstream hardware support.
jaymode
added a commit
that referenced
this pull request
May 7, 2019
* Update TLS ciphers and protocols for JDK 11 (#41385) This commit updates the default ciphers and TLS protocols that are used after the minimum supported JDK is JDK 11. The conditionals around TLSv1.3 and 256-bit cipher support have been removed. JDK 11 no longer requires an unlimited JCE policy file for 256 bit cipher support and TLSv1.3 is supported in JDK 11+. New cipher support has been introduced in the newer JDK versions as well. The ciphers are ordered with PFS ciphers being most preferred, then AEAD ciphers, and finally those with mainstream hardware support. * Fixes for TLSv1.3 on JDK11 * fix for JDK-8212885
jasontedor
pushed a commit
that referenced
this pull request
May 7, 2019
* Update TLS ciphers and protocols for JDK 11 (#41385) This commit updates the default ciphers and TLS protocols that are used after the minimum supported JDK is JDK 11. The conditionals around TLSv1.3 and 256-bit cipher support have been removed. JDK 11 no longer requires an unlimited JCE policy file for 256 bit cipher support and TLSv1.3 is supported in JDK 11+. New cipher support has been introduced in the newer JDK versions as well. The ciphers are ordered with PFS ciphers being most preferred, then AEAD ciphers, and finally those with mainstream hardware support. * Fixes for TLSv1.3 on JDK11 * fix for JDK-8212885
cam72cam
pushed a commit
to cam72cam/elasticsearch
that referenced
this pull request
May 9, 2019
* Update TLS ciphers and protocols for JDK 11 (elastic#41385) This commit updates the default ciphers and TLS protocols that are used after the minimum supported JDK is JDK 11. The conditionals around TLSv1.3 and 256-bit cipher support have been removed. JDK 11 no longer requires an unlimited JCE policy file for 256 bit cipher support and TLSv1.3 is supported in JDK 11+. New cipher support has been introduced in the newer JDK versions as well. The ciphers are ordered with PFS ciphers being most preferred, then AEAD ciphers, and finally those with mainstream hardware support. * Fixes for TLSv1.3 on JDK11 * fix for JDK-8212885
jaymode
added a commit
to jaymode/elasticsearch
that referenced
this pull request
May 10, 2019
This commit updates the default ciphers and TLS protocols that are used when the runtime JDK supports them. New cipher support has been introduced in JDK 11 and 12 along with performance fixes for AES GCM. The ciphers are ordered with PFS ciphers being most preferred, then AEAD ciphers, and finally those with mainstream hardware support. When available stronger encryption is preferred for a given cipher. This is a backport of elastic#41385 and elastic#41808. There are known JDK bugs with TLSv1.3 that have been fixed in various versions. These are: 1. The JDK's bundled HttpsServer will endless loop under JDK11 and JDK 12.0 (Fixed in 12.0.1) based on the way the Apache HttpClient performs a close (half close). 2. In all versions of JDK 11 and 12, the HttpsServer will endless loop when certificates are not trusted or another handshake error occurs. An email has been sent to the openjdk security-dev list and elastic#38646 is open to track this. 3. In JDK 11.0.2 and prior there is a race condition with session resumption that leads to handshake errors when multiple concurrent handshakes are going on between the same client and server. This bug does not appear when client authentication is in use. This is JDK-8213202, which was fixed in 11.0.3 and 12.0. 4. In JDK 11.0.2 and prior there is a bug where resumed TLS sessions do not retain peer certificate information. This is JDK-8212885. The way these issues are addressed is that the current java version is checked and used to determine the supported protocols for tests that provoke these issues.
jaymode
added a commit
that referenced
this pull request
May 20, 2019
This commit updates the default ciphers and TLS protocols that are used when the runtime JDK supports them. New cipher support has been introduced in JDK 11 and 12 along with performance fixes for AES GCM. The ciphers are ordered with PFS ciphers being most preferred, then AEAD ciphers, and finally those with mainstream hardware support. When available stronger encryption is preferred for a given cipher. This is a backport of #41385 and #41808. There are known JDK bugs with TLSv1.3 that have been fixed in various versions. These are: 1. The JDK's bundled HttpsServer will endless loop under JDK11 and JDK 12.0 (Fixed in 12.0.1) based on the way the Apache HttpClient performs a close (half close). 2. In all versions of JDK 11 and 12, the HttpsServer will endless loop when certificates are not trusted or another handshake error occurs. An email has been sent to the openjdk security-dev list and #38646 is open to track this. 3. In JDK 11.0.2 and prior there is a race condition with session resumption that leads to handshake errors when multiple concurrent handshakes are going on between the same client and server. This bug does not appear when client authentication is in use. This is JDK-8213202, which was fixed in 11.0.3 and 12.0. 4. In JDK 11.0.2 and prior there is a bug where resumed TLS sessions do not retain peer certificate information. This is JDK-8212885. The way these issues are addressed is that the current java version is checked and used to determine the supported protocols for tests that provoke these issues.
gurkankaymak
pushed a commit
to gurkankaymak/elasticsearch
that referenced
this pull request
May 27, 2019
This commit updates the default ciphers and TLS protocols that are used after the minimum supported JDK is JDK 11. The conditionals around TLSv1.3 and 256-bit cipher support have been removed. JDK 11 no longer requires an unlimited JCE policy file for 256 bit cipher support and TLSv1.3 is supported in JDK 11+. New cipher support has been introduced in the newer JDK versions as well. The ciphers are ordered with PFS ciphers being most preferred, then AEAD ciphers, and finally those with mainstream hardware support.
gurkankaymak
pushed a commit
to gurkankaymak/elasticsearch
that referenced
this pull request
May 27, 2019
This reverts commit 315c971 due to CI failures related to this change. Some of the failures are due to JDK bugs related to TLSv1.3 such as JDK-8213202 and an endless loop in the HttpsServer when the client closes in a certain manner.
gurkankaymak
pushed a commit
to gurkankaymak/elasticsearch
that referenced
this pull request
May 27, 2019
* Update TLS ciphers and protocols for JDK 11 (elastic#41385) This commit updates the default ciphers and TLS protocols that are used after the minimum supported JDK is JDK 11. The conditionals around TLSv1.3 and 256-bit cipher support have been removed. JDK 11 no longer requires an unlimited JCE policy file for 256 bit cipher support and TLSv1.3 is supported in JDK 11+. New cipher support has been introduced in the newer JDK versions as well. The ciphers are ordered with PFS ciphers being most preferred, then AEAD ciphers, and finally those with mainstream hardware support. * Fixes for TLSv1.3 on JDK11 * fix for JDK-8212885
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit updates the default ciphers and TLS protocols that are used
after the minimum supported JDK is JDK 11. The conditionals around
TLSv1.3 and 256-bit cipher support have been removed. JDK 11 no longer
requires an unlimited JCE policy file for 256 bit cipher support and
TLSv1.3 is supported in JDK 11+. New cipher support has been introduced
in the newer JDK versions as well. The ciphers are ordered with PFS
ciphers being most preferred, then AEAD ciphers, and finally those with
mainstream hardware support.