Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Thread Tools Display Modes
  #1   (View Single Post)  
Old 4th September 2015
e1-531g e1-531g is offline
ISO Quartermaster
Join Date: Mar 2014
Posts: 587
Default Strong cipher config for relayd

I have discovered web page:
It containst exaples of cipher configs for popular software like Ngix, Apache and Lighttpd.
I think it is a good idea to post also config for relayd in TLS Accelerator Proxy mode. For educational purposes for others and also as promotional material for OpenBSD
So maybe somebody with experience in this field share example secure config for relayd?
Reply With Quote
  #2   (View Single Post)  
Old 5th September 2015
Posts: n/a

The cipher suite strings used by relayd are the same as those used by httpd, the standard `openssl ciphers` style. The strings from the aforementioned web page will work, too.

I'd generally use something like this?

tls ciphers "HIGH:!aNULL:!SSLv3:!DSS:!ECDSA:!RSA:-ECDH:ECDHE:+SHA384:+SHA256"
tls cipher-server-preference
tls no client-renegotiation
It gives an order of preference that makes sense to me:

DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=ChaCha20-Poly1305 Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ChaCha20-Poly1305 Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
In httpd, you have to use the dhe keyword for this suite selection to make sense. I'm not sure if the edh keyword is needed in relayd, EDH is usually only used in reference to old cipher suites which aren't included here.

It excludes SHA and DSA-based ciphers, non-PFS ciphers, and moves CBC-based ciphers to the back of the list.

It prefers discrete logarithm-based crypto over elliptic curves. Unfortunately, it seems questionable whether the current elliptic curves used in TLS are entirely trustworthy (see safecurves), but Firefox requires ECDHE if you want perfect forward secrecy.

I'm not sure how much all of this helps. If you're tweaking cipher suites beyond relayd's defaults, it would seem you're working against institutions of great power, for which TLS seems woefully inadequate. For most purposes, the defaults should be fine.

Last edited by Scarletts; 5th September 2015 at 03:18 AM.
Reply With Quote

cipherlist, openbsd, relayd, strong cipher setting

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
OpenBSD 5.4 : layer 7 filtering, playing with pf and relayd wesley OpenBSD Security 1 26th November 2013 02:54 PM
OpenBSD 5.4 : Layer 7 filtering, playing with pf and relayd wesley Guides 1 26th November 2013 07:50 AM
relayd gpatrick OpenBSD General 0 8th May 2012 10:10 PM
relayd gpatrick OpenBSD General 1 16th January 2010 12:19 AM
relayd won't work with multiple relays d0z3r OpenBSD General 0 26th June 2008 09:58 AM

All times are GMT. The time now is 07:36 AM.

Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2021, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick