Strong cipher config for relayd
Hello
I have discovered a web page:
Code:
    https://cipherli.st/

I think it would be a good idea to also post a config for relayd in TLS Accelerator Proxy mode, for educational purposes for others and also as promotional material for OpenBSD. So maybe somebody with experience in this field could share an example secure config for relayd?

The cipher suite strings used by relayd are the same as those used by httpd, the standard `openssl ciphers` style. The strings from the aforementioned web page will work, too.

I'd generally use something like this?
Code:
    tls ciphers "HIGH:!aNULL:!SSLv3:!DSS:!ECDSA:!RSA:-ECDH:ECDHE:+SHA384:+SHA256"
    tls cipher-server-preference
    tls no client-renegotiation

Code:
    DHE-RSA-CHACHA20-POLY1305     TLSv1.2 Kx=DH   Au=RSA Enc=ChaCha20-Poly1305 Mac=AEAD
    DHE-RSA-AES256-GCM-SHA384     TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(256)       Mac=AEAD
    DHE-RSA-AES128-GCM-SHA256     TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(128)       Mac=AEAD
    ECDHE-RSA-CHACHA20-POLY1305   TLSv1.2 Kx=ECDH Au=RSA Enc=ChaCha20-Poly1305 Mac=AEAD
    ECDHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256)       Mac=AEAD
    ECDHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128)       Mac=AEAD
    ECDHE-RSA-AES256-SHA384       TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256)          Mac=SHA384
    DHE-RSA-AES256-SHA256         TLSv1.2 Kx=DH   Au=RSA Enc=AES(256)          Mac=SHA256
    DHE-RSA-CAMELLIA256-SHA256    TLSv1.2 Kx=DH   Au=RSA Enc=Camellia(256)     Mac=SHA256
    DHE-RSA-AES128-SHA256         TLSv1.2 Kx=DH   Au=RSA Enc=AES(128)          Mac=SHA256
    DHE-RSA-CAMELLIA128-SHA256    TLSv1.2 Kx=DH   Au=RSA Enc=Camellia(128)     Mac=SHA256
    ECDHE-RSA-AES128-SHA256       TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128)          Mac=SHA256

It excludes SHA and DSA-based ciphers, non-PFS ciphers, and moves CBC-based ciphers to the back of the list. It prefers discrete logarithm-based crypto over elliptic curves. Unfortunately, it seems questionable whether the current elliptic curves used in TLS are entirely trustworthy (see safecurves), but Firefox requires ECDHE if you want perfect forward secrecy.

I'm not sure how much all of this helps. If you're tweaking cipher suites beyond relayd's defaults, it would seem you're working against institutions of great power, for which TLS seems woefully inadequate. For most purposes, the defaults should be fine.

Last edited by Scarletts; 5th September 2015 at 03:18 AM.
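An added example, written for this page and not posted by either participant nor taken from relayd's shipped sample config, that puts the three tls lines from the reply above into a complete relayd.conf for TLS Accelerator Proxy mode: the relay terminates TLS on the public address and forwards plaintext HTTP to a backend, with a health check so a dead backend is pulled from the table. The addresses 203.0.113.10 and 10.0.0.10, the table name, the protocol name and the relay name are assumptions; the cipher string, cipher-server-preference and client-renegotiation settings are exactly the ones from the reply. With no keypair configured, relayd loads the certificate and key by listen address, here /etc/ssl/203.0.113.10.crt and /etc/ssl/private/203.0.113.10.key.

```conf
# /etc/relayd.conf (added example; addresses and names are assumptions)

ext_addr = "203.0.113.10"   # assumed public address relayd listens on
web_backend = "10.0.0.10"   # assumed plaintext HTTP backend

table <webhosts> { $web_backend }

http protocol "httpsfilter" {
        # Tell the backend who the real client is; relayd is the TLS endpoint.
        match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
        match request header set "Connection" value "close"

        # TLS settings from the reply above: PFS-only, no SHA1/DSS,
        # CBC suites last, server picks the order, no client renegotiation.
        tls ciphers "HIGH:!aNULL:!SSLv3:!DSS:!ECDSA:!RSA:-ECDH:ECDHE:+SHA384:+SHA256"
        tls cipher-server-preference
        tls no client-renegotiation
}

relay "tlsaccel" {
        # TLS is terminated here; cert/key are looked up by this address.
        listen on $ext_addr port 443 tls
        protocol "httpsfilter"

        # Plaintext to the backend; remove it from the table if GET / stops returning 200.
        forward to <webhosts> port 80 check http "/" code 200
}
```

Check the file with `relayd -n -f /etc/relayd.conf` before loading it, and run `openssl ciphers -v` on the quoted string on the relayd host itself to see what it expands to there; that is how the suite list in the reply was produced, and the expansion depends on the libcrypto the release ships.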