Which protocols should my client support?


Which protocols should my client support?

Jeff Archer
I think this is a silly question but I still would like to get a knowledgeable and experienced confirmation of my thinking.

My client is a custom application and as such only needs to communicate with specific servers for specific purposes.  I think it makes sense for my client to only support the specific protocol that my server will use, ECDHE-RSA-AES128-GCM-SHA256.  Does this sound reasonable or should I also include others as well?

My thinking is that if the servers are changed one day, it would only be for increasing security and thus I will probably need to update to latest OpenSSL and so will be updating my app at this time anyway.  Also, since they are my company's servers, I will be notified ahead of time that change is coming.

Thanks,
Jeff




--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Which protocols should my client support?

Gaiseric Vandal
AES256?  Maybe some of the stronger SHA algorithms?





On 04/24/17 13:42, Jeff Archer wrote:
> I think this is a silly question but I still would like to get a knowledgeable and experienced confirmation of my thinking.
>
> My client is a custom application and as such only needs to communicate with specific servers for specific purposes.  I think it makes sense for my client to only support the specific protocol that my server will use, ECDHE-RSA-AES128-GCM-SHA256.  Does this sound reasonable or should I also include others as well?
>
> My thinking is that if the servers are changed one day, it would only be for increasing security and thus I will probably need to update to latest OpenSSL and so will be updating my app at this time anyway.  Also, since they are my company's servers, I will be notified ahead of time that change is coming.
>
> Thanks,
> Jeff








Re: Which protocols should my client support?

OpenSSL - User mailing list
> My client is a custom application and as such only needs to communicate with specific servers for specific purposes.  I think it makes sense for my client to only support the specific protocol that my server will use, ECDHE-RSA-AES128-GCM-SHA256.  Does this sound reasonable or should I also include others as well?

I would suggest you include the three main ciphers defined in TLS 1.3, as that represents the IETF's best thinking for now.  AESGCM 128, 256 and ChaCha-poly.


Re: Which protocols should my client support?

Viktor Dukhovni

> On Apr 24, 2017, at 4:04 PM, Salz, Rich via openssl-users <[hidden email]> wrote:
>
>> My client is a custom application and as such only needs to communicate with specific servers for specific purposes.  I think it makes sense for my client to only support the specific protocol that my server will use, ECDHE-RSA-AES128-GCM-SHA256.  Does this sound reasonable or should I also include others as well?
>
> I would suggest you include the three main ciphers defined in TLS 1.3, as that represents the IETF's best thinking for now. AESGCM 128, 256 and ChaCha-poly.

A clean way to get there without being too explicit is:

        HIGH+kECDHE:!SHA:!COMPLEMENTOFDEFAULT

With OpenSSL 1.1.0 this yields:

$ openssl ciphers -v 'HIGH+kECDHE:!aNULL:!SHA:!COMPLEMENTOFDEFAULT'
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256

With 1.0.2 you get:

$ openssl ciphers -v 'HIGH+kECDHE:!SHA:!COMPLEMENTOFDEFAULT'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256

--
        Viktor.
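Viktor's cipher string and Jeff's single suite, applied from an application rather than the command line. This is an added example using Python's ssl module (a wrapper over OpenSSL), not code from the thread; it assumes an OpenSSL 1.1.1 or later build, and the audit rules (ECDHE prefix, '-SHA' suffix for SHA-1 MACs, legacy cipher tags) are this example's own checks on OpenSSL suite names. Note that set_ciphers() governs only TLS 1.2 and earlier; the TLS 1.3 suites Rich lists are configured separately by OpenSSL and stay enabled.

```python
import ssl

# The cipher string Viktor suggests, and the one suite Jeff's server uses.
VIKTOR_CIPHERS = "HIGH+kECDHE:!SHA:!COMPLEMENTOFDEFAULT"
JEFF_SUITE = "ECDHE-RSA-AES128-GCM-SHA256"


def make_client_context(cipher_string):
    """Client context restricted to `cipher_string` for TLS 1.2 and below.

    PROTOCOL_TLS_CLIENT enables certificate and hostname verification;
    minimum_version refuses anything older than TLS 1.2. The TLS 1.3 suites
    are not affected by set_ciphers() and remain enabled.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx


def enabled_tls12_suites(ctx):
    """Pre-TLS-1.3 suite names the context will offer, in preference order
    (the application-side view of `openssl ciphers -v`)."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(names):
    """Suites a client should not be offering (example's own rules): no
    ephemeral ECDH key exchange, a SHA-1 MAC (OpenSSL names end in '-SHA'),
    or a legacy bulk cipher. An empty list means the string did its job."""
    legacy = ("RC4", "DES", "NULL", "EXP")
    return [n for n in names
            if not n.startswith("ECDHE-")
            or n.endswith("-SHA")
            or any(tag in n for tag in legacy)]


def selects_nothing(cipher_string):
    """True if OpenSSL rejects the string outright instead of silently
    falling back to its defaults, which is the failure mode a client wants."""
    try:
        make_client_context(cipher_string)
    except ssl.SSLError:
        return True
    return False


if __name__ == "__main__":
    for name in enabled_tls12_suites(make_client_context(VIKTOR_CIPHERS)):
        print(name)
```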
