From 027154ecf0beb544be271329e01d447ba49781f6 Mon Sep 17 00:00:00 2001 From: Jan Andre Ikenmeyer Date: Wed, 21 Nov 2018 22:04:30 +0100 Subject: [PATCH] Cleanup of default ciphersuite list * don't offer DHE ciphersuites like Chrome * don't offer AES-CBC-SHA2 like Firefox and Chrome * don't offer AES-GCM for plain RSA like Firefox * don't offer ECDSA with AES-CBC like Chrome * don't offer weak DES-CBC3-SHA * prefer AES256 over AES128 like Mozilla Modern, Safari and Edge --- components/net/connector.rs | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/components/net/connector.rs b/components/net/connector.rs index 44166bf92a9..c93f82df5e2 100644 --- a/components/net/connector.rs +++ b/components/net/connector.rs @@ -201,18 +201,11 @@ where .build(connector) } -// The basic logic here is to prefer ciphers with ECDSA certificates, Forward -// Secrecy, AES GCM ciphers, AES ciphers, and finally 3DES ciphers. +// Prefer Forward Secrecy over plain RSA, AES-GCM over AES-CBC, ECDSA over RSA. // A complete discussion of the issues involved in TLS configuration can be found here: // https://wiki.mozilla.org/Security/Server_Side_TLS const DEFAULT_CIPHERS: &'static str = concat!( - "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:", "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:", - "DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:", - "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:", - "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:", - "ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:", - "DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:", - "ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:", - "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA" + "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:", + "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA" );