Remove AES128 TLS ciphers for TLS 1.2 by default (#2528)

Removes ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-RSA-AES128-GCM-SHA256 ciphers from: - from ingress traffic getting to nginz; - from ingress-traffic getting to nginz-cannon; - and if applicable (not installed by default) backoffice (which was using a larger list of ciphers). - removes these ciphers from being used/allowed in server-to-server federation exchanges. Also removes `TLS_CHACHA20_POLY1305_SHA256` in case TLS 1.3 is active. Co-authored-by: Sebastian Willenborg <[email protected]>
wireapp · Aug 9, 2022 · cb42072 · cb42072
1 parent 35ca3fb
commit cb42072
Show file tree

Hide file tree

Showing 7 changed files with 30 additions and 21 deletions.
diff --git a/changelog.d/2-features/tls-certs-reduce-default-list b/changelog.d/2-features/tls-certs-reduce-default-list
@@ -0,0 +1 @@
+For TLS1.2, by default, remove ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-RSA-AES128-GCM-SHA256 ciphers for ingress traffic.
diff --git a/charts/backoffice/templates/configmap.yaml b/charts/backoffice/templates/configmap.yaml
@@ -127,8 +127,14 @@ data:
         ssl_session_timeout 5m;
         ssl_prefer_server_ciphers on;
         ssl_protocols TLSv1.2 TLSv1.3;
-        ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
-
+        # NOTE: These are some sane defaults (compliant to TR-02102-2), you may want to overrride them on your own installation
+        # For TR-02102-2 see https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-2.html
+        # As a Wire employee, for Wire-internal discussions and context see
+        # * https://wearezeta.atlassian.net/browse/FS-33
+        # * https://wearezeta.atlassian.net/browse/FS-444
+        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384'; # for TLS 1.2
+        # FUTUREWORK: upgrade nginx used for the backoffice to support ssl_conf_command (i.e. build a new backoffice-frontend), then uncomment below
+        # ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384; # for TLS 1.3
         server {
           listen {{ .Values.service.internalPort }};
 

diff --git a/charts/cannon/templates/conf/_nginx.conf.tpl b/charts/cannon/templates/conf/_nginx.conf.tpl
@@ -196,7 +196,8 @@ http {
     ssl_certificate_key /etc/wire/nginz/tls/tls.key;
 
     ssl_protocols {{ .Values.nginx_conf.tls.protocols }};
-    ssl_ciphers {{ .Values.nginx_conf.tls.ciphers }};
+    ssl_ciphers {{ .Values.nginx_conf.tls.ciphers_tls12 }}; # this only sets TLS 1.2 ciphers (and has no effect if TLS 1.2 is not enabled)
+    ssl_conf_command Ciphersuites {{ .Values.nginx_conf.tls.ciphers_tls13 }}; # needed to override TLS 1.3 ciphers.
 
     # Disable session resumption. See comments in SQPIT-226 for more context and
     # discussion.

diff --git a/charts/cannon/values.yaml b/charts/cannon/values.yaml
@@ -46,7 +46,8 @@ nginx_conf:
     # As a Wire employee, for Wire-internal discussions and context see
     # * https://wearezeta.atlassian.net/browse/FS-33
     # * https://wearezeta.atlassian.net/browse/FS-444
-    ciphers: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
+    ciphers_tls12: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
+    ciphers_tls13: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"
 
   # The origins from which we allow CORS requests. These are combined with
   # 'external_env_domain' to form a full url

diff --git a/charts/nginx-ingress-controller/values.yaml b/charts/nginx-ingress-controller/values.yaml
@@ -8,7 +8,9 @@ nginx-ingress:
       # As a Wire employee, for Wire-internal discussions and context see
       # * https://wearezeta.atlassian.net/browse/FS-33
       # * https://wearezeta.atlassian.net/browse/FS-444
-      ssl-ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
+      #
+      # Note/FUTUREWORK: this current ingress-controller does not yet support TLS 1.3 (and its ciphers). An upgrade/different helm chart will be provided in the future.
+      ssl-ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
       http2-max-field-size: 16k
       http2-max-header-size: 32k
       proxy-buffer-size: 16k

diff --git a/docs/src/how-to/install/tls.rst b/docs/src/how-to/install/tls.rst
@@ -6,19 +6,19 @@ Configure TLS ciphers
 The following table lists recommended ciphers for TLS server setups, which should be used in wire deployments.
 
 
-============================= ======= ================= ========================
-Cipher                        Version `BSI TR-02102-2`_ `Mozilla TLS Guideline`_
-============================= ======= ================= ========================
-ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 **yes**           intermediate
-ECDHE-RSA-AES128-GCM-SHA256   TLSv1.2 **yes**           intermediate
-ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 **yes**           intermediate
-ECDHE-RSA-AES256-GCM-SHA384   TLSv1.2 **yes**           intermediate
-ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 no                intermediate
-ECDHE-RSA-CHACHA20-POLY1305   TLSv1.2 no                intermediate
-TLS_AES_128_GCM_SHA256        TLSv1.3 **yes**           **modern**
-TLS_AES_256_GCM_SHA384        TLSv1.3 **yes**           **modern**
-TLS_CHACHA20_POLY1305_SHA256  TLSv1.3 no                **modern**
-============================= ======= ================= ========================
+============================= ======= ============ ================= ========================
+Cipher                        Version Wire default `BSI TR-02102-2`_ `Mozilla TLS Guideline`_
+============================= ======= ============ ================= ========================
+ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 no           **yes**           intermediate
+ECDHE-RSA-AES128-GCM-SHA256   TLSv1.2 no           **yes**           intermediate
+ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 **yes**      **yes**           intermediate
+ECDHE-RSA-AES256-GCM-SHA384   TLSv1.2 **yes**      **yes**           intermediate
+ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 no           no                intermediate
+ECDHE-RSA-CHACHA20-POLY1305   TLSv1.2 no           no                intermediate
+TLS_AES_128_GCM_SHA256        TLSv1.3 **yes**      **yes**           **modern**
+TLS_AES_256_GCM_SHA384        TLSv1.3 **yes**      **yes**           **modern**
+TLS_CHACHA20_POLY1305_SHA256  TLSv1.3 no           no                **modern**
+============================= ======= ============ ================= ========================
 
 
 .. _bsi tr-02102-2: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-2.pdf

diff --git a/services/federator/src/Federator/Remote.hs b/services/federator/src/Federator/Remote.hs
@@ -177,7 +177,5 @@ blessedCiphers =
     TLS.cipher_TLS13_AES256GCM_SHA384,
     -- For TLS 1.2 (copied from default nginx ingress config):
     TLS.cipher_ECDHE_ECDSA_AES256GCM_SHA384,
-    TLS.cipher_ECDHE_RSA_AES256GCM_SHA384,
-    TLS.cipher_ECDHE_ECDSA_AES128GCM_SHA256,
-    TLS.cipher_ECDHE_RSA_AES128GCM_SHA256
+    TLS.cipher_ECDHE_RSA_AES256GCM_SHA384
   ]
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		For TLS1.2, by default, remove ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-RSA-AES128-GCM-SHA256 ciphers for ingress traffic.