ssl_ciphersuite: limit ECDH curves where possible
1811def52602 (Unpublished)

Description

ssl_ciphersuite: limit ECDH curves where possible

This removes support for secp384r1 and secp521r1 in the common
case (jessie+nginx), possibly other lesser-known curves on
trusty+nginx? Apache doesn't have an easy way to configure this
at all.

The two curves mentioned above are expensive relative to the
default secp256r1, which is sufficient for today's pragmatic
security margins. They're also virtually never used (except
occasional artificial probing) in our stats. At best, they're a
vector for trying to consume CPU on our terminators, and at worst
they're vectors for unknown weaknesses, being so little used and
therefore studied in the TLS context.

X25519 is of course our first preference on installs which have a
new-enough libssl. If the world moves towards larger ECDH curves
in the future, it will likely be in the direction of X448 instead
of the legacy ones anyways, assuming newer PQ-Crypto algs don't
overtake the scene before that's necessary.

Change-Id: I4b5f4261f3538bee3bd4b413d34aef7925e1b3ae
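
As an added example (not part of this commit or the repository's code), a small Python check that flags nginx curve settings wider than the policy the commit message describes. The `ssl_ecdh_curve` directive name comes from nginx itself rather than from this page; the allowed set, the function name `audit_ecdh_curves` and the sample configs are assumptions constructed for illustration.

```python
import re

# Policy as described in the commit message: X25519 first, secp256r1 as fallback.
# OpenSSL calls secp256r1 "prime256v1", so both spellings are accepted.
ALLOWED = {"x25519", "prime256v1", "secp256r1"}
DIRECTIVE = re.compile(r"\bssl_ecdh_curve\s+([^;]+);")

# Constructed sample configs (not taken from the repository).
SAMPLE_WIDE = """
server {
    listen 443 ssl;
    # ssl_ecdh_curve X25519;  (commented out, must be ignored)
    ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
}
"""
SAMPLE_LIMITED = """
server {
    listen 443 ssl;
    ssl_ecdh_curve X25519:prime256v1;
}
"""


def audit_ecdh_curves(conf):
    """Return (line_number, message) findings for an nginx config string."""
    findings = []
    seen = False
    for lineno, raw in enumerate(conf.splitlines(), 1):
        match = DIRECTIVE.search(raw.split("#", 1)[0])  # drop trailing comments
        if not match:
            continue
        seen = True
        for curve in filter(None, match.group(1).strip().split(":")):
            if curve.lower() == "auto":
                findings.append((lineno, "auto: curve list left to libssl defaults"))
            elif curve.lower() not in ALLOWED:
                findings.append((lineno, f"{curve}: not in the allowed set"))
    if not seen:
        # Line 0 marks a file-level finding: nothing restricts the curves.
        findings.append((0, "ssl_ecdh_curve missing: server defaults apply"))
    return findings


if __name__ == "__main__":
    for name, conf in (("wide", SAMPLE_WIDE), ("limited", SAMPLE_LIMITED)):
        print(name, audit_ecdh_curves(conf) or "OK")
```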