DONTMERGE [common] Update ciphersuite used for securing pipe/UDS connections #1911
Conversation
…ections Previously, Gramine-SGX used MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 ciphersuite when creating TLS-secured pipes and Unix Domain Sockets. This ciphersuite is considered deprecated, thus we switch to MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 (with Elliptic Curve DHE key exchange). This is recommended for Forward Security. Unfortunately mbedTLS v3.6.0 doesn't provide an ECDHE PSK based ciphersuite that has AES-GCM, but only the one with AES-CBC. For the lack of options, we use the AES-CBC one. DONTMERGE: - This hampers performance of applications that use pipes/UDSes a lot. - Serialization of TLS sessions (during fork) is broken because our patch only works for GCM mode (only checkpoints CTR counter). Signed-off-by: Dmitrii Kuvaiskii <dmitrii.kuvaiskii@intel.com>
There was a problem hiding this comment.
Reviewable status: 0 of 2 files reviewed, 1 unresolved discussion, not enough approvals from maintainers (2 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "DONTMERGE" found in commit messages' one-liners
a discussion (no related file):
Also see this discussion: Mbed-TLS/mbedtls#8170
There was a problem hiding this comment.
Reviewable status: 0 of 2 files reviewed, 2 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "DONTMERGE" found in commit messages' one-liners (waiting on @dimakuv)
a discussion (no related file):
A crypto expert from Intel tells me that mbedTLS seems to follow these two RFCs exactly (which also don't have PSK + ECDHE + GCM combination defined):
Since there's no ECDHE + GCM combination, the crypto expert recommends to use TLS_DHE_PSK_WITH_AES_128_GCM_SHA256. I.e. not ECDHE but DHE. This ciphersuite is available in mbedTLS and should be performant.
|
As explained by @mpg in #1918 (comment), there is no deprecation of the currently-used |
Description of the changes
Previously, Gramine-SGX used MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 ciphersuite when creating TLS-secured pipes and Unix Domain Sockets. This ciphersuite is considered deprecated, thus we switch to MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 (with Elliptic Curve DHE key exchange). This is recommended for Forward Security.
Unfortunately mbedTLS v3.6.0 doesn't provide an ECDHE PSK based ciphersuite that has AES-GCM, but only the one with AES-CBC. For the lack of options, we use the AES-CBC one.
DONTMERGE:
There is an alternative PR that uses DHE: #1918
More info see also in Mbed-TLS/mbedtls#8170
How to test this PR?
CI is enough.
CI currently fails on forking apps, because serialization of TLS sessions doesn't work correctly. That's because of our minimalistic patch.
This change is