Author |
|
mrdj1024
Joined: 03 Apr 2023 Posts: 55 Location: Bridgeton,NJ,USA
|
Posted: Sat 26 Oct '24 23:25 Post subject: ECDSA question |
|
|
hello!
so i came across this "ECDSA does not encrypt or prevent someone from seeing or accessing your data, what it protects against though is making sure that the data was not tampered with"
so does this mean if we use ssl for a webserver our only option is RSA? because i always liked ecdsa because of the shorter keysizes and faster ssl handshakes,but if its not encrypting the data from packet sniffers its basically useless,so should we switch to rsa 3072 bit to get the equivalent of a p-256 key? |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
|
Back to top |
|
mrdj1024
Joined: 03 Apr 2023 Posts: 55 Location: Bridgeton,NJ,USA
|
Posted: Thu 07 Nov '24 14:26 Post subject: |
|
|
thankyou very much for the detailed info! i made a new 384 key and added your conf options and got an a+ on ssllabs
does this look right?
Code: | # SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate,
# and that httpd will negotiate as the client of a proxied server.
# See the OpenSSL documentation for a complete list of ciphers, and
# ensure these follow appropriate best practices for this deployment.
# httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
# while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
#SSLProxyCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384 |
https://ibb.co/GdnHtDv
im on windows |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Fri 08 Nov '24 11:04 Post subject: |
|
|
Your configuration looks good. |
|
Back to top |
|
mrdj1024
Joined: 03 Apr 2023 Posts: 55 Location: Bridgeton,NJ,USA
|
Posted: Tue 12 Nov '24 5:14 Post subject: |
|
|
according to mozilla these suites are also secure
Code: | ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 |
can these still give a a+ rating? and if so,which order should they be in to ensure best speed? |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Tue 12 Nov '24 10:13 Post subject: |
|
|
DHE-RSA-AES256-GCM-SHA384, DHE-RSA-CHACHA20-POLY1305, and DHE-RSA-AES128-GCM-SHA256 have no EC (elliptic curves) and are no longer considered secure.
ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-RSA-AES128-GCM-SHA256 are still on "the good list"[1] of SSL test labs but have only 128 bits.
[1] https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices |
|
Back to top |
|
mrdj1024
Joined: 03 Apr 2023 Posts: 55 Location: Bridgeton,NJ,USA
|
Posted: Tue 12 Nov '24 14:50 Post subject: |
|
|
thankyou,so i updated my ssl conf to
Code: | SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256 |
is this order correct,as i sometimes use rsa keys that are 3072 bit? |
|
Back to top |
|
DnvrSysEngr
Joined: 15 Apr 2012 Posts: 226 Location: Denver, CO USA
|
Posted: Wed 13 Nov '24 2:04 Post subject: |
|
|
Looks same as mine, except i have CHACHA listed in 2nd place
SSLCipherSuite SSL --- ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256
SSLCipherSuite TLSv1.3 --- TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 |
|
Back to top |
|
mrdj1024
Joined: 03 Apr 2023 Posts: 55 Location: Bridgeton,NJ,USA
|
Posted: Wed 13 Nov '24 2:37 Post subject: |
|
|
thanks for the reply!
i'd appreciate it if someone could make me a list in the correct order so i can use both 384 ecdsa and 3072 bit rsa certs on the same server.
i dont need an a+ rating by any means but it would be nice to be able to use both types of encryption with both security and speed in mind. |
|
Back to top |
|
DnvrSysEngr
Joined: 15 Apr 2012 Posts: 226 Location: Denver, CO USA
|
Posted: Thu 14 Nov '24 22:05 Post subject: |
|
|
I have mine sorted on what I discovered to be the most secure/robust based on the research I had done. Not sure I can provide any more information than that. |
|
Back to top |
|