TLS Cipher Strings



#1 Michael Schindler
    Active Member

  • uniGUI Subscriber
  • 95 posts

Posted 06 June 2017 - 02:21 PM

Hi there,

 

Some of our customers are afraid of using RC4 in the cipher settings of our uniGUIServer. Since the default from Indy10 (which is used in uniGUI) uses RC4, we tried to find a solution.

 

In OWASP (= open software security community) there is a cheat sheet about TLS Cipher Strings. We tried to implement the recommendations for a cipher string and we want to share this with you:

 

Here is the link to the original document: https://www.owasp.or...ing_Cheat_Sheet

 

Please read the section "Scenarios" in the link above to understand the different strengths of cipher strings.

 

Option 1 is to hard-code the different cipher strings and provide them with a simple function:

// Returns an OpenSSL cipher-list string (suite names separated by ':', in order
// of preference) for one of the five OWASP strength levels. Each level appends
// the next, weaker group to the groups before it.
function GetCipherList(AStrength: Integer): WideString;
const
  // Group 1: AEAD (GCM) suites with forward secrecy (ECDHE / DHE key exchange)
  cCIPHER_LIST_1: WideString = 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256';
  // Group 2: CBC suites with SHA-2 MACs, still forward secret
  cCIPHER_LIST_2: WideString = 'DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256';
  // Group 3: CBC suites with SHA-1 MACs, still forward secret
  cCIPHER_LIST_3: WideString = 'ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA';
  // Group 4: static RSA key exchange, i.e. no forward secrecy
  cCIPHER_LIST_4: WideString = 'AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA';
  // Group 5: 3DES, for legacy clients only
  cCIPHER_LIST_5: WideString = 'DES-CBC3-SHA';
begin
  case AStrength of
    // Advanced Plus (A+)
    1: Result := cCIPHER_LIST_1;
    // Advanced (A)
    2: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2;
    // Broad Compatibility (B)
    3: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2 + ':' + cCIPHER_LIST_3;
    // Widest Compatibility (C)
    4: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2 + ':' + cCIPHER_LIST_3 + ':' + cCIPHER_LIST_4;
    // Legacy (C-)
    5: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2 + ':' + cCIPHER_LIST_3 + ':' + cCIPHER_LIST_4 + ':' + cCIPHER_LIST_5;
  else
    // Unknown strength: return an empty list so the caller notices the mistake
    Result := EmptyStr;
  end;
end;

// Apply the chosen list to the server's SSL options when the module is created.
procedure TServerModule.UniGUIServerModuleCreate(Sender: TObject);
begin
  inherited;
  SSL.SSLOptions.CipherList := GetCipherList(1);
end;

Option 2 is to use an INI file and define the cipher string there. With this you are more flexible and can quickly change the strength and/or the string itself.

 

Comments welcome!

 

Michael


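An added example, not code from Michael's post nor from uniGUI or Indy: the same five cumulative tiers rebuilt in Python so the resulting strings can be checked before they are pasted into CipherList. It runs a static policy check for the things the post's customers worry about (RC4, plus 3DES and suites without forward secrecy), and, where the interpreter's ssl module links OpenSSL, asks the library what the string actually expands to. The TIERS table, the WEAK_MARKERS list and every function name are assumptions of this example.

```python
"""Audit an OpenSSL cipher string built from the OWASP tiers (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed to mirror cCIPHER_LIST_1..5 from the post (OpenSSL suite names).
TIERS = {
    1: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
       "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256",
    2: "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:"
       "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256",
    3: "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA",
    4: "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA",
    5: "DES-CBC3-SHA",
}

# Substrings of OpenSSL suite names that a hardening review rejects outright.
WEAK_MARKERS = {
    "RC4": "RC4 stream cipher (prohibited for TLS by RFC 7465)",
    "DES-CBC3": "3DES, 64-bit block cipher (Sweet32)",
    "NULL": "no encryption",
    "EXP": "export-grade key sizes",
    "MD5": "MD5-based MAC",
}


def cipher_string(strength: int) -> str:
    """Same cumulative rule as GetCipherList: strength N = tiers 1..N joined by ':'.

    An out-of-range strength yields '' like the Delphi EmptyStr branch. Callers
    must treat '' as an error: an empty CipherList leaves the library default in
    force (assumption about Indy's behaviour), which is what the post avoids.
    """
    if strength not in TIERS:
        return ""
    return ":".join(TIERS[i] for i in range(1, strength + 1))


@dataclass
class Finding:
    suite: str
    issue: str


def audit(cipher_str: str) -> list[Finding]:
    """Static check of each suite name: weak primitives and missing forward secrecy."""
    findings: list[Finding] = []
    for suite in filter(None, cipher_str.split(":")):
        for marker, why in WEAK_MARKERS.items():
            if marker in suite:
                findings.append(Finding(suite, why))
        # ECDHE-/DHE- prefixes are ephemeral key exchange; TLS_ names are TLS 1.3
        # suites, which are always ephemeral. Anything else is static RSA.
        if not suite.startswith(("ECDHE-", "DHE-", "TLS_")):
            findings.append(Finding(suite, "no forward secrecy (static RSA key exchange)"))
    return findings


def resolve_with_openssl(cipher_str: str) -> list[str] | None:
    """Expand the string through the linked OpenSSL; None if unavailable or rejected.

    set_ciphers() only governs TLS 1.2 and below, so on OpenSSL 1.1.1+ the result
    also lists TLS 1.3 suites that the cipher string does not control.
    """
    try:
        import ssl
    except ImportError:
        return None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_str)
    except ssl.SSLError:  # "no cipher can be selected": every name was unknown/disabled
        return None
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    for strength in range(1, 6):
        s = cipher_string(strength)
        print(f"strength {strength}: {len(s.split(':'))} suites")
        for f in audit(s):
            print(f"  {f.suite}: {f.issue}")
    print("OpenSSL resolves A+ to:", resolve_with_openssl(cipher_string(1)))
```

Strengths 1 to 3 produce no findings; strength 4 adds six suites without forward secrecy and strength 5 adds 3DES on top. The resolution step is the check worth keeping in a deployment script: a suite name OpenSSL does not know is silently dropped from the list, so the expanded list, not the string you wrote, is what the server really offers.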



