Negative options for SSL ciphers and ciphers with + don't pass validation. Neither of the recommended cipher options from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html pass the regex

ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

The defaults don't work with Firefox 46+ #229

See the discussion on #225 for a cipher suite that works fine with HTTP/2.

I propose to change the default cipher suite from the current openssl default to a known good default that's secure and compatible with all relevant browsers.

Given that #227 has been fixed, we could just use the Mozilla recommended cipher suite in the "intermediate profile" for nginx with openssl 1.0.2 or a much shorter definition with the same level of compatibility:

EECDH+AES128:EDH+AES128:RSA+AES128:EECDH+AES256:EDH+AES256:RSA+AES256:RSA+3DES:!DSS

This expands to the following list on the router's openssl:

# Prefer 128-Bit Encryption
# with GCM
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
# or SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
# or SHA1
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
# Fallback to EDH if ECDH is not supported (requires 2048-Bit DH param)
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
# Fallback to no EDH / ECDH for 1024-Bit DH (no Forward Secrecy)
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
# The same as above for 256-Bit.
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
# Allow 112-Bit 3DES CBC SHA1 for IE 8 compatibility
DES-CBC3-SHA

The Mozilla recommended list included a few more ciphers that aren't used by any clients in the wild or are not supported by the openssl in the deis router like chachapoly.

The Mozilla recommended ciphers for immediate compatibility are:

ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

Which expands to this list on the router's openssl:

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA
ECDHE-ECDSA-DES-CBC3-SHA
ECDHE-RSA-DES-CBC3-SHA
EDH-RSA-DES-CBC3-SHA
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256
AES256-SHA256
AES128-SHA
AES256-SHA
DES-CBC3-SHA

@sstarcher: The defaults don't work with Firefox 46+ #229

Actually they work with Firefox 49+, but the current stable version 48 is still broken.

Oh and the intermediate compatibility profile I'm talking about is listed in the Mozilla Wiki:

https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations

It's compatible with: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7
And incompatible with: Windows XP IE6, Java 6

The shorter definition given by me support the same clients.

The exact list of ciphers used can be expanded on the router by calling:

openssl ciphers EECDH+AES128:EDH+AES128:RSA+AES128:EECDH+AES256...

@sstarcher The definition given by me is much shorter than the one proposed by you, because it already takes into account that we're using openssl 1.0.2 and because it uses better matching keys.

@felixbuenemann You sir are 1 day ahead of me. I'll test out the latest build of the router.

@sstarcher Please re-open this issue, the new cipher list is not yet included. I was about to open an issue for that myself, but wanted to avoid duplication.

@krancour You might be interested in the discussion on this issue.

@sstarcher I'm working on a PR to solve this, so it should hopefully be fixed soon.

As has been noted in #225, if the cipher suite isn't explicitly specified, OpenSSL's default list of ciphers is used. It's been suggested that a specific set be specified.

I have one word of caution regarding that suggestion...

With each release of the router component, there is the potential for a newer version of OpenSSL than in the previous release (this would happen naturally as the deis/base image evolves). This means the default set of ciphers evolves and strengthens over time with no action on our part.

If we explicitly override that, we will momentarily be the most secure we have ever been, but that list will go stale very quickly. Keeping that list fresh over time would represent a manual maintenance burden, which if overlooked, will result in a scenario worse than if the OpenSSL defaults were just used.

Now... I'm not at all saying we shouldn't do this. But I am saying this is a concern that we should take into consideration.

@krancour That's fully reasonable, but it's also very bad that OpenSSL's default ciphers at this point in time break in the latest versions of Firefox.

@krancour It's not like new ciphers are added every day. We could already include cha-cha-poly and hope for its default inclusion in the future, but this could also break clients. So I think it's a better idea to ship a known-good list of ciphers and adapt in the future if needed.

I have been using the proposed list for at least a year and it's still up-to-date.

The list will also have to be updated in the future if new ssl vulnerabilities crop up, that render some of the currently selected ciphers insecure. In that case you will also want to disable the cipher quickly in the default list instead of waiting on an os update to fix that some time in the future.

I've created PR #231 that proposes a default cipher list which also fixes the Firefox HTTP/2 connection problems.

@krancour I think this issue can be closed, now that #231 has been merged.

tested and it works great