GNUTLS
From Lolly's Wiki
Match the required ciphers for the German BSI
For example the ciphers that are defined secure for perfect forward secrecy in that document are:
| Cipher-Suite | IANA-No. | Refenrenced | Usable until |
|---|---|---|---|
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | 0xC0,0x23 | [RFC5289] | 2027+ |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | 0xC0,0x24 | [RFC5289] | 2027+ |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | 0xC0,0x2B | [RFC5289] | 2027+ |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 0xC0,0x2C | [RFC5289] | 2027+ |
| TLS_ECDHE_ECDSA_WITH_AES_128_CCM | 0xC0,0xAC | [RFC7251] | 2027+ |
| TLS_ECDHE_ECDSA_WITH_AES_256_CCM | 0xC0,0xAD | [RFC7251] | 2027+ |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 0xC0,0x27 | [RFC5289] | 2027+ |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 0xC0,0x28 | [RFC5289] | 2027+ |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 0xC0,0x2F | [RFC5289] | 2027+ |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 0xC0,0x30 | [RFC5289] | 2027+ |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | 0x00,0x40 | [RFC5246] | 2027+ |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | 0x00,0x6A | [RFC5246] | 2027+ |
| TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | 0x00,0xA2 | [RFC5288] | 2027+ |
| TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | 0x00,0xA3 | [RFC5288] | 2027+ |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | 0x00,0x67 | [RFC5246] | 2027+ |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | 0x00,0x6B | [RFC5246] | 2027+ |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | 0x00,0x9E | [RFC5288] | 2027+ |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | 0x00,0x9F | [RFC5288] | 2027+ |
| TLS_DHE_RSA_WITH_AES_128_CCM | 0xC0,0x9E | [RFC6655] | 2027+ |
| TLS_DHE_RSA_WITH_AES_256_CCM | 0xC0,0x9F | [RFC6655] | 2027+ |
The key to the table is: TLS_(key exchange algorithms)_WITH_(ciphers)_(hash algorithms)
So to build a definition for GnuTLS that matches this requirements is:
- Some basic security settings: %SERVER_PRECEDENCE:%LATEST_RECORD_VERSION:PFS
- Disable defaults, enable only TLSv1.2: -VERS-TLS-ALL:+VERS-TLS1.2:-VERS-DTLS-ALL:-CIPHER-ALL:-KX-ALL:-MAC-ALL:-CURVE-ALL
- Set the key exchange algorithms: +ECDHE-RSA:+ECDHE-ECDSA:+DHE-DSS:+DHE-RSA
- Set the ciphers: +AES-256-CBC:+AES-128-CBC:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305(used by google mail, so I needed it as well)
- Set the hash algorithms: +SHA256:+SHA384:+AEAD (The +AEAD is something that is not directly seen be the list above
, but you need it for GCM)
- Set the wanted curves from the document above: +CURVE-SECP256R1:+CURVE-SECP384R1
- Set the signature algorithm used in your certificate: +SIGN-RSA-SHA256 for me
And now put ist all together and let us see what happens:
$ gnutls-cli --list CIPHER --priority '%SERVER_PRECEDENCE:%LATEST_RECORD_VERSION:PFS:-VERS-TLS-ALL:+VERS-TLS1.2:-VERS-DTLS-ALL:-KX-ALL:-CIPHER-ALL:-MAC-ALL:-CURVE-ALL:-SIGN-ALL:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-DSS:+DHE-RSA:+AES-256-CBC:+AES-128-CBC:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+SHA256:+SHA384:+AEAD:+CURVE-SECP256R1:+CURVE-SECP384R1:+SIGN-RSA-SHA256'
Cipher suites for %SERVER_PRECEDENCE:%LATEST_RECORD_VERSION:PFS:-VERS-TLS-ALL:+VERS-TLS1.2:-VERS-DTLS-ALL:-KX-ALL:-CIPHER-ALL:-MAC-ALL:-CURVE-ALL:-SIGN-ALL:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-DSS:+DHE-RSA:+AES-256-CBC:+AES-128-CBC:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+SHA256:+SHA384:+AEAD:+CURVE-SECP256R1:+CURVE-SECP384R1:+SIGN-RSA-SHA256
TLS_ECDHE_RSA_AES_256_CBC_SHA384 0xc0, 0x28 TLS1.2
TLS_ECDHE_RSA_AES_128_CBC_SHA256 0xc0, 0x27 TLS1.2
TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2
TLS_ECDHE_RSA_AES_128_GCM_SHA256 0xc0, 0x2f TLS1.2
TLS_ECDHE_RSA_CHACHA20_POLY1305 0xcc, 0xa8 TLS1.2
TLS_ECDHE_ECDSA_AES_256_CBC_SHA384 0xc0, 0x24 TLS1.2
TLS_ECDHE_ECDSA_AES_128_CBC_SHA256 0xc0, 0x23 TLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2c TLS1.2
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256 0xc0, 0x2b TLS1.2
TLS_ECDHE_ECDSA_CHACHA20_POLY1305 0xcc, 0xa9 TLS1.2
TLS_DHE_DSS_AES_256_CBC_SHA256 0x00, 0x6a TLS1.2
TLS_DHE_DSS_AES_128_CBC_SHA256 0x00, 0x40 TLS1.2
TLS_DHE_DSS_AES_256_GCM_SHA384 0x00, 0xa3 TLS1.2
TLS_DHE_DSS_AES_128_GCM_SHA256 0x00, 0xa2 TLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b TLS1.2
TLS_DHE_RSA_AES_128_CBC_SHA256 0x00, 0x67 TLS1.2
TLS_DHE_RSA_AES_256_GCM_SHA384 0x00, 0x9f TLS1.2
TLS_DHE_RSA_AES_128_GCM_SHA256 0x00, 0x9e TLS1.2
TLS_DHE_RSA_CHACHA20_POLY1305 0xcc, 0xaa TLS1.2
Certificate types: CTYPE-X.509
Protocols: VERS-TLS1.2
Compression: COMP-NULL
Elliptic curves: CURVE-SECP256R1, CURVE-SECP384R1
PK-signatures: SIGN-RSA-SHA256
As you can see it is not all what we would expect, but is faces all what is implemented and can be used with our restrictions in GnuTLS. As far as I know: that's it!
