Development discussions
reseed server TLS 1.3 preparation « Reseeding « I2P Development
Sun, 06 Jan 2019, 09:23am #1
I2P Legend

Since Java 7 has reached end of free public updates, and java 8 supports TLS 1.2 I would like to propose some changes on your reseed server:

* disable TLS 1.0 and TLS 1.1
* enable only TLS 1.2 with good ciphers
* and maybe TLS 1.3, if your system supports it (Java 11 adds support for TLSv1.3)

Check your system for TLS 1.3 support:

$ openssl version
OpenSSL 1.1.1a

$ openssl ciphers -s -stdname -V -tls1_3
0x13,0x02 - TLS_AES_256_GCM_SHA384 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
0x13,0x01 - TLS_AES_128_GCM_SHA256 - TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD

Since most of us use nginx with the reverse proxy setup, here are the relevant settings:

# nginx.conf
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers 'EECDH+AES256+AESGCM:EECDH+AES256+SHA384';
ssl_ecdh_curve secp521r1:secp384r1;
ssl_prefer_server_ciphers on;

Unfortunately the TLSv1.3 cipher suites cannot be configured in nginx right now, only the 1.2 ones.
So the config above will enable next to the specified TLS 1.2 ciphers all available TLS 1.3 ciphers.

untested, feedback is welcome:

# ssl.conf
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384

# GO, without a webserver, standalone with TLS support:
TLS 1.3 support is expected for upcoming go 1.12, I will investigate more and update the source code.
Note: reverse proxy setup is more preferred where you have an apache or nginx in the frontline.
I think nobody uses the go solution standalone ?

In case of questions don't hesitate to ask here, on individual settings you can also sent me an email of course.

Thanks very much,