bmcweb: update SSL cipher suites to OWASP compatB

Previously, bmcweb was utilizing the "mozilla compatibility" cipher
suites.  This is overly lenient on broken ciphers and can cause some
issues with security reviews.  In researching this, it looks like we
never actually documented that we follow Mozilla ciphers, aside from the
statement "The OpenBMC webserver shall follow the latest OWASP recommendations for
  authentication, session management, and security."  Considering that
we're moving _to_ OWASP recommendations, this commit is simply making us
follow the advice we already document, although this commit also updates
the documentation to be more clear.

Tested By:
Loaded on a BMC, opened web page in browser, and observed phosphor-webui
loaded correctly.

Change-Id: I912b35d378ce955c1472b2d54f1a365f6efea160
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
diff --git a/DEVELOPING.md b/DEVELOPING.md
index 6a920bc..f06ae81 100644
--- a/DEVELOPING.md
+++ b/DEVELOPING.md
@@ -92,6 +92,10 @@
    authentication, session management, and security.
 
 9. ### Performance
+   TLS uses cipher suites from the "OWASP Cipher String 'B'" to maintain as
+   much compatibility as we can with modern browsers, while still keeping a
+   strong security posture.
+
    The performance priorities for the OpenBMC webserver are (in order):
     1. Code is readable and clear
     2. Code follows secure guidelines
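Review bot: The new TLS paragraph is placed directly under the "9. ### Performance" heading, ahead of "The performance priorities for the OpenBMC webserver are (in order):", so the cipher policy reads as a performance statement. It belongs with the preceding item that ends in "authentication, session management, and security."; please move the three added lines above the "9. ### Performance" line. It would also help to include the cheat sheet URL that the code comment in ssl_key_handler.hpp cites, so the document points at the exact list being followed.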
diff --git a/include/ssl_key_handler.hpp b/include/ssl_key_handler.hpp
index 32d7a73..fc088ad 100644
--- a/include/ssl_key_handler.hpp
+++ b/include/ssl_key_handler.hpp
@@ -352,8 +352,23 @@
 
     std::string aesOnlyCiphers = "AES128+EECDH:AES128+EDH:!aNULL:!eNULL";
 
+    // OWASP Cipher String 'B' (Broad compatibility to browsers)
+    // https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet
+    std::string owaspBroadCompatibility = "DHE-RSA-AES256-GCM-SHA384:"
+                                          "DHE-RSA-AES128-GCM-SHA256:"
+                                          "ECDHE-RSA-AES256-GCM-SHA384:"
+                                          "ECDHE-RSA-AES128-GCM-SHA256:"
+                                          "DHE-RSA-AES256-SHA256:"
+                                          "DHE-RSA-AES128-SHA256:"
+                                          "ECDHE-RSA-AES256-SHA384:"
+                                          "ECDHE-RSA-AES128-SHA256:"
+                                          "ECDHE-RSA-AES256-SHA:"
+                                          "ECDHE-RSA-AES128-SHA:"
+                                          "DHE-RSA-AES256-SHA:"
+                                          "DHE-RSA-AES128-SHA";
+
     if (SSL_CTX_set_cipher_list(mSslContext.native_handle(),
-                                mozillaCompatibilityCiphers.c_str()) != 1)
+                                owaspBroadCompatibility.c_str()) != 1)
     {
         BMCWEB_LOG_ERROR << "Error setting cipher list\n";
     }
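Review bot: The failure branch after `SSL_CTX_set_cipher_list(...) != 1` only logs "Error setting cipher list" and carries on, so if the new string is ever rejected the context keeps the library's default cipher list and the restriction this change is meant to enforce silently does not apply. Consider treating that case as fatal for the TLS setup rather than logging and continuing. Two smaller points on the added string: every entry in `owaspBroadCompatibility` is an `-RSA-` suite, so a server certificate with an ECDSA key would leave no suite to negotiate, which deserves a comment or a check where the certificate is loaded; and `mozillaCompatibilityCiphers` is no longer passed to the call here, so if nothing else references it (the same goes for `aesOnlyCiphers`, visible just above) it can be removed in this change to avoid leaving a stale, weaker list in the file.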