TLS 1.2 cipher preference in Rebex HTTPS

+1 vote
asked Nov 13 by mobile653 (650 points)
edited Nov 13 by mobile653

In TLS 1.2, there is a server-preferred order for the different ciphers, for example:

  1. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
  2. TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
  3. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)

Source: SSL Labs report for doc-0s-c8-docs.googleusercontent.com

We have three questions here:

  1. Does the client (running the Rebex HTTPS or Rebex HTTPS Legacy library) have to follow the server-preferred order, at least for all ciphers supported?

  2. Is there any client-side cipher preference or client-preferred order in the Rebex HTTPS or Rebex HTTPS Legacy library?

  3. Can we control this behaviour in the Rebex HTTPS or Rebex HTTPS Legacy library?

1 Answer

0 votes
answered Nov 13 by Lukas Pokorny (116,670 points)
selected Nov 19 by mobile653
 
Best answer

In all versions of the TLS protocol, the TLS client provides a list of ciphers it supports (in its preferred order), and the TLS server is free to choose any one of them. The TLS client has no choice but to use the cipher selected by the server. See the relevant sections of RFC 5246.

So to answer your questions:

1) The client is supposed to accept whatever cipher is selected by the server. It does not receive a list of server-side ciphers at all.

2) No. However, to most servers, the client's preferred order is irrelevant, so we have not included this option in our API.

3) Since it's the TLS server that gets to choose the cipher, and client-side order of supported ciphers is only advisory, TLS clients only really control whether they announce support for a particular cipher or not.

If the TLS client needs the server to accept the cipher the client prefers, it would have to attempt multiple negotiations, each with a list that only contains a single cipher. If it gets rejected by the server, it would try the next one in order.


(By the way, as an interesting side note - the cipher selection process is very different in SSH, where both sides do transmit a list of ciphers in preferred order, and the one supported by both and preferred by the client is selected.)
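The selection rules described in the answer above, as an added Python simulation (not part of the original answer and not Rebex code). It assumes a server that honours its own preference order, uses the server list quoted in the question, and an invented client list; all function names are hypothetical.

```python
# Constructed sample data: SERVER_ORDER is the list quoted in the question,
# CLIENT_ORDER is invented for this demonstration.
SERVER_ORDER = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
]
CLIENT_ORDER = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",    # not supported by this server
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
]


class HandshakeFailure(Exception):
    """Models the server rejecting a ClientHello with no acceptable cipher."""


def tls_server_select(offered, server_order=SERVER_ORDER):
    """TLS, server-preference model: the server picks the first entry of its
    own list that the client offered; the client's ordering is ignored."""
    for suite in server_order:
        if suite in offered:
            return suite
    raise HandshakeFailure("no shared cipher suite")


def ssh_select(client_order, server_order=SERVER_ORDER):
    """SSH-style rule from the side note: the first entry on the client's
    list that the server also supports wins."""
    for suite in client_order:
        if suite in server_order:
            return suite
    raise HandshakeFailure("no shared cipher")


def negotiate_client_preferred(client_order, connect=tls_server_select):
    """Retry strategy from the answer: one handshake per cipher, each
    offering a single suite, walking the client's list in order.
    Returns (selected suite, suites tried); every try is a full connection."""
    tried = []
    for suite in client_order:
        tried.append(suite)
        try:
            return connect([suite]), tried
        except HandshakeFailure:
            continue
    raise HandshakeFailure("server accepted none of the client's ciphers")
```

With these lists a single TLS handshake yields the server's first choice (AES_128_GCM), while the single-cipher retries reach the client's preferred supported suite (AES_256_GCM) at the cost of one rejected connection.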
