Add AES-CCM ciphers to all settings
rhymeswithmogul opened this issue · 3 comments
The AES-CCM ciphers and ciphersuites are missing from the Mozilla Server Side TLS document and the SSL Configurator. This cipher mode was ratified by the IETF in 2012 in RFC 6655, and are included in recent versions of OpenSSL. According to Wikipedia, they may provide better performance on embedded and low-power devices, and the cipher mode is also used in WPA2 CCMP and Bluetooth Low Energy. Despite poor support by web browsers, they are considered safe, and I feel that they should be added to the list of acceptable ciphers.
TLS 1.3 offers these ciphersuites (available in OpenSSL 1.1.1, but disabled by default):
TLS_AES_128_CCM_SHA256TLS_AES_128_CCM_8_SHA256
TLS 1.2 offers these ciphers:
TLS_ECDHE_ECDSA_WITH_AES_128_CCMTLS_ECDHE_ECDSA_WITH_AES_128_CCM_8TLS_ECDHE_ECDSA_WITH_AES_256_CCMTLS_ECDHE_ECDSA_WITH_AES_256_CCM_8TLS_DHE_RSA_WITH_AES_128_CCM_8TLS_DHE_RSA_WITH_AES_256_CCM_8TLS_DHE_RSA_WITH_AES_128_CCMTLS_DHE_RSA_WITH_AES_256_CCM
CCM_8 has weak integrity guarantees so we shouldn't enable them by default, those are useful only for specific environments
adding CCM with the full 16 byte tag it probably a good idea
Related comments from @april about TLS_AES_128_CCM_SHA256 and TLS_AES_128_CCM_8_SHA256 ciphers:
mozilla/ssl-config-generator#124 (comment)
It's not generally enabled by default for most systems, and there is not much reason to enable it by default. People whose clients are embedded systems with low-power ICs that lack crypto acceleration will know to enable it on both ends. This is a small enough group of people to not manually discuss it in a document for general purpose servers.
mozilla/ssl-config-generator#124 (comment)
We also don't list CCM because we don't want people going out of their way to enable them when they're rarely needed. It's often not easy to do so, and by listing them it makes it seem mandatory.
So, recommending to enable TLS_AES_128_CCM_SHA256 by default in the Mozilla Server Side TLS document and the SSL Configurator is not a good idea.
It may be useful to add a note into Rationale section in https://wiki.mozilla.org/Security/Server_Side_TLS explaining why these ciphers are not included in the guidelines, and some of the explanations above about when an admin might consider adding them.