The State of TLS on XMPP (3)
One important factor has not yet been covered in my two previous posts: clients. As barely any server uses a pre-defined cipher order, the order set by clients is at least as important as the cipher support of a server.
Full disclosure: one of the reasons I started looking into this was horribly bad SSL cipher selection by Adium 1.5.6 and earlier. Due to problems with elliptic curve suites (which were new in 10.6) and certain XMPP servers, Adium had a hard-coded list of the ciphers supported by 10.5. This included ciphers with anonymous Diffie-Hellman, which are unauthenticated and crashed Adium. Also included were a number of ciphers with NULL encryption. This was fixed by removing the vulnerable cipher suites in Adium 1.5.7 and I intend to bring back the ECC suites in 1.5.8.
Possible issues
Bad suites
DES and EXPORT cipher suites can be cracked within seconds on modern hardware, yet my tests showed 80% of the servers still have those enabled. Of course, eNULL should never be advertised by a client at all.
RC4 is currently considered “problematic”. Biases are known to exist in the first 256 bytes, but exploiting them requires around 2^24 ciphertexts to have a reasonable chance of decryption. When using a normal XMPP SASL PLAIN authentication, with TLSv1.2 RC4-MD5 encryption, around 19 characters of your username+password are within this first 256 byte block. 2^24 sounds like a lot, but extra assumptions (like the fact that the data is base64 encoded) could bring this down considerably.
SSLv2
SSLv2 was deprecated and known to be broken before the first Jabber server was written, yet many servers also still support it. One of the dangers of SSLv2 is cipher rollback attacks: an attacker could modify the list of ciphers the client indicates it supports to force the server to use weaker ciphers. Combined with DES/EXPORT suites, this could allow an attacker to change the encryption to something they can easily crack. Servers and clients try to detect when SSLv3 connections are downgraded to SSLv2, but this has had bugs in the past.
Forward secrecy
Forward secrecy means a compromised private key will not help decrypting past connections, even if they were logged completely. This means that any adversary with enough legal power or technical skill to steal the private key can not look at your past messages. To support this, DHE, EDH or ECDHE (Ephemeral Diffie-Hellman and Elliptic Curve Ephemeral Diffie-Hellman) must be used as the authentication mechanism. ECDHE offers stronger encryption, yet at less computational cost than DHE or EDH.
Note that ciphers that start with ECDH- and DH- are different authentication mechanisms: these require special certificates and offer no forward secrecy.
GCM
Due to the BEAST attack, all CBC cipher suites in TLS 1.0 are problematic, but the only alternative is RC4. The AES GCM suites, which are new in TLS 1.2, are not vulnerable to this attack and are the safest solution.
Clients
The following results have been found by parsing the ClientHello message that was captured using Wireshark. Note again that this list might also depend on other factors, like the version of other libraries installed.
Windows 8
Jitsi 2.2.4603.9615
ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA AES128-SHA ECDH-ECDSA-AES128-SHA ECDH-RSA-AES128-SHA DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA ECDHE-ECDSA-RC4-SHA ECDHE-RSA-RC4-SHA RC4-SHA ECDH-ECDSA-RC4-SHA ECDH-RSA-RC4-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-RSA-DES-CBC3-SHA DES-CBC3-SHA ECDH-ECDSA-DES-CBC3-SHA ECDH-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA RC4-MD5
Favoring (EC)DHE, RC4-MD5 last, nothing weak. At first glance this list looks good. However, note that there is no 256-bit cipher in there at all. 3DES is theoretically 168-bits, but practically it comes down to 112-bits of security. The best cipher offered is 128-bit AES. So far, this has been the only client that doesn’t support 256-bit encryption that I’ve seen.
Pidgin 2.10.7
DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA DSS-RC4-SHA DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA RC4-SHA RC4-MD5 AES128-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA SSL_RSA_FIPS_WITH_DES_CBC_SHA DES-CBC-SHA EXP1024-RC4-SHA EXP1024-DES-CBC-SHA EXP-RC4-MD5 EXP-RC2-CBC-MD5
Pidgin sadly supports no ECDHE. A lot of weak DES and EXPORT ciphers are included here too.
Gajim 0.15.4
DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA AES128-SHA IDEA-CBC-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA DES-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5 EXP-RC4-MD5
Also no ECDHE here and an even longer list of DES/EXPORT ciphers. 3DES, while less secure, is preferred over 128-bit AES.
Windows 7
Psi 0.15
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA SRP-DSS-AES-256-CBC-SHA SRP-RSA-AES-256-CBC-SHA DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-DSS-AES256-SHA256 DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA DHE-RSA-CAMELLIA256-SHA DHE-DSS-CAMELLIA256-SHA ECDH-RSA-AES256-GCM-SHA384 ECDH-ECDSA-AES256-GCM-SHA384 ECDH-RSA-AES256-SHA384 ECDH-ECDSA-AES256-SHA384 ECDH-RSA-AES256-SHA ECDH-ECDSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA CAMELLIA256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-ECDSA-DES-CBC3-SHA SRP-DSS-3DES-EDE-CBC-SHA SRP-RSA-3DES-EDE-CBC-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA ECDH-RSA-DES-CBC3-SHA ECDH-ECDSA-DES-CBC3-SHA DES-CBC3-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA SRP-DSS-AES-128-CBC-SHA SRP-RSA-AES-128-CBC-SHA DHE-DSS-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-DSS-AES128-SHA256 DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA DHE-RSA-SEED-SHA DHE-DSS-SEED-SHA DHE-RSA-CAMELLIA128-SHA DHE-DSS-CAMELLIA128-SHA ECDH-RSA-AES128-GCM-SHA256 ECDH-ECDSA-AES128-GCM-SHA256 ECDH-RSA-AES128-SHA256 ECDH-ECDSA-AES128-SHA256 ECDH-RSA-AES128-SHA ECDH-ECDSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA SEED-SHA CAMELLIA128-SHA IDEA-CBC-SHA ECDHE-RSA-RC4-SHA ECDHE-ECDSA-RC4-SHA ECDH-RSA-RC4-SHA ECDH-ECDSA-RC4-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA DES-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5 EXP-RC4-MD5
rullzer sent in this list of Psi on Windows 7. With 79 supported ciphers, it’s the longest list on this page. Psi supports ECDHE and TLS 1.2 goodies like GCM and SHA384. However, encryption strength is prioritized over forward secrecy and 3DES takes priority over AES128. A number of weak suites are also included here.
Miranda NG v0.94.4 #5216 x64, jabber.dll 0.11.0.2
AES128-SHA AES256-SHA RC4-SHA DES-CBC3-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA DHE-DSS-AES128-SHA DHE-DSS-AES256-SHA EDH-DSS-DES-CBC3-SHA RC4-MD5
Roland Müller sent in this list of Miranda NG v0.94.4 #5216 x64 with jabber.dll 0.11.0.2 on Windows 7 Pro SP1 x64. We see support for ECDHE, but the forward-secrecy suites get prioritized below non-ephemeral cipher suites. Note also that 128-bit AES takes priority over 256-bit, but there are no weak suites here and RC4-MD5 is firmly at the bottom.
OS X 10.8
Adium 1.5.7
AES128-SHA RC4-SHA RC4-MD5 AES256-SHA DES-CBC3-SHA EXP-RC4-MD5 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA EDH-RSA-DES-CBC3-SHA
I’m not proud of this list, but considering 1.5.7 was about to be released, it was the only improvement I dared to make without beta-testing. The order seems random, EXPORT suites still enabled, no ECDHE.
Jitsi 2.2.4603.9615
RC4-MD5 RC4-SHA AES128-SHA AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-DSS-AES128-SHA DHE-DSS-AES256-SHA DES-CBC3-SHA DES-CBC3-MD5 EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC-SHA DES-CBC-MD5 EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA EXP-RC4-MD5 EXP-DES-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA
Initially I expected this to be similar to Jitsi’s list on Windows, but it very much isn’t. RC4-MD5 is the first choice, ECDHE and DHE suites are prioritized behind their non-DHE counterparts. Contrary to the Windows version, 256-bit ciphers are present here, yet also DES and EXPORT suites.
Messages 7.0.1 (3322)
ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-RC4-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-RC4-SHA ECDHE-RSA-DES-CBC3-SHA ECDH-ECDSA-AES128-SHA ECDH-ECDSA-AES256-SHA ECDH-ECDSA-RC4-SHA ECDH-ECDSA-DES-CBC3-SHA ECDH-RSA-AES128-SHA ECDH-RSA-AES256-SHA ECDH-RSA-RC4-SHA ECDH-RSA-DES-CBC3-SHA AES128-SHA RC4-SHA RC4-MD5 AES256-SHA DES-CBC3-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA EDH-RSA-DES-CBC3-SHA
Very little to criticize about this list. A lot of ECDHE suites enabled, with forward-secrecy prioritized over encryption strength. The only surprising cipher here is AES256-SHA prioritized low among the other non-ephemeral suites.
Trillian 1.4.52
DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA DES-CBC3-MD5 DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA AES128-SHA DHE-RSA-SEED-SHA DHE-DSS-SEED-SHA SEED-SHA RC2-CBC-MD5 RC4-SHA RC4-MD5 RC4-MD5 EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA DES-CBC-SHA DES-CBC-MD5 EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5 EXP-RC2-CBC-MD5 EXP-RC4-MD5 EXP-RC4-MD5
No ECDHE here. Ephemeral suites do take priority over the non-ephemeral variants, but encryption strength trumps forward-secrecy. A lot of weak ciphers are included.
Psi 0.15
DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA DES-CBC3-MD5 DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA AES128-SHA RC2-CBC-MD5 RC4-SHA RC4-MD5 EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA DES-CBC-SHA DES-CBC-MD5 EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5 EXP-RC4-MD5
No ECDHE here either, but priority for DHE. Also here 3DES is preferred over AES128 and a number of EXPORT suites are included.
poezio 0.7.5.2
ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA SRP-DSS-AES-256-CBC-SHA SRP-RSA-AES-256-CBC-SHA DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA DHE-RSA-CAMELLIA256-SHA DHE-DSS-CAMELLIA256-SHA ECDH-RSA-AES256-SHA ECDH-ECDSA-AES256-SHA AES256-SHA CAMELLIA256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-ECDSA-DES-CBC3-SHA SRP-DSS-3DES-EDE-CBC-SHA SRP-RSA-3DES-EDE-CBC-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA ECDH-RSA-DES-CBC3-SHA ECDH-ECDSA-DES-CBC3-SHA DES-CBC3-SHA ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA SRP-DSS-AES-128-CBC-SHA SRP-RSA-AES-128-CBC-SHA DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA DHE-RSA-SEED-SHA DHE-DSS-SEED-SHA DHE-RSA-CAMELLIA128-SHA DHE-DSS-CAMELLIA128-SHA ECDH-RSA-AES128-SHA ECDH-ECDSA-AES128-SHA AES128-SHA SEED-SHA CAMELLIA128-SHA IDEA-CBC-SHA ECDHE-RSA-RC4-SHA ECDHE-ECDSA-RC4-SHA ECDH-RSA-RC4-SHA ECDH-ECDSA-RC4-SHA RC4-SHA RC4-MD5
I tested poezio 0.7.5.2 on OS X 10.8 with Python 3.3 and mathieui sent me a list of poezio git on Arch Linux which was identical. No weak ciphers here and support for ECDHE, which is good, but encryption strength trumps forward secrecy. Also here 3DES is prioritized above AES128, but it does place RC4 at the bottom of everything.
Debian 7.1
Pidgin 2.10.6
DHE-DSS-AES256-SHA AES256-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA RC4-SHA RC4-MD5 AES128-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA
While 2.10.6 is not the latest version of Pidgin, I decided to stick to what was available in the Debian Wheezy package manager.
No ECDHE, but good prioritization of the DHE suites. No EXPORT suites are included, but the 2 DES suites are definitely weak.
Gajim 0.15.1
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA SRP-DSS-AES-256-CBC-SHA SRP-RSA-AES-256-CBC-SHA DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-DSS-AES256-SHA256 DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA DHE-RSA-CAMELLIA256-SHA DHE-DSS-CAMELLIA256-SHA ECDH-RSA-AES256-GCM-SHA384 ECDH-ECDSA-AES256-GCM-SHA384 ECDH-RSA-AES256-SHA384 ECDH-ECDSA-AES256-SHA384 ECDH-RSA-AES256-SHA ECDH-ECDSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA CAMELLIA256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-ECDSA-DES-CBC3-SHA SRP-DSS-3DES-EDE-CBC-SHA SRP-RSA-3DES-EDE-CBC-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA ECDH-RSA-DES-CBC3-SHA ECDH-ECDSA-DES-CBC3-SHA DES-CBC3-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA SRP-DSS-AES-128-CBC-SHA SRP-RSA-AES-128-CBC-SHA DHE-DSS-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-DSS-AES128-SHA256 DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA DHE-RSA-SEED-SHA DHE-DSS-SEED-SHA DHE-RSA-CAMELLIA128-SHA DHE-DSS-CAMELLIA128-SHA ECDH-RSA-AES128-GCM-SHA256 ECDH-ECDSA-AES128-GCM-SHA256 ECDH-RSA-AES128-SHA256 ECDH-ECDSA-AES128-SHA256 ECDH-RSA-AES128-SHA ECDH-ECDSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA SEED-SHA CAMELLIA128-SHA ECDHE-RSA-RC4-SHA ECDHE-ECDSA-RC4-SHA ECDH-RSA-RC4-SHA ECDH-ECDSA-RC4-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA DES-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5 EXP-RC4-MD5
Gajim on Debian is also very different from Gajim on Windows. It offers this enormous list of 78 different ciphers it supports. While some of these (SRP, ECDSA, DSS) are unlikely to work with your average CA-issued certificate, in certain situations they might be beneficial. The list starts well with a large number of ECDHE and DHE suites, but sadly 3DES also takes priority over AES128. At the end they sneak in a couple of DES and EXPORT suites too.
Empathy 3.4.2.3
DHE-RSA-AES128-SHA DHE-RSA-AES128-SHA256 DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES256-SHA256 DHE-RSA-CAMELLIA256-SHA EDH-RSA-DES-CBC3-SHA DHE-DSS-AES128-SHA DHE-DSS-AES128-SHA256 DHE-DSS-CAMELLIA128-SHA DHE-DSS-AES256-SHA DHE-DSS-AES256-SHA256 DHE-DSS-CAMELLIA256-SHA EDH-DSS-DES-CBC3-SHA AES128-SHA AES128-SHA256 CAMELLIA128-SHA AES256-SHA AES256-SHA256 CAMELLIA256-SHA DES-CBC3-SHA RC4-SHA RC4-MD5
No ECDHE, but DHE takes priority over everything else. Just like Gajim also some Camellia here and support for a member of the SHA2 family (SHA256). Surprisingly AES128 takes priority over AES256 here. No weak suites at all.
Swift 2.0beta1-dev47
ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA SRP-DSS-AES-256-CBC-SHA SRP-RSA-AES-256-CBC-SHA DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA DHE-RSA-CAMELLIA256-SHA DHE-DSS-CAMELLIA256-SHA ECDH-RSA-AES256-SHA ECDH-ECDSA-AES256-SHA AES256-SHA CAMELLIA256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-ECDSA-DES-CBC3-SHA SRP-DSS-3DES-EDE-CBC-SHA SRP-RSA-3DES-EDE-CBC-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA ECDH-RSA-DES-CBC3-SHA ECDH-ECDSA-DES-CBC3-SHA DES-CBC3-SHA ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA SRP-DSS-AES-128-CBC-SHA SRP-RSA-AES-128-CBC-SHA DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA DHE-RSA-SEED-SHA DHE-DSS-SEED-SHA DHE-RSA-CAMELLIA128-SHA DHE-DSS-CAMELLIA128-SHA ECDH-RSA-AES128-SHA ECDH-ECDSA-AES128-SHA AES128-SHA SEED-SHA CAMELLIA128-SHA ECDHE-RSA-RC4-SHA ECDHE-ECDSA-RC4-SHA ECDH-RSA-RC4-SHA ECDH-ECDSA-RC4-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA DES-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5 EXP-RC4-MD5
Another long list, but not quite as long as Gajim’s. Ordering seems to be similar: first sorted by bitsize, then by ECDHE, DHE and non-ephemeral. Also here a number of EXPORT and DES suites.
Psi 0.14
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA SRP-DSS-AES-256-CBC-SHA SRP-RSA-AES-256-CBC-SHA DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-DSS-AES256-SHA256 DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA DHE-RSA-CAMELLIA256-SHA DHE-DSS-CAMELLIA256-SHA ECDH-RSA-AES256-GCM-SHA384 ECDH-ECDSA-AES256-GCM-SHA384 ECDH-RSA-AES256-SHA384 ECDH-ECDSA-AES256-SHA384 ECDH-RSA-AES256-SHA ECDH-ECDSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA CAMELLIA256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-ECDSA-DES-CBC3-SHA SRP-DSS-3DES-EDE-CBC-SHA SRP-RSA-3DES-EDE-CBC-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA ECDH-RSA-DES-CBC3-SHA ECDH-ECDSA-DES-CBC3-SHA DES-CBC3-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA SRP-DSS-AES-128-CBC-SHA SRP-RSA-AES-128-CBC-SHA DHE-DSS-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-DSS-AES128-SHA256 DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA DHE-RSA-SEED-SHA DHE-DSS-SEED-SHA DHE-RSA-CAMELLIA128-SHA DHE-DSS-CAMELLIA128-SHA ECDH-RSA-AES128-GCM-SHA256 ECDH-ECDSA-AES128-GCM-SHA256 ECDH-RSA-AES128-SHA256 ECDH-ECDSA-AES128-SHA256 ECDH-RSA-AES128-SHA ECDH-ECDSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA SEED-SHA CAMELLIA128-SHA ECDHE-RSA-RC4-SHA ECDHE-ECDSA-RC4-SHA ECDH-RSA-RC4-SHA ECDH-ECDSA-RC4-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA DES-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5 EXP-RC4-MD5
Debian definitely likes to package things with long cipher lists. Psi also offers 78 ciphers, but not the same as Gajim. It offers a number of brand new cipher suites introduced in TLS1.2: AES with GCM and SHA256 or SHA384 as MAC. Other than that, the ordering is similar to Swift and Gajim: 3DES gets priority over AES128, even when it includes new features like GCM and SHA256.
irssi-xmpp 0.52
DHE-RSA-AES128-SHA DHE-RSA-AES128-SHA256 DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES256-SHA256 DHE-RSA-CAMELLIA256-SHA EDH-RSA-DES-CBC3-SHA DHE-DSS-AES128-SHA DHE-DSS-AES128-SHA256 DHE-DSS-CAMELLIA128-SHA DHE-DSS-AES256-SHA DHE-DSS-AES256-SHA256 DHE-DSS-CAMELLIA256-SHA EDH-DSS-DES-CBC3-SHA AES128-SHA AES128-SHA256 CAMELLIA128-SHA AES256-SHA AES256-SHA256 CAMELLIA256-SHA DES-CBC3-SHA RC4-SHA RC4-MD5
No ECDHE here, but DHE is above everything else. Surprisingly AES128 is first, followed by 3DES and only then AES256. No weak ciphers to be found here.
Debian Unstable
Kopete 4.10.5
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA SRP-DSS-AES-256-CBC-SHA SRP-RSA-AES-256-CBC-SHA DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-DSS-AES256-SHA256 DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA DHE-RSA-CAMELLIA256-SHA DHE-DSS-CAMELLIA256-SHA ECDH-RSA-AES256-GCM-SHA384 ECDH-ECDSA-AES256-GCM-SHA384 ECDH-RSA-AES256-SHA384 ECDH-ECDSA-AES256-SHA384 ECDH-RSA-AES256-SHA ECDH-ECDSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA CAMELLIA256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-ECDSA-DES-CBC3-SHA SRP-DSS-3DES-EDE-CBC-SHA SRP-RSA-3DES-EDE-CBC-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA ECDH-RSA-DES-CBC3-SHA ECDH-ECDSA-DES-CBC3-SHA DES-CBC3-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA SRP-DSS-AES-128-CBC-SHA SRP-RSA-AES-128-CBC-SHA DHE-DSS-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-DSS-AES128-SHA256 DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA DHE-RSA-SEED-SHA DHE-DSS-SEED-SHA DHE-RSA-CAMELLIA128-SHA DHE-DSS-CAMELLIA128-SHA ECDH-RSA-AES128-GCM-SHA256 ECDH-ECDSA-AES128-GCM-SHA256 ECDH-RSA-AES128-SHA256 ECDH-ECDSA-AES128-SHA256 ECDH-RSA-AES128-SHA ECDH-ECDSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA SEED-SHA CAMELLIA128-SHA IDEA-CBC-SHA ECDHE-RSA-RC4-SHA ECDHE-ECDSA-RC4-SHA ECDH-RSA-RC4-SHA ECDH-ECDSA-RC4-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA DES-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5 EXP-RC4-MD5
I received two lists for Kopete, one from @timb_machine for Debian Unstable and one from Alex Xu on Gentoo. The list was the same except for IDEA-CBC-SHA, which was only on Alex’s list.
The same comments apply as with Gajim and Psi on Debian: the list starts out well with many modern features like GCM, SHA384 and ECDHE, but encryption strength is preferred over forward-secrecy and 3DES over AES128. It also includes a large number of EXPORT suites.
Ubuntu 12.04.3 LTS
Jitsi 2.2.4603.9615
RC4-MD5 RC4-MD5 RC4-SHA AES128-SHA AES256-SHA ECDH-ECDSA-RC4-SHA ECDH-ECDSA-AES128-SHA RC4-MD5 ECDH-ECDSA-AES256-SHA ECDH-RSA-RC4-SHA ECDH-RSA-AES128-SHA ECDH-RSA-AES256-SHA ECDHE-ECDSA-RC4-SHA IDEA-CBC-MD5 ECDHE-ECDSA-AES128-SHA DES-CBC-MD5 ECDHE-ECDSA-AES256-SHA DES-CBC3-MD5 ECDHE-RSA-RC4-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-DSS-AES128-SHA DHE-DSS-AES256-SHA DES-CBC3-SHA DES-CBC3-MD5 ECDH-ECDSA-DES-CBC3-SHA EXP-RC4-MD5 ECDH-RSA-DES-CBC3-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC-SHA DES-CBC-MD5 EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA EXP-RC4-MD5 EXP-RC4-MD5 EXP-DES-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA
Zash sent the following list in for Jitsi on Ubuntu. It is… weird. The first two ciphers aren’t exactly the same (the first is for SSLv3, the second for SSLv2), but #8 is the SSLv2 RC4-MD5 again. It must want it really badly. AES256 is not excluded here, but the sorting does prefer RC4 over AES128 and AES128 over AES256. ECDHE suites are present, but prioritized below their non-ephemeral variants.
Weak ciphers are also included here, DES-CBC-MD5 even at a dangerously high place in the list.
Gentoo
MCabber 0.10.1
DHE-RSA-AES128-SHA DHE-RSA-AES128-SHA256 DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES256-SHA256 DHE-RSA-CAMELLIA256-SHA EDH-RSA-DES-CBC3-SHA DHE-DSS-AES128-SHA DHE-DSS-AES128-SHA256 DHE-DSS-CAMELLIA128-SHA DHE-DSS-AES256-SHA DHE-DSS-AES256-SHA256 DHE-DSS-CAMELLIA256-SHA EDH-DSS-DES-CBC3-SHA DHE-DSS-RC4-SHA AES128-SHA AES128-SHA256 CAMELLIA128-SHA AES256-SHA AES256-SHA256 CAMELLIA256-SHA DES-CBC3-SHA RC4-SHA RC4-MD5
rullzer sent in this list with the ciphers of MCabber on Gentoo with OpenSSL 1.0.1c. Interesting about this list is that TLS 1.2 support is present (some use SHA256 for the MAC), yet no support for GCM. ECDHE support is also absent, but DHE suites do get priority over non-DHE. 128 bit AES/Camellia is preferred over those with 256 bit, but at least RC4 is at the very bottom here.
Android 4.3
The following result has been obtained with the Android emulator running 4.3. The results could be different for real phones.
GibberBot 0.0.11RC5/yaxim 0.8.6b/Xabber 0.2.29a/Beem 0.1.8
RC4-MD5 RC4-SHA AES128-SHA AES256-SHA ECDH-ECDSA-RC4-SHA ECDH-ECDSA-AES128-SHA ECDH-ECDSA-AES256-SHA ECDH-RSA-RC4-SHA ECDH-RSA-AES128-SHA ECDH-RSA-AES256-SHA ECDHE-ECDSA-RC4-SHA ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-RSA-RC4-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-DSS-AES128-SHA DHE-DSS-AES256-SHA DES-CBC3-SHA ECDH-ECDSA-DES-CBC3-SHA ECDH-RSA-DES-CBC3-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC-SHA EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA EXP-RC4-MD5 EXP-DES-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA
All 4 Android clients I checked offered the same list. Of course phones might have power-concerns but still this list is pretty bad. Ephemeral suites are listed below the non-ephemeral variant, a number of DES and EXPORT suites are included, RC4-MD5 is the first choice and 128-bit ciphers take priority over the 256-bit variants.
iOS 6.1
This has been tested with the iOS simulator and might therefore not match a real iPhone/iPad.
ChatSecure (git revision 17101703401ea09b887000fdddade2854f7dbdf9)
ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-RC4-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-RC4-SHA ECDHE-RSA-DES-CBC3-SHA ECDH-ECDSA-AES256-SHA384 ECDH-ECDSA-AES128-SHA256 ECDH-RSA-AES256-SHA384 ECDH-RSA-AES128-SHA256 ECDH-ECDSA-AES128-SHA ECDH-ECDSA-AES256-SHA ECDH-ECDSA-RC4-SHA ECDH-ECDSA-DES-CBC3-SHA ECDH-RSA-AES128-SHA ECDH-RSA-AES256-SHA ECDH-RSA-RC4-SHA ECDH-RSA-DES-CBC3-SHA AES256-SHA256 AES128-SHA256 AES128-SHA RC4-SHA RC4-MD5 AES256-SHA DES-CBC3-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA EDH-RSA-DES-CBC3-SHA ECDHE-ECDSA-NULL-SHA ECDHE-RSA-NULL-SHA ECDH-ECDSA-NULL-SHA ECDH-RSA-NULL-SHA NULL-SHA256 NULL-SHA NULL-MD5
This list starts out really well, with ECDHE and SHA2 MACs. AES128 and 256 variants aren’t always ordered in the same way, but usually AES256 > AES128, similar to Messages. But the list ends really badly. The last couple of ciphers aren’t just weak, those are unencrypted. Your connection is still authenticated (you can notice if someone changes a message), but any eavesdropper can listen in. I really hope this is just a mistake in the iOS simulator and these ciphers don’t actually exist on an iPhone. Anyway, not something I’d expect from a client named “Secure”.
N900
Empathy
DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA AES128-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA DES-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5 EXP-RC4-MD5
Zash sent in this list for Empathy on the Nokia N900. No ECDHE here either, but priority for DHE. Also here 3DES is sorted before AES128 and a number of weak ciphers are enabled.
Conclusion
Just like servers, many clients also include support for weak ciphers. Though they are always sorted at the bottom, it would be safer not to enable them. A mis-configured server or a new rollback attack could force clients to use these, making the connection appear encrypted to the user while the attacker might be able to listen in almost in real time. (Edit: In the list Zash sent in of Jitsi on Ubuntu this no longer holds true, DES-CBC-MD5 is not at the bottom.)
ECDHE support is still quite rare, but every client supports at least DHE. These are not always sorted favorably, so a server that wants to promote forward-secrecy should disable non-ephemeral suites, or let the server enforce its own order.
Jitsi on Windows 8 is the only client not offering 256-bit encryption, so don’t disable that to improve your score unless you know nobody uses Jitsi.
In fact, Jitsi on OS X and all Android clients putting RC4-MD5 at the top make an even stronger case for turning on server-enforced cipher ordering, or at least disabling RC4 completely.
AES GCM support is currently limited to Gajim and Psi on Linux and Windows.
Future work
If you have information from other clients, you can let me know. These can be found in Wireshark in the “Client Hello” message: search for the “Cipher Suite” field and right-click “Copy > Bytes > Hex Stream”. You can email me at me@thijsalkema.de; please include the version of the client and your OS version.
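As an added example (my own script, not the post's tooling), here is the decoding and grading step that the Clients section and the paragraph above describe: it turns the hex stream Wireshark copies out of the Cipher Suites field into OpenSSL names and applies the post's ordering checks (weak suites at the bottom, forward secrecy before strength, 3DES before AES128, RC4 first). The code-point table is a subset covering the commonest suites in the lists above, and the sample input is Adium 1.5.7's list re-encoded by hand.

```python
"""Decode a ClientHello cipher-suite list (Wireshark: Cipher Suites field,
Copy > Bytes > Hex Stream) and grade its ordering with the post's criteria."""
import re

# Subset of IANA code points -> OpenSSL names (unknown code points stay as hex).
SUITES = {
    0x0001: "NULL-MD5", 0x0002: "NULL-SHA", 0x0003: "EXP-RC4-MD5",
    0x0004: "RC4-MD5", 0x0005: "RC4-SHA", 0x0006: "EXP-RC2-CBC-MD5",
    0x0008: "EXP-DES-CBC-SHA", 0x0009: "DES-CBC-SHA", 0x000A: "DES-CBC3-SHA",
    0x0013: "EDH-DSS-DES-CBC3-SHA", 0x0016: "EDH-RSA-DES-CBC3-SHA",
    0x002F: "AES128-SHA", 0x0035: "AES256-SHA",
    0x0032: "DHE-DSS-AES128-SHA", 0x0033: "DHE-RSA-AES128-SHA",
    0x0038: "DHE-DSS-AES256-SHA", 0x0039: "DHE-RSA-AES256-SHA",
    0x009C: "AES128-GCM-SHA256", 0x009D: "AES256-GCM-SHA384",
    0xC00E: "ECDH-RSA-AES128-SHA", 0xC00F: "ECDH-RSA-AES256-SHA",
    0xC011: "ECDHE-RSA-RC4-SHA", 0xC012: "ECDHE-RSA-DES-CBC3-SHA",
    0xC013: "ECDHE-RSA-AES128-SHA", 0xC014: "ECDHE-RSA-AES256-SHA",
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256", 0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
}
RENEGOTIATION_SCSV = 0x00FF  # signalling value, not a cipher suite

def parse_hex_stream(hex_stream, length_prefix=None):
    """Offered suites as OpenSSL names, in ClientHello order. length_prefix: True/False
    if you know whether the copied bytes start with the 2-byte list length; None
    auto-detects it (a first word equal to the size of the remainder is a length)."""
    raw = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", hex_stream))
    if len(raw) % 2:
        raise ValueError("cipher suite list must be an even number of bytes")
    if length_prefix is None:
        length_prefix = len(raw) >= 2 and int.from_bytes(raw[:2], "big") == len(raw) - 2
    if length_prefix:
        raw = raw[2:]
    names = []
    for i in range(0, len(raw), 2):
        code = int.from_bytes(raw[i:i + 2], "big")
        if code != RENEGOTIATION_SCSV:
            names.append(SUITES.get(code, "0x%04X" % code))
    return names

def is_weak(name):
    """EXPORT, single DES, RC2 and unencrypted (NULL) suites, as in the post."""
    return any(tag in name for tag in ("EXP-", "DES-CBC-", "RC2", "NULL"))

def is_ephemeral(name):
    """(EC)DHE suites give forward secrecy; ECDH-/DH- and plain RSA do not."""
    return name.startswith(("ECDHE-", "DHE-", "EDH-", "EXP-EDH-"))

def key_bits(name):
    """Effective symmetric strength; 3DES counted as 112 bits as in the post."""
    for tag, bits in (("NULL", 0), ("EXP-", 40), ("DES-CBC-", 56), ("DES-CBC3", 112)):
        if tag in name:
            return bits
    m = re.search(r"(?:AES|CAMELLIA)-?(128|256)", name)
    return int(m.group(1)) if m else 128  # RC4, SEED, IDEA use 128-bit keys

def grade(names):
    """Apply the post's ordering checks to one client's list."""
    def first(pred):
        return next((i for i, n in enumerate(names) if pred(n)), None)
    last_strong = max((i for i, n in enumerate(names) if not is_weak(n)), default=-1)
    eph, static = first(is_ephemeral), first(lambda n: not is_ephemeral(n))
    tdes, aes128 = first(lambda n: "DES-CBC3" in n), first(lambda n: re.search(r"AES-?128", n))
    return {
        "first_choice": names[0] if names else None,
        "weak": [n for n in names if is_weak(n)],
        # the conclusion's caveat: weak suites should at least sit at the bottom
        "weak_above_strong": any(is_weak(n) for n in names[:last_strong + 1]),
        "has_ecdhe": any(n.startswith("ECDHE-") for n in names),
        "has_gcm": any("GCM" in n for n in names),
        "max_bits": max((key_bits(n) for n in names if not n.startswith("0x")), default=0),
        "rc4_first": bool(names) and names[0].startswith("RC4-"),
        "ephemeral_first": eph is not None and (static is None or eph < static),
        "tdes_before_aes128": None not in (tdes, aes128) and tdes < aes128,
    }

# Constructed sample: Adium 1.5.7's list from the post, re-encoded by hand as the
# hex stream Wireshark would copy (length prefix 0x0014, renegotiation SCSV last).
ADIUM_157_HEX = "0014 002f 0005 0004 0035 000a 0003 0033 0039 0016 00ff"

if __name__ == "__main__":
    offered = parse_hex_stream(ADIUM_157_HEX)
    print(" ".join(offered))
    for key, value in grade(offered).items():
        print("%-20s %s" % (key, value))
```

Suites the table does not know are reported by code point rather than guessed, so a list from a newer client may need the table extended before the grading is meaningful.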
Copyright © 2024 - Thijs Alkemade