
DHE-RSA-CHACHA20-POLY1305 should NOT be used anymore #269

Closed
melroy89 opened this issue Oct 27, 2024 · 5 comments
Assignees
Labels
duplicate This issue or pull request already exists specs This involves changes in recommendations

Comments

@melroy89

The cipher DHE-RSA-CHACHA20-POLY1305 is deemed unsafe and weak today, and can be used for a https://dheatattack.com/.

Please consider removing this option from the SSL Configuration Generator.

More info: https://ciphersuite.info/cs/TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256/

@tomato42
Member

duplicate of #162

@melroy89
Author

> duplicate of #162

Ah, yes, I think so... well, let's fix it? Can we just remove it from the files: https://github.com/search?q=repo%3Amozilla%2Fssl-config-generator%20DHE-RSA-CHACHA20-POLY1305&type=code ?

@gstrauss
Collaborator

Closing as duplicate of #162

FYI: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 is one of the ciphers recommended by RFC 7905 (published June 2016), and was added to the ssl-config-generator Intermediate configuration in 2023 after discussion in mozilla/server-side-tls#285

I personally agree that DHE ciphers (non-ECDHE) should no longer be recommended for Modern and Intermediate and am also pushing for this change.

@janbrasna janbrasna self-assigned this Oct 28, 2024
@janbrasna janbrasna added duplicate This issue or pull request already exists specs This involves changes in recommendations labels Oct 28, 2024
@janbrasna
Collaborator

@melroy89 Please follow mozilla/server-side-tls#268 for any future changes relevant to non–EC DHE in intermediate, that has to happen upstream first. (FYI there's no FFDHE in modern though, @gstrauss…)

Another question is whether, if/when they are phased out of intermediate, they should stay in old for compatibility reasons (and the key size requirement bumped, perhaps?), or, given how easy it is to misconfigure their use, a discussion to remove them also from old (with a new oldestClient profile defined?) should kick off?

@janbrasna janbrasna closed this as not planned Won't fix, can't repro, duplicate, stale Oct 28, 2024
@janbrasna
Collaborator

They are placed on the "weak lists" mainly due to CVEs in some implementations (old F5, old OpenSSL <1.0.2) and reuse of ephemeral keys. If you use recent (patched, secure) software versions and also configure the MODP groups reasonably (as the configs here instruct you to), you're pretty safe between WeakDH (not large enough) and DHEater (unnecessarily large allowed).

If you don't use RSA certs these suites won't even be used at all, as their only reason to be included was before the widespread ECDSA use for compatibility reasons.

Most probing tools should be happy with OpenSSL's equivalent of SECLEVEL:2 for ≥2048b keys and only trigger "weak" flags or grade capping with smaller size, which you really should not use unless you know why. So it's not wholesale weak, but it can be indeed configured to be weak, absolutely. The configs here help you avoid that, and follow the size set in the guidelines, and use RFC 7919 groups.

That said, if you do spot gaps in the configs that allow DH exchanges with weak params (that are not already tracked as known issues), feel free to open a new bug for such config.
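
As an added example (not code from this thread or from the ssl-config-generator project), the following Python lint encodes the three conditions janbrasna describes above: finite-field DHE suites need an explicitly configured group, the group must be at least 2048 bits (the SECLEVEL 2 floor; WeakDH territory below), and it should not be needlessly large (only server-side cost, the DHEat angle). The 4096-bit ceiling is an assumption of this example, and the sample DH parameter blobs are built from constructed non-prime values purely to exercise the size check, not for any real use.

```python
import base64

MIN_BITS, MAX_BITS = 2048, 4096  # SECLEVEL 2 floor (WeakDH below); assumed ceiling (DHEat cost)

def _der_len(n):  # DER length, short or long form
    if n < 128:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def _der_int(n):  # DER INTEGER; the extra leading byte keeps a high-bit value positive
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(raw)) + raw

def make_dhparam_pem(p, g=2):  # PEM 'DH PARAMETERS' = SEQUENCE { INTEGER p, INTEGER g }
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    b64 = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % b64

def _read_len(buf, i):  # decode DER length at offset i -> (length, offset of contents)
    if buf[i] < 128:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def dh_modulus_bits(pem):  # bit length of the prime p in a PEM DH PARAMETERS blob
    der = base64.b64decode("".join(ln for ln in pem.splitlines() if not ln.startswith("-----")))
    if der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, i = _read_len(der, 1)         # SEQUENCE contents start here; der[i] == 0x02 (INTEGER p)
    plen, i = _read_len(der, i + 1)
    return int.from_bytes(der[i:i + plen], "big").bit_length()

def check_dh_config(ssl_ciphers, dhparam_pem=None):  # findings for cipher string + DH group
    if not any(c.startswith("DHE-") for c in ssl_ciphers.split(":")):
        return []                    # no finite-field DHE suites: nothing to check
    if dhparam_pem is None:
        return ["DHE suites enabled but no DH group configured (ssl_dhparam missing)"]
    bits = dh_modulus_bits(dhparam_pem)
    if bits < MIN_BITS:
        return ["%d-bit DH group: below the 2048-bit floor (WeakDH)" % bits]
    if bits > MAX_BITS:
        return ["%d-bit DH group: larger than needed, only raises DHEat cost" % bits]
    return []

# Constructed sample groups (NOT primes, NOT for use): only their bit lengths matter here.
WEAK_PEM = make_dhparam_pem((1 << 1023) | 1)   # 1024-bit
OK_PEM = make_dhparam_pem((1 << 2047) | 1)     # 2048-bit, the guideline size
CIPHERS = "ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-CHACHA20-POLY1305"
```

Pointing `dh_modulus_bits` at a real ffdhe2048 PEM (the group the generator's configs reference) returns 2048, so `check_dh_config` stays silent for that setup and only speaks up when the group is missing, too small or oversized.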
