docs: add more warnings about security policy defaults #4507
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -89,6 +89,15 @@ unsafe impl Send for Connection {} | |
| unsafe impl Sync for Connection {} | ||
|
|
||
| impl Connection { | ||
| /// # Warning | ||
| /// | ||
| /// The newly created connection uses the default security policy. | ||
| /// Consider changing this depending on your security and availability requirements | ||
| /// by calling [`Connection::set_security_policy`]. | ||
| /// Alternatively, you can use [`crate::config::Builder`], [`crate::config::Builder::set_security_policy`], | ||
| /// and [`Connection::set_config`] to set the policy on the Config instead of on the Connection. | ||
| /// See the s2n-tls usage guide: | ||
| /// <https://aws.github.io/s2n-tls/usage-guide/ch06-security-policies.html> | ||
| pub fn new(mode: Mode) -> Self { | ||
| crate::init::init(); | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,10 @@ | ||
| // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. | ||
| // SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| //! Security options like cipher suites, signature algorithms, versions, etc. | ||
| //! | ||
| //! See <https://aws.github.io/s2n-tls/usage-guide/ch06-security-policies.html> | ||
|
|
||
| use crate::error::Error; | ||
| use core::fmt; | ||
| use std::ffi::{CStr, CString}; | ||
|
|
@@ -25,6 +29,8 @@ impl Policy { | |
| } | ||
| } | ||
|
|
||
| /// See the s2n-tls usage guide for details on available policies: | ||
| /// <https://aws.github.io/s2n-tls/usage-guide/ch06-security-policies.html> | ||
| pub fn from_version(version: &str) -> Result<Policy, Error> { | ||
| let cstr = CString::new(version).map_err(|_| Error::INVALID_INPUT)?; | ||
| let context = Context::Owned(cstr); | ||
|
|
@@ -39,16 +45,47 @@ impl fmt::Debug for Policy { | |
| } | ||
|
|
||
| macro_rules! policy { | ||
| ($version:expr) => { | ||
| Policy(Context::Static(concat!($version, "\0").as_bytes())) | ||
| }; | ||
| } | ||
|
|
||
| /// Default policy | ||
| /// | ||
| /// # Warning | ||
| /// | ||
| /// Cipher suites, curves, signature algorithms, or other security policy options | ||
| /// may be added or removed from "default" in order to keep it up to date with | ||
| /// current security best practices. | ||
| /// | ||
| /// That means that updating the library may cause the policy to change. If peers | ||
| /// are expected to be reasonably modern and support standard options, then this | ||
| /// should not be a problem. But if peers rely on a deprecated option that is removed, | ||
| /// they may be unable to connect. | ||
| /// | ||
| /// If you instead need a static, versioned policy, choose one according to the s2n-tls usage guide: | ||
| /// <https://aws.github.io/s2n-tls/usage-guide/ch06-security-policies.html> | ||
| pub const DEFAULT: Policy = policy!("default"); | ||
|
|
||
| /// Default policy supporting TLS1.3 | ||
| /// | ||
| /// # Warning | ||
| /// | ||
| /// Cipher suites, curves, signature algorithms, or other security policy options | ||
| /// may be added or removed from "default_tls13" in order to keep it up to date with | ||
| /// current security best practices. | ||
| /// | ||
| /// That means that updating the library may cause the policy to change. If peers | ||
| /// are expected to be reasonably modern and support standard options, then this | ||
| /// should not be a problem. But if peers rely on a deprecated option that is removed, | ||
| /// they may be unable to connect. | ||
| /// | ||
| /// If you instead need a static, versioned policy, choose one according to the s2n-tls usage guide: | ||
| /// <https://aws.github.io/s2n-tls/usage-guide/ch06-security-policies.html> | ||
| pub const DEFAULT_TLS13: Policy = policy!("default_tls13"); | ||
|
|
||
| #[cfg(feature = "pq")] | ||
| pub const TESTING_PQ: Policy = policy!("PQ-TLS-1-0-2021-05-26"); | ||
|
|
||
| pub const ALL_POLICIES: &[Policy] = &[ | ||
| DEFAULT, | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -40,24 +40,26 @@ The following chart maps the security policy version to protocol version and cip | |
| | 20200207 | | | | X | | X | X | | | | X | | | ||
| | rfc9151 | | | X | X | | X | | | | X | X | X | | ||
|
|
||
| The "default", "default_tls13", and "default_fips" versions are special in that they will be updated with future s2n-tls changes to keep up-to-date with current security best practices. Ciphersuites, protocol versions, and other options may be added or removed, or their internal order of preference might change. **Warning**: this means that the default policies may change as a result of library updates, which could break peers that rely on legacy options. | ||
|
|
||
| In contrast, numbered or dated versions are fixed and will never change. | ||
|
|
||
| "20230317" offers more limited but more secure options than the default policies. Consider it if you don't need or want to support less secure legacy options like TLS1.1 or SHA1. It is also FIPS compliant and supports TLS1.3. If you need a version of this policy that doesn't support TLS1.3, choose "20240331" instead. | ||
|
|
||
| "20160411" follows the same general preference order as "default". The main difference is it has a CBC cipher suite at the top. This is to accommodate certain Java clients that have poor GCM implementations. Users of s2n-tls who have found GCM to be hurting performance for their clients should consider this version. | ||
|
|
||
| "rfc9151" is derived from [Commercial National Security Algorithm (CNSA) Suite Profile for TLS and DTLS 1.2 and 1.3](https://datatracker.ietf.org/doc/html/rfc9151). This policy restricts the algorithms allowed for signatures on certificates in the certificate chain to RSA or ECDSA with sha384, which may require you to update your certificates. | ||
| Like the default policies, this policy may also change if the source RFC definition changes. | ||
|
|
||
| s2n-tls does not expose an API to control the order of preference for each ciphersuite or protocol version. s2n-tls follows the following order: | ||
|
|
||
| 1. Always prefer the highest protocol version supported | ||
| 2. Always use forward secrecy where possible. Prefer ECDHE over DHE. | ||
| 3. Prefer encryption ciphers in the following order: AES128, AES256, ChaCha20, 3DES, RC4. | ||
| 4. Prefer record authentication modes in the following order: GCM, Poly1305, SHA256, SHA1, MD5. | ||
|
|
||
| *NOTE*: ChaCha20-Poly1305 cipher suites will not be available if s2n-tls is built with an older libcrypto like openssl-1.0.2. The underlying encrypt/decrypt functions are not available in older versions. | ||
|
|
||
| #### ChaCha20 Boosting | ||
|
|
||
| s2n-tls usually prefers AES over ChaCha20. However, some clients-- particularly mobile or IOT devices-- do not support AES hardware acceleration, making AES less efficient and performant than ChaCha20. In this case, clients will indicate their preference for ChaCha20 by listing it first during cipher suite negotiation. Usually s2n-tls servers ignore client preferences, but s2n-tls offers "ChaCha20 boosted" security policies that will choose ChaCha20 over AES if the client indicates a preference for ChaCha20. This is available in the "CloudFront-TLS-1-2-2021-ChaCha20-Boosted" policy, which is identical to the "CloudFront-TLS-1-2-2021" policy listed above but with ChaCha20 Boosting enabled. | ||
|
|
@@ -90,7 +92,9 @@ s2n-tls usually prefers AES over ChaCha20. However, some clients-- particularly | |
| | 20200207 | | X | | X | | ||
| | rfc9151 | X | X | | X | | ||
|
|
||
| *NOTE*: Legacy SHA-1 algorithms are not supported in TLS1.3. Legacy SHA-1 algorithms will be supported only if TLS1.2 has been negotiated and the security policy allows them. | ||
|
|
||
| *NOTE*: RSA-PSS certificates will not be available if s2n-tls is built with an older libcrypto like openssl-1.0.2. RSA certificate signatures with PSS padding (RSA-PSS-RSAE) will still be available, but RSA-PSS certificate signatures with PSS padding (RSA-PSS-PSS) will not be available. | ||
|
|
||
| ### Chart: Security policy version to supported curves/groups | ||
|
|
||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this short version of the warning mention that the policy changes? Unless I already knew about the default policy/had read the other documentation, I probably wouldn't understand why this was a warning.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Idk, the changing isn't the only issue. The default policy might also just not have the options they're expecting / wanting. Like, at the moment it still has 1.0 and most customers probably don't want 1.0.
I was hoping I just needed to point out policies even exist so customers might read the other documentation :/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ya, if we think the default is going to remain stuck at 1.0, then I wonder if it would be worth exploring the option of totally removing the default from the bindings?
But still think we should merge this PR, since the new warning is definitely better than what we have now 😄