NIST Compliance

darren.grant · December 23, 2018, 1:08am

To comply with the latest NIST guidelines TLS 1.2 should have TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 disabled. I can’t find anyway to do this on Cloudflare.

sdayman · December 24, 2018, 1:13am

As much as I’d love to disable a bunch of weaker cyphers, it’s not possible on any of the plans I’m on.

However…I do have a Biz plan where I’ve uploaded my Let’s Encrypt certificate and it’s not using the TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 cypher. I don’t know if it’s because it’s a Biz plan, or if it’s because of the Let’s Encrypt certificate.

Judge · December 24, 2018, 4:02am

@sdayman assuming the certificate is *RSA

an *ECDSA* cipher wouldn’t show up, so it’s probably due to the Certificate.

darren.grant · December 24, 2018, 9:00am

Yes it seems that Cloudflare are issuing ECDSA certificates on their free plan, does anyone know if it is possible to have RSA certificate instead without having to jump all the way to a business plan?

sdayman · December 24, 2018, 1:18pm

Here’s what’s installed on the Pro Plan:
30%20AM

I’m not sure what you get if you buy a Dedicated Certificate.

darren.grant · December 24, 2018, 1:44pm

Unfortunately It is all 3 types and one is selected automatically to suit the client otherwise the Pro package might have been an option as the cost is not too unreasonable. Unfortunately a test for NIST would still fail due to the availability of ECDSA.

It seems that ECDSA was not widely available when the NIST guidelines were written. It seems that it should be OK from a technical stand point of view. The problem seems to be that as the guidelines do not make a recommendation for ECDSA it means that using Cloudflare does not allow us to claim NIST compliance.

sdayman · December 24, 2018, 2:43pm

That’s what I suspected, which is the same issue I have with the weaker cyphers. Server may select, but it’s still there.

OliverGrant · December 24, 2018, 6:22pm

@darren.grant,

As @sdayman indicated today you’d need to upload your own certificate with the cyphers you want to use or if you are an enterprise customers you can provide Cloudflare a whitelisted set of cyphers to be used through your account team.

-OG

mnordhoff · December 24, 2018, 7:12pm

What are the “NIST compliance” rules and why do you want to turn off good cryptography?

Judge · December 24, 2018, 9:39pm

I believe this one:

See page 26 for recommended cipher suites. From my ssllabs.com test with a universal SSL certificate (ECDSA, RSA, and DSA) it does show some CHACHA cipher suites that aren’t listed (or even mentioned) in the NIST draft.

Note that this is a draft, so comments are open — both ssllabs.com (Qualys, Inc) and Carnegie Mellon University (page 12) support that CHACHA20 is a secure cipher, just not an approved cipher. Since this is a draft, the guidelines are not finalized, and CHACHA20 might make it into the final revision.

system · January 22, 2019, 1:08am

This topic was automatically closed after 30 days. New replies are no longer allowed.

Topic		Replies	Views
Weak cipher suites Security dash-ssl-tls	8	13656	March 23, 2019
How can we disable weak ciphers Security	7	15264	September 30, 2021
Using cloudflare whilst already having LetsEncrypt Security dash-ssl-tls , dash-errors , dash-troubleshooting	13	2643	April 29, 2019
Unwanted ciphers pushed by Cloudflare API	1	3002	October 29, 2020
Weak encrypt Security	3	2480	July 15, 2021

NIST Compliance

Related topics