Cipher Selection
By default, Taskserver 1.0.0 uses the GnuTLS cipher set:
PERFORMANCE:%SERVER_PRECEDENCE
Taskserver 1.1.0 and later uses this GnuTLS cipher set:
NORMAL
Taskwarrior uses:
NORMAL
You may wish to override these ciphers with a set that satisfies your security needs. A vigilant Taskserver administrator may wish to respond to news of various cipher weaknesses. For example, a more secure set would be to use only TLS 1.2 and these ciphers:
ECDHE-ECDSA-AES256-GCM-SHA384
If AES is later compromised, perhaps use:
DHE-RSA-CAMELLIA256-SHA
Should elliptical curves later be compromised, perhaps use:
DHE-RSA-AES256-SHA
You should be aware that this is a dynamic and volatile subject, and for the best security you need to be aware of vulnerabilities.
Installed Ciphers
Use this command to see a list of installed ciphers, and run it on both the client and server machine to confirm that there is overlapping support between client and server.
$ gnutls-cli --list
Cipher suites:
TLS_RSA_NULL_MD5 0x00, 0x01 SSL3.0
TLS_RSA_NULL_SHA1 0x00, 0x02 SSL3.0
TLS_RSA_NULL_SHA256 0x00, 0x3b TLS1.0
TLS_RSA_ARCFOUR_128_SHA1 0x00, 0x05 SSL3.0
TLS_RSA_ARCFOUR_128_MD5 0x00, 0x04 SSL3.0
TLS_RSA_3DES_EDE_CBC_SHA1 0x00, 0x0a SSL3.0
TLS_RSA_AES_128_CBC_SHA1 0x00, 0x2f SSL3.0
TLS_RSA_AES_256_CBC_SHA1 0x00, 0x35 SSL3.0
TLS_RSA_CAMELLIA_128_CBC_SHA256 0x00, 0xba TLS1.0
TLS_RSA_CAMELLIA_256_CBC_SHA256 0x00, 0xc0 TLS1.0
TLS_RSA_CAMELLIA_128_CBC_SHA1 0x00, 0x41 SSL3.0
TLS_RSA_CAMELLIA_256_CBC_SHA1 0x00, 0x84 SSL3.0
TLS_RSA_AES_128_CBC_SHA256 0x00, 0x3c TLS1.0
TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d TLS1.0
TLS_RSA_AES_128_GCM_SHA256 0x00, 0x9c TLS1.2
TLS_RSA_AES_256_GCM_SHA384 0x00, 0x9d TLS1.2
TLS_RSA_CAMELLIA_128_GCM_SHA256 0xc0, 0x7a TLS1.2
TLS_RSA_CAMELLIA_256_GCM_SHA384 0xc0, 0x7b TLS1.2
TLS_RSA_SALSA20_256_SHA1 0xe4, 0x11 SSL3.0
TLS_RSA_SALSA20_256_UMAC96 0xe4, 0x31 SSL3.0
TLS_RSA_ESTREAM_SALSA20_256_SHA1 0xe4, 0x10 SSL3.0
TLS_RSA_ESTREAM_SALSA20_256_UMAC96 0xe4, 0x30 SSL3.0
TLS_DHE_DSS_ARCFOUR_128_SHA1 0x00, 0x66 SSL3.0
TLS_DHE_DSS_3DES_EDE_CBC_SHA1 0x00, 0x13 SSL3.0
TLS_DHE_DSS_AES_128_CBC_SHA1 0x00, 0x32 SSL3.0
TLS_DHE_DSS_AES_256_CBC_SHA1 0x00, 0x38 SSL3.0
TLS_DHE_DSS_CAMELLIA_128_CBC_SHA256 0x00, 0xbd TLS1.0
TLS_DHE_DSS_CAMELLIA_256_CBC_SHA256 0x00, 0xc3 TLS1.0
TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1 0x00, 0x44 SSL3.0
TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1 0x00, 0x87 SSL3.0
TLS_DHE_DSS_AES_128_CBC_SHA256 0x00, 0x40 TLS1.0
TLS_DHE_DSS_AES_256_CBC_SHA256 0x00, 0x6a TLS1.0
TLS_DHE_DSS_AES_128_GCM_SHA256 0x00, 0xa2 TLS1.2
TLS_DHE_DSS_AES_256_GCM_SHA384 0x00, 0xa3 TLS1.2
TLS_DHE_DSS_CAMELLIA_128_GCM_SHA256 0xc0, 0x80 TLS1.2
TLS_DHE_DSS_CAMELLIA_256_GCM_SHA384 0xc0, 0x81 TLS1.2
TLS_DHE_RSA_3DES_EDE_CBC_SHA1 0x00, 0x16 SSL3.0
TLS_DHE_RSA_AES_128_CBC_SHA1 0x00, 0x33 SSL3.0
TLS_DHE_RSA_AES_256_CBC_SHA1 0x00, 0x39 SSL3.0
TLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 0x00, 0xbe TLS1.0
TLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 0x00, 0xc4 TLS1.0
TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 0x00, 0x45 SSL3.0
TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 0x00, 0x88 SSL3.0
TLS_DHE_RSA_AES_128_CBC_SHA256 0x00, 0x67 TLS1.0
TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b TLS1.0
TLS_DHE_RSA_AES_128_GCM_SHA256 0x00, 0x9e TLS1.2
TLS_DHE_RSA_AES_256_GCM_SHA384 0x00, 0x9f TLS1.2
TLS_DHE_RSA_CAMELLIA_128_GCM_SHA256 0xc0, 0x7c TLS1.2
TLS_DHE_RSA_CAMELLIA_256_GCM_SHA384 0xc0, 0x7d TLS1.2
TLS_ECDHE_RSA_NULL_SHA1 0xc0, 0x10 SSL3.0
TLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 0xc0, 0x12 SSL3.0
TLS_ECDHE_RSA_AES_128_CBC_SHA1 0xc0, 0x13 SSL3.0
TLS_ECDHE_RSA_AES_256_CBC_SHA1 0xc0, 0x14 SSL3.0
TLS_ECDHE_RSA_AES_256_CBC_SHA384 0xc0, 0x28 TLS1.0
TLS_ECDHE_RSA_ARCFOUR_128_SHA1 0xc0, 0x11 SSL3.0
TLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256 0xc0, 0x76 TLS1.0
TLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 0xc0, 0x77 TLS1.0
TLS_ECDHE_ECDSA_NULL_SHA1 0xc0, 0x06 SSL3.0
TLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 0xc0, 0x08 SSL3.0
TLS_ECDHE_ECDSA_AES_128_CBC_SHA1 0xc0, 0x09 SSL3.0
TLS_ECDHE_ECDSA_AES_256_CBC_SHA1 0xc0, 0x0a SSL3.0
TLS_ECDHE_ECDSA_ARCFOUR_128_SHA1 0xc0, 0x07 SSL3.0
TLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 0xc0, 0x72 TLS1.0
TLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 0xc0, 0x73 TLS1.0
TLS_ECDHE_ECDSA_AES_128_CBC_SHA256 0xc0, 0x23 TLS1.0
TLS_ECDHE_RSA_AES_128_CBC_SHA256 0xc0, 0x27 TLS1.0
TLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 0xc0, 0x86 TLS1.2
TLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 0xc0, 0x87 TLS1.2
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256 0xc0, 0x2b TLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2c TLS1.2
TLS_ECDHE_RSA_AES_128_GCM_SHA256 0xc0, 0x2f TLS1.2
TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2
TLS_ECDHE_ECDSA_AES_256_CBC_SHA384 0xc0, 0x24 TLS1.0
TLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256 0xc0, 0x8a TLS1.2
TLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384 0xc0, 0x8b TLS1.2
TLS_ECDHE_RSA_SALSA20_256_SHA1 0xe4, 0x13 SSL3.0
TLS_ECDHE_RSA_SALSA20_256_UMAC96 0xe4, 0x33 SSL3.0
TLS_ECDHE_ECDSA_SALSA20_256_SHA1 0xe4, 0x15 SSL3.0
TLS_ECDHE_ECDSA_SALSA20_256_UMAC96 0xe4, 0x35 SSL3.0
TLS_ECDHE_RSA_ESTREAM_SALSA20_256_SHA1 0xe4, 0x12 SSL3.0
TLS_ECDHE_RSA_ESTREAM_SALSA20_256_UMAC96 0xe4, 0x32 SSL3.0
TLS_ECDHE_ECDSA_ESTREAM_SALSA20_256_SHA1 0xe4, 0x14 SSL3.0
TLS_ECDHE_ECDSA_ESTREAM_SALSA20_256_UMAC96 0xe4, 0x34 SSL3.0
TLS_ECDHE_PSK_3DES_EDE_CBC_SHA1 0xc0, 0x34 SSL3.0
TLS_ECDHE_PSK_AES_128_CBC_SHA1 0xc0, 0x35 SSL3.0
TLS_ECDHE_PSK_AES_256_CBC_SHA1 0xc0, 0x36 SSL3.0
TLS_ECDHE_PSK_AES_128_CBC_SHA256 0xc0, 0x37 TLS1.0
TLS_ECDHE_PSK_AES_256_CBC_SHA384 0xc0, 0x38 TLS1.0
TLS_ECDHE_PSK_ARCFOUR_128_SHA1 0xc0, 0x33 SSL3.0
TLS_ECDHE_PSK_NULL_SHA256 0xc0, 0x3a TLS1.0
TLS_ECDHE_PSK_NULL_SHA384 0xc0, 0x3b TLS1.0
TLS_ECDHE_PSK_CAMELLIA_128_CBC_SHA256 0xc0, 0x9a TLS1.0
TLS_ECDHE_PSK_CAMELLIA_256_CBC_SHA384 0xc0, 0x9b TLS1.0
TLS_ECDHE_PSK_SALSA20_256_SHA1 0xe4, 0x19 SSL3.0
TLS_ECDHE_PSK_SALSA20_256_UMAC96 0xe4, 0x39 SSL3.0
TLS_ECDHE_PSK_ESTREAM_SALSA20_256_SHA1 0xe4, 0x18 SSL3.0
TLS_ECDHE_PSK_ESTREAM_SALSA20_256_UMAC96 0xe4, 0x38 SSL3.0
TLS_PSK_ARCFOUR_128_SHA1 0x00, 0x8a SSL3.0
TLS_PSK_3DES_EDE_CBC_SHA1 0x00, 0x8b SSL3.0
TLS_PSK_AES_128_CBC_SHA1 0x00, 0x8c SSL3.0
TLS_PSK_AES_256_CBC_SHA1 0x00, 0x8d SSL3.0
TLS_PSK_AES_128_CBC_SHA256 0x00, 0xae TLS1.0
TLS_PSK_AES_256_GCM_SHA384 0x00, 0xa9 TLS1.2
TLS_PSK_CAMELLIA_128_GCM_SHA256 0xc0, 0x8e TLS1.2
TLS_PSK_CAMELLIA_256_GCM_SHA384 0xc0, 0x8f TLS1.2
TLS_PSK_AES_128_GCM_SHA256 0x00, 0xa8 TLS1.2
TLS_PSK_NULL_SHA256 0x00, 0xb0 TLS1.0
TLS_PSK_CAMELLIA_128_CBC_SHA256 0xc0, 0x94 TLS1.0
TLS_PSK_CAMELLIA_256_CBC_SHA384 0xc0, 0x95 TLS1.0
TLS_PSK_SALSA20_256_SHA1 0xe4, 0x17 SSL3.0
TLS_PSK_SALSA20_256_UMAC96 0xe4, 0x37 SSL3.0
TLS_PSK_ESTREAM_SALSA20_256_SHA1 0xe4, 0x16 SSL3.0
TLS_PSK_ESTREAM_SALSA20_256_UMAC96 0xe4, 0x36 SSL3.0
TLS_PSK_AES_256_CBC_SHA384 0x00, 0xaf TLS1.0
TLS_PSK_NULL_SHA384 0x00, 0xb1 TLS1.0
TLS_RSA_PSK_ARCFOUR_128_SHA1 0x00, 0x92 SSL3.0
TLS_RSA_PSK_3DES_EDE_CBC_SHA1 0x00, 0x93 SSL3.0
TLS_RSA_PSK_AES_128_CBC_SHA1 0x00, 0x94 SSL3.0
TLS_RSA_PSK_AES_256_CBC_SHA1 0x00, 0x95 SSL3.0
TLS_RSA_PSK_CAMELLIA_128_GCM_SHA256 0xc0, 0x92 TLS1.2
TLS_RSA_PSK_CAMELLIA_256_GCM_SHA384 0xc0, 0x93 TLS1.2
TLS_RSA_PSK_AES_128_GCM_SHA256 0x00, 0xac TLS1.2
TLS_RSA_PSK_AES_128_CBC_SHA256 0x00, 0xb6 TLS1.0
TLS_RSA_PSK_NULL_SHA256 0x00, 0xb8 TLS1.0
TLS_RSA_PSK_AES_256_GCM_SHA384 0x00, 0xad TLS1.2
TLS_RSA_PSK_AES_256_CBC_SHA384 0x00, 0xb7 TLS1.0
TLS_RSA_PSK_NULL_SHA384 0x00, 0xb9 TLS1.0
TLS_RSA_PSK_CAMELLIA_128_CBC_SHA256 0xc0, 0x98 TLS1.0
TLS_RSA_PSK_CAMELLIA_256_CBC_SHA384 0xc0, 0x99 TLS1.0
TLS_DHE_PSK_ARCFOUR_128_SHA1 0x00, 0x8e SSL3.0
TLS_DHE_PSK_3DES_EDE_CBC_SHA1 0x00, 0x8f SSL3.0
TLS_DHE_PSK_AES_128_CBC_SHA1 0x00, 0x90 SSL3.0
TLS_DHE_PSK_AES_256_CBC_SHA1 0x00, 0x91 SSL3.0
TLS_DHE_PSK_AES_128_CBC_SHA256 0x00, 0xb2 TLS1.0
TLS_DHE_PSK_AES_128_GCM_SHA256 0x00, 0xaa TLS1.2
TLS_DHE_PSK_NULL_SHA256 0x00, 0xb4 TLS1.0
TLS_DHE_PSK_NULL_SHA384 0x00, 0xb5 TLS1.0
TLS_DHE_PSK_AES_256_CBC_SHA384 0x00, 0xb3 TLS1.0
TLS_DHE_PSK_AES_256_GCM_SHA384 0x00, 0xab TLS1.2
TLS_DHE_PSK_CAMELLIA_128_CBC_SHA256 0xc0, 0x96 TLS1.0
TLS_DHE_PSK_CAMELLIA_256_CBC_SHA384 0xc0, 0x97 TLS1.0
TLS_DHE_PSK_CAMELLIA_128_GCM_SHA256 0xc0, 0x90 TLS1.2
TLS_DHE_PSK_CAMELLIA_256_GCM_SHA384 0xc0, 0x91 TLS1.2
TLS_DH_ANON_ARCFOUR_128_MD5 0x00, 0x18 SSL3.0
TLS_DH_ANON_3DES_EDE_CBC_SHA1 0x00, 0x1b SSL3.0
TLS_DH_ANON_AES_128_CBC_SHA1 0x00, 0x34 SSL3.0
TLS_DH_ANON_AES_256_CBC_SHA1 0x00, 0x3a SSL3.0
TLS_DH_ANON_CAMELLIA_128_CBC_SHA256 0x00, 0xbf TLS1.0
TLS_DH_ANON_CAMELLIA_256_CBC_SHA256 0x00, 0xc5 TLS1.0
TLS_DH_ANON_CAMELLIA_128_CBC_SHA1 0x00, 0x46 SSL3.0
TLS_DH_ANON_CAMELLIA_256_CBC_SHA1 0x00, 0x89 SSL3.0
TLS_DH_ANON_AES_128_CBC_SHA256 0x00, 0x6c TLS1.0
TLS_DH_ANON_AES_256_CBC_SHA256 0x00, 0x6d TLS1.0
TLS_DH_ANON_AES_128_GCM_SHA256 0x00, 0xa6 TLS1.2
TLS_DH_ANON_AES_256_GCM_SHA384 0x00, 0xa7 TLS1.2
TLS_DH_ANON_CAMELLIA_128_GCM_SHA256 0xc0, 0x84 TLS1.2
TLS_DH_ANON_CAMELLIA_256_GCM_SHA384 0xc0, 0x85 TLS1.2
TLS_ECDH_ANON_NULL_SHA1 0xc0, 0x15 SSL3.0
TLS_ECDH_ANON_3DES_EDE_CBC_SHA1 0xc0, 0x17 SSL3.0
TLS_ECDH_ANON_AES_128_CBC_SHA1 0xc0, 0x18 SSL3.0
TLS_ECDH_ANON_AES_256_CBC_SHA1 0xc0, 0x19 SSL3.0
TLS_ECDH_ANON_ARCFOUR_128_SHA1 0xc0, 0x16 SSL3.0
TLS_SRP_SHA_3DES_EDE_CBC_SHA1 0xc0, 0x1a SSL3.0
TLS_SRP_SHA_AES_128_CBC_SHA1 0xc0, 0x1d SSL3.0
TLS_SRP_SHA_AES_256_CBC_SHA1 0xc0, 0x20 SSL3.0
TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1 0xc0, 0x1c SSL3.0
TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1 0xc0, 0x1b SSL3.0
TLS_SRP_SHA_DSS_AES_128_CBC_SHA1 0xc0, 0x1f SSL3.0
TLS_SRP_SHA_RSA_AES_128_CBC_SHA1 0xc0, 0x1e SSL3.0
TLS_SRP_SHA_DSS_AES_256_CBC_SHA1 0xc0, 0x22 SSL3.0
TLS_SRP_SHA_RSA_AES_256_CBC_SHA1 0xc0, 0x21 SSL3.0
Certificate types: CTYPE-X.509, CTYPE-OPENPGP
Protocols: VERS-SSL3.0, VERS-TLS1.0, VERS-TLS1.1, VERS-TLS1.2, VERS-DTLS0.9, VERS-DTLS1.0, VERS-DTLS1.2
Ciphers: AES-256-CBC, AES-192-CBC, AES-128-CBC, AES-128-GCM, AES-256-GCM, ARCFOUR-128, ESTREAM-SALSA20-256, SALSA20-256, CAMELLIA-256-CBC, CAMELLIA-192-CBC, CAMELLIA-128-CBC, CAMELLIA-128-GCM, CAMELLIA-256-GCM, 3DES-CBC, DES-CBC, ARCFOUR-40, RC2-40
MACs: SHA1, MD5, SHA256, SHA384, SHA512, SHA224, UMAC-96, UMAC-128, AEAD
Digests: SHA1, MD5, SHA256, SHA384, SHA512, SHA224
Key exchange algorithms: ANON-DH, ANON-ECDH, RSA, DHE-RSA, DHE-DSS, ECDHE-RSA, ECDHE-ECDSA, SRP-DSS, SRP-RSA, SRP, PSK, RSA-PSK, DHE-PSK, ECDHE-PSK
Compression: COMP-DEFLATE, COMP-NULL
Elliptic curves: CURVE-SECP192R1, CURVE-SECP224R1, CURVE-SECP256R1, CURVE-SECP384R1, CURVE-SECP521R1
Public Key Systems: RSA, DSA, EC
PK-signatures: SIGN-RSA-SHA1, SIGN-RSA-SHA1, SIGN-RSA-SHA224, SIGN-RSA-SHA256, SIGN-RSA-SHA384, SIGN-RSA-SHA512, SIGN-RSA-RMD160, SIGN-DSA-SHA1, SIGN-DSA-SHA1, SIGN-DSA-SHA224, SIGN-DSA-SHA256, SIGN-RSA-MD5, SIGN-RSA-MD5, SIGN-RSA-MD2, SIGN-ECDSA-SHA1, SIGN-ECDSA-SHA224, SIGN-ECDSA-SHA256, SIGN-ECDSA-SHA384, SIGN-ECDSA-SHA512
This is example output, and it changes with GnuTLS releases. Choose well.
Configuration
Taskserver supports the ciphers configuration setting and Taskwarrior supports taskd.ciphers as a means to override the default set.