How can I verify that perfect forward secrecy is in use? I have found documentation on pfs but nothing that really says how to verify it (unless I’ve overlooked it). I am running Enterprise Mongo 4.0.18 and 4.2.8 on rhel7. Also, I see that there could potentially be performance lag involved. Is anyone familiar with pfs that has seen any concerns with it? Are there any pearls of wisdom to share on pfs?
Hi @JamesT
PFS is a function of the selected cipher suites. So restricting mongod to those is enough to enforce it.
The easy button for this one is to use TLSv1.3 only as only PFS ciphers are used.
net:
tls:
disabledProtocols: TLS1_0,TLS1_1,TLS1_2
Otherwise you will have to specify the cipher list using opensslCipherConfig
The OWASP cheat cheat identifies OWASP string B using TLS1.3 and TLS1.2 and only PFS ciphers as:
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
I like to use sslyze for internal/non-https TLS testing. Deferring to ssllabs and Mozilla Observatory for general web.
sslyze will only show that PFS is supported, not which ciphers do.
1 Like