[Triumf-linux-users] [Triumf-linux-managers] SSLv3 and the POODLE vulnerability - server patching

Konstantin Olchanski olchansk at triumf.ca
Fri Mar 20 10:50:14 PDT 2015


> >
> >>SSLProtocol all -SSLv2 -SSLv3
> >>SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> >


I sense lack of consensus on "good" values of "SSLCipherSuite".

I looked a bit into its history:

1) the above settings are the defaults shipped by SL6.6 mod_ssl-2.2.15-39.sl6.x86_64 (note: this default is missing "-SSLv3" in SSLProtocol)
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

2) vanilla httpd version 2.2.15 has:
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
3) vanilla httpd version 2.2.29 (latest) has:
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
4) vanilla httpd version 2.4.12 (latest) has:
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
5) vanilla httpd trunk has:
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
    #SSLHonorCipherOrder on 

6) SL7 mod_ssl-2.4.6-31.sl7.x86_64 has:
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
    #SSLHonorCipherOrder on 


http://svn.apache.org/viewvc/httpd/httpd/tags/2.2.29/docs/conf/extra/httpd-ssl.conf.in?revision=1619850&view=markup
http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in?revision=1634736&view=markup

Vanilla httpd documentation has:

7) version 2.2 (shipped with SL6.6) http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html

SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP
SSLCipherSuite HIGH:MEDIUM
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

8) version 2.4 (shipped with SL7) http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html

SSLCipherSuite HIGH:!aNULL:!MD5
SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5 with SSLHonorCipherOrder on
SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL

9) trunk http://httpd.apache.org/docs/trunk/ssl/ssl_howto.html

SSLCipherSuite HIGH:!aNULL:!MD5
SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5 with SSLHonorCipherOrder on
SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL

Note how httpd mod_ssl documentation does not directly address or discuss
the issues of RC4 weaknesses, forward secrecy and browser compatibility.

Also note how documentation is not 100% consistent with the example ssl.conf files.

I guess for those running SL6 there are 3 choices:

a) stay with SL6 defaults, see (1)
b) switch to vanilla httpd latest defaults, see (2-6)
c) switch to ssl_howto settings, see (8-9)


K.O.


Kept for reference -

> >So SSLProtocol looks okay, but SSLCipherSuite I believe needs to be changed,
> >what should it say per latest recommendations?
> 
> Per http://www.g-loaded.eu/2011/09/27/mod_gnutls-rc4-cipher-beast/
> I have been using
>   SSLHonorCipherOrder on
>   SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL
> but that's 3 years old now.
> Chrome is saying that is "obsolete cryptography" on SL5, even with
> MD5 removed. (though the ordering would force SHA to be used if
> supported by the browser)
> See http://www.chromium.org/Home/chromium-security/education/tls
> 
> - some investigation reveals that dropping SSLHonorCipherOrder in
> that recipe allows Chrome, somehow, to select a more secure cipher.
> If I try
>   SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:!MD5:!SHA1:ALL
> on CentOS6
> that works on Chrome and says "modern crypto", but Firefox on SL5
> can't find a common cipher.
> 
> 
> A more recent page
> http://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
> suggests
>   SSLHonorCipherOrder on
>   SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
> 
> that seems to work on CentOS 6 both for Firefox on SL5 and Chrome
> (with "modern crypto").
> 
> Not all those ciphers are supported by openssl on SL5, although the
> server will still run as long as at least one cipher is found.
> Supported ciphers may be found with "openssl ciphers -v"
> 
> The following subset may give the same functionality on SL5:
> SSLCipherSuite DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
> 
> 
> There is a nice server testing tool at:
> https://www.ssllabs.com/ssltest/analyze.html
> 
> 
> (sslscan is available from EPEL via yum)
> 
> 
> On the browser side, it appears that the later Firefox requires
> TLSv1 by default, which breaks a few sites (including the BCnet
> conference registration one). I had that set already based on some
> previous reading.
> See
> http://www.ryananddebi.com/2014/12/10/bypassing-the-ssl_error_no_cypher_overlap-error-in-firefox-34/
> 
> 
> 
> see also:
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite
>  - Apache documentation
> https://cabforum.org/baseline-requirements-documents/
>  - requirements for CAs and certificates, e.g. not issuing
> SHA1-based certs too far into the future
> 
> -- 
> Andrew Daviel, TRIUMF, Canada
> Tel. +1 (604) 222-7376  (Pacific Time)
> Network Security Manager

-- 
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada
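
Added example, not part of the original message: a simplified Python model of how OpenSSL evaluates the SSLCipherSuite strings compared in this thread, showing which weak ciphers each string still permits. The cipher table is a constructed subset of an OpenSSL 1.0.1-era build in an assumed default order; `openssl ciphers -v` gives the real list on a given host.

```python
# Added example: simplified model of OpenSSL cipher-string evaluation.
# CIPHERS is a constructed subset of an OpenSSL 1.0.1-era table in an assumed
# default preference order; run `openssl ciphers -v` for the real list.
CIPHERS = {
    "ECDHE-RSA-AES128-GCM-SHA256": "HIGH ECDH aRSA AES AESGCM TLSv1.2",
    "DHE-RSA-AES256-SHA": "HIGH DH EDH aRSA AES SHA1 SSLv3",
    "AES128-SHA": "HIGH RSA aRSA AES SHA1 SSLv3",
    "ADH-AES128-SHA": "HIGH DH ADH aNULL AES SHA1 SSLv3",
    "RC4-SHA": "MEDIUM RSA aRSA RC4 SHA1 SSLv3",
    "RC4-MD5": "MEDIUM RSA aRSA RC4 MD5 SSLv3",
    "DES-CBC-SHA": "LOW RSA aRSA DES SHA1 SSLv3",
    "EXP-RC4-MD5": "EXPORT EXP EXPORT40 RSA aRSA RC4 MD5 SSLv3",
    "NULL-SHA": "eNULL NULL RSA aRSA SHA1 SSLv3",
}
TAGS = {name: set(tags.split()) | {name} for name, tags in CIPHERS.items()}
WEAK = {"RC4", "DES", "MD5", "EXPORT", "aNULL", "eNULL"}  # classes to flag


def expand(spec):
    """Evaluate a cipher string: bare=add, '!'=kill, '-'=delete, '+'=move to end."""
    active, killed = [], set()
    for tok in spec.split(":"):
        op = tok[0] if tok[:1] in ("!", "-", "+") else ""
        want = set(tok[len(op):].split("+"))  # "RC4+RSA" means RC4 AND RSA
        hits = [n for n in CIPHERS if want <= TAGS[n]
                or (want == {"ALL"} and "eNULL" not in TAGS[n])]
        if op == "!":
            killed.update(hits)  # permanent: a later ALL cannot re-add these
        if op in ("!", "-"):
            active = [n for n in active if n not in hits]
        elif op == "+":  # reorders only, never enables a cipher
            active = [n for n in active if n not in hits] + \
                     [n for n in active if n in hits]
        else:
            active += [n for n in hits if n not in active and n not in killed]
    return active


def weak(spec):
    """Ciphers the spec still permits that belong to a flagged class."""
    return [n for n in expand(spec) if TAGS[n] & WEAK]


if __name__ == "__main__":
    for spec in ("ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW",  # (1)
                 "HIGH:MEDIUM:!aNULL:!MD5",                             # (3)-(6)
                 "HIGH:!aNULL:!MD5",                                    # (8)-(9)
                 "!aNULL:!eNULL:!EXPORT:!DSS:!DES:!MD5:!SHA1:ALL"):
        print(spec, "->", expand(spec), "| weak:", weak(spec))
```

In this model the SL6 default (1) still permits RC4 and single-DES suites, the newer default (3)-(6) still permits RC4-SHA through MEDIUM, and the "!SHA1" string leaves only the TLSv1.2 GCM suite.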

