[Triumf-linux-users] [Triumf-linux-managers] SSLv3 and the POODLE vulnerability - server patching
Konstantin Olchanski
olchansk at triumf.ca
Fri Mar 20 10:50:14 PDT 2015
> >
> >>SSLProtocol all -SSLv2 -SSLv3
> >>SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> >
I sense lack of consensus on "good" values of "SSLCipherSuite".
I looked a bit into its history:
the above settings are the defaults shipped by (note: this default is missing "-SSLv3" in SSLProtocol)
1) SL6.6 mod_ssl-2.2.15-39.sl6.x86_64
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
2) vanilla httpd version 2.2.15 has:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
3) vanilla httpd version 2.2.29 (latest) has:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
4) vanilla httpd version 2.4.12 (latest) has:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
5) vanilla httpd trunk has:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on
6) SL7 mod_ssl-2.4.6-31.sl7.x86_64 has:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on
http://svn.apache.org/viewvc/httpd/httpd/tags/2.2.29/docs/conf/extra/httpd-ssl.conf.in?revision=1619850&view=markup
http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in?revision=1634736&view=markup
Vanilla httpd documentation has:
7) version 2.2 (shipped with SL6.6) http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP
SSLCipherSuite HIGH:MEDIUM
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
8) version 2.4 (shipped with SL7) http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html
SSLCipherSuite HIGH:!aNULL:!MD5
SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5 with SSLHonorCipherOrder on
SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
9) trunk http://httpd.apache.org/docs/trunk/ssl/ssl_howto.html
SSLCipherSuite HIGH:!aNULL:!MD5
SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5 with SSLHonorCipherOrder on
SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
Note how httpd mod_ssl documentation does not directly address or discuss
the issues of RC4 weaknesses, forward secrecy and browser compatibility.
Also note how documentation is not 100% consistent with the example ssl.conf files.
I guess for those running SL6 there are 3 choices:
a) stay with SL6 defaults, see (1)
b) switch to vanilla httpd latest defaults, see (2-6)
c) switch to ssl_howto settings, see (8-9)
K.O.
Kept for reference -
> >So SSLProtocol looks okay, but SSLCipherSuite I believe needs to be changed,
> >what should it say per latest recommendations?
>
> Per http://www.g-loaded.eu/2011/09/27/mod_gnutls-rc4-cipher-beast/
> I have been using
> SSLHonorCipherOrder on
> SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL
> but that's 3 years old now.
> Chrome is saying that is "obsolete cryptography" on SL5, even with
> MD5 removed. (though the ordering would force SHA to be used if
> supported by the browser)
> See http://www.chromium.org/Home/chromium-security/education/tls
>
> - some investigation reveals that dropping SSLHonorCipherOrder in
> that recipe allows Chrome, somehow, to select a more secure cipher.
> If I try
> SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:!MD5:!SHA1:ALL
> on CentOS6
> that works on Chrome and says "modern crypto", but Firefox on SL5
> can't find a common cipher.
>
>
> A more recent page
> http://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
> suggests
> SSLHonorCipherOrder on
> SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
>
> that seems to work on CentOS 6 both for Firefox on SL5 and Chrome
> (with "modern crypto").
>
> Not all those ciphers are supported by openssl on SL5, although the
> server will still run as long as at least one cipher is found.
> Supported ciphers may be found with "openssl ciphers -v"
>
> The following subset may give the same functionality on SL5:
> SSLCipherSuite DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
>
>
> There is a nice server testing tool at:
> https://www.ssllabs.com/ssltest/analyze.html
>
>
> (sslscan is available from EPEL via yum)
>
>
> On the browser side, it appears that the later Firefox requires
> TLSv1 by default, which breaks a few sites (including the BCnet
> conference registration one). I had that set already based on some
> previous reading.
> See
> http://www.ryananddebi.com/2014/12/10/bypassing-the-ssl_error_no_cypher_overlap-error-in-firefox-34/
>
>
>
> see also:
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite
> - Apache documentation
> https://cabforum.org/baseline-requirements-documents/
> - requirements for CAs and certificates, e.g. not issuing
> SHA1-based certs too far into the future
>
> --
> Andrew Daviel, TRIUMF, Canada
> Tel. +1 (604) 222-7376 (Pacific Time)
> Network Security Manager
--
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada
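
Added example, not part of the original messages: the thread compares SSLCipherSuite strings by eye and points to "openssl ciphers -v" for the expansion, so this helper summarises that output (total, first-preference cipher, forward-secret, RC4, export, anonymous, NULL and MD5 counts). The names audit_ciphers and sample_lines are hypothetical, and the sample lines are constructed in the OpenSSL 1.0.x output format rather than taken from a real host.

```shell
#!/bin/sh
# Added example (not from the thread). Summarise `openssl ciphers -v` output so
# candidate SSLCipherSuite strings can be compared on the host that serves them:
#   openssl ciphers -v 'HIGH:MEDIUM:!aNULL:!MD5' | audit_ciphers

audit_ciphers() {
    awk '
    NF >= 6 {
        total++
        if (total == 1) first = $1   # offered first when SSLHonorCipherOrder is on
        kx = au = enc = mac = ""; is_export = 0
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^Kx=/)  kx  = substr($i, 4)
            if ($i ~ /^Au=/)  au  = substr($i, 4)
            if ($i ~ /^Enc=/) enc = substr($i, 5)
            if ($i ~ /^Mac=/) mac = substr($i, 5)
            if ($i == "export") is_export = 1
        }
        # Forward secrecy: ephemeral DH/ECDH with an authenticated peer.
        # Static "DH/RSA" or "ECDH/RSA" and export "DH(512)" do not match.
        if ((kx == "DH" || kx == "ECDH" || kx == "any") && au != "None") fs++
        if (enc ~ /^RC4/)  rc4++
        if (is_export)     ex++
        if (au == "None")  anon++     # ADH/AECDH: no server authentication
        if (enc == "None") null++     # eNULL: integrity only, no encryption
        if (mac == "MD5")  md5++
    }
    END {
        printf "total=%d first=%s fs=%d rc4=%d export=%d anon=%d null=%d md5=%d\n",
               total, first, fs, rc4, ex, anon, null, md5
    }'
}

# Constructed sample lines (hand-written, not the expansion of any real string).
sample_lines() {
cat <<'EOF'
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
EOF
}

sample_lines | audit_ciphers
```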