[Triumf-linux-managers] FYI - BEAST attack mitigation in SSL
Andrew Daviel
advax at triumf.ca
Thu Oct 13 16:31:14 PDT 2011
FYI
Per e.g. http://www.ekoparty.org/2011/juliano-rizzo.php, there is a
vulnerability in block-chained ciphers in SSL.
Per http://www.phonefactor.com/blog/slaying-beast-mitigating-the-latest-ssltls-vulnerability.php
one can modify the Apache mod_ssl configuration (usually in
/etc/httpd/conf.d/ssl.conf, or per-virtual-host) to mitigate this.
Suggested entries are:
SSLHonorCipherOrder on
SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL
SSLProtocol all -SSLv2
Note that SSLHonorCipherOrder is not supported in Apache http prior to
version 2.2 (so comment it out)
Older servers may support SSLv2 and export-grade ciphers. These are not
required since 2000 when the US relaxed export regulations on commodity
crypto software (except to "terrorist countries" like Cuba and Iran who I
don't imagine have much trouble getting a recent Firefox).
FYI, there is an online tester at Qualys at https://www.ssllabs.com/ssldb/index.html
which will check server issues. I also have a Perl script which will
check the server preferred order. The standard tool "sslscan" (from yum)
will enumerate all supported ciphers and protocols and give details of
the server certificate.
- I don't think this is a significant vulnerability for us. It's more a
question of "optics" in view of the Qualys scanner that can be used by
anyone to test other people's servers, and it's a quick fix to patch
server configs.
- FYI, presentation at BlackHat conference on internet-wide SSL support:
http://blog.ivanristic.com/2010/07/internet-ssl-survey-2010-is-here.html
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
More information about the Triumf-linux-managers
mailing list