The default setting for mod_ssl (for use in httpd) is:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
This isn't a great default (for many reasons). I'd like to propose we provide the default cipher suites as defined by Mozilla[0] in the configuration file with the Intermediate compatibility cipher suite uncommented:
<quote>
#This is the modern cipher suite that provides a higher level of security and is compatible with the latest browsers.
#SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
#This is the intermediate cipher suite that provides good security and compatibility with many browsers.
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
#This is the old, backward compatibility cipher suite that works with clients back to Windows XP/IE6. This should only be used as a last resort.
#SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
</quote>
By providing these recommended ciphers in the config file we provide the admin with a very good starting point with an easy way to move between configurations or change to something completely different.
[0] https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
-- Eric
--------------------------------------------------
Eric "Sparks" Christensen
Fedora Project
sparks@fedoraproject.org - sparks@redhat.com
097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
--------------------------------------------------
----- Original Message -----
The default setting for mod_ssl (for use in httpd) is:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
This isn't a great default (for many reasons). I'd like to propose we provide the default cipher suites as defined by Mozilla[0] in the configuration file with the Intermediate compatibility cipher suite uncommented:
<quote>
#This is the modern cipher suite that provides a higher level of security and is compatible with the latest browsers.
#SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
<snip more endless unmaintainable strings>
I think we should try very hard to never end up with such a string inside a modified, admin-maintained, config file; we won’t be able to reasonably update it if the trade-offs and recommendations change.
In particular, per https://fedoraproject.org/wiki/Changes/CryptoPolicy and https://bugzilla.redhat.com/show_bug.cgi?id=1109119 we should already be using a sane default (though perhaps not precisely the one you are recommending).
Can what you want to do be done using the CryptoPolicy mechanism? (And should it be the default?)
Mirek
On Thu, Dec 04, 2014 at 11:31:04AM -0500, Miloslav Trmač wrote:
----- Original Message -----
The default setting for mod_ssl (for use in httpd) is:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
This isn't a great default (for many reasons). I'd like to propose we provide the default cipher suites as defined by Mozilla[0] in the configuration file with the Intermediate compatibility cipher suite uncommented:
<quote>
#This is the modern cipher suite that provides a higher level of security and is compatible with the latest browsers.
#SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
<removing unhelpful and unuseful input>
Can what you want to do be done using the CryptoPolicy mechanism? (And should it be the default?)
Yes, and thank you for reminding me of this new, upcoming feature.
There will always be a default and that default should be something sane that both provides protection and compatibility. The current default leaves something to be desired with respect to security. Using the recommendations provided by Mozilla you get both in a balanced way. I could see the three recommended cipher suite lists being used as low, default, and high security ratings within the CryptoPolicy.
-- Eric
--------------------------------------------------
Eric "Sparks" Christensen
Red Hat, Inc - Product Security
sparks@redhat.com - sparks@fedoraproject.org
097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
--------------------------------------------------
On Thu, Dec 4, 2014 at 11:53 AM, Eric H. Christensen <sparks@fedoraproject.org> wrote:
There will always be a default and that default should be something sane that both provides protection and compatibility. The current default leaves something to be desired with respect to security. Using the recommendations provided by Mozilla you get both in a balanced way. I could see the three recommended cipher suite lists being used as low, default, and high security ratings within the CryptoPolicy.
I'm not a fan of specifying individual cipher suites.
OpenSSL accepts a wide variety of formats in regards to setting the cipher preference. Specifying individual components such as the digest or algorithm is cleaner in my opinion.
The following is from Qualys, "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4".
This provides a close equivalent to the Mozilla "modern" recommendation. Adjustments to this preference for older browsers would require adjustments permitting the use of weak algorithms (RC4 and 3DES) and older message digests (SHA-1).
Brandon Vincent
On Thursday 04 December 2014 14:07:52 Brandon Vincent wrote:
On Thu, Dec 4, 2014 at 11:53 AM, Eric H. Christensen <sparks@fedoraproject.org> wrote:
There will always be a default and that default should be something sane that both provides protection and compatibility. The current default leaves something to be desired with respect to security. Using the recommendations provided by Mozilla you get both in a balanced way. I could see the three recommended cipher suite lists being used as low, default, and high security ratings within the CryptoPolicy.
I'm not a fan of specifying individual cipher suites.
OpenSSL accepts a wide variety of formats in regards to setting the cipher preference. Specifying individual components such as the digest or algorithm is cleaner in my opinion.
It just looks cleaner, but actually isn't.
We already had this kind of problem: old apache config file specified !ADH to disable the anonymous cipher suites. Now, what happens when you update openssl to support also ECDHE, which brings AECDH with it? You guessed it: apache now will happily negotiate anonymous cipher suites!
With a static list of ciphers there's no chance you'll get a surprise after updating components (because the order changed or new ciphers were added).
At the same time, you should check (and update as needed) your TLS server configs at least every time you change your certificates anyway.
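Added example (not part of the original thread): a check for the surprise described in the message above, where a string such as `HIGH:MEDIUM:!ADH` starts matching AECDH suites after an OpenSSL update. It audits `openssl ciphers -v` output for `Au=None` and other weak properties; the sample expansion is constructed and the function names are this example's own.

```python
import subprocess

# Constructed sample in `openssl ciphers -v` format: what "HIGH:MEDIUM:!ADH"
# could expand to on a build that has gained ECDH support (not real output).
SAMPLE_EXPANSION = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(256) Mac=AEAD
AECDH-AES256-SHA            SSLv3   Kx=ECDH Au=None Enc=AES(256)    Mac=SHA1
DHE-RSA-AES128-SHA          SSLv3   Kx=DH   Au=RSA  Enc=AES(128)    Mac=SHA1
AECDH-RC4-SHA               SSLv3   Kx=ECDH Au=None Enc=RC4(128)    Mac=SHA1
"""

def expand(cipher_string, openssl="openssl"):
    """Ask the local OpenSSL what a cipher string expands to on this build."""
    return subprocess.run([openssl, "ciphers", "-v", cipher_string],
                          check=True, capture_output=True, text=True).stdout

def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` lines into dicts (name, protocol, Kx, Au, Enc, Mac)."""
    suites = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2:
            continue
        suite = {"name": tokens[0], "protocol": tokens[1],
                 "export": "export" in tokens[2:]}
        for tok in tokens[2:]:
            key, sep, value = tok.partition("=")
            if sep:
                suite[key] = value
        suites.append(suite)
    return suites

def audit(suites):
    """Return (suite name, reason) for every suite a server should not offer."""
    findings = []
    for s in suites:
        checks = [
            (s.get("Au") == "None", "anonymous: no server authentication"),
            (s.get("Enc", "").startswith("RC4"), "RC4"),
            (s.get("Enc") == "None", "no encryption"),
            (s.get("Mac") == "MD5", "MD5 MAC"),
            (s["export"], "export grade"),
        ]
        findings += [(s["name"], why) for bad, why in checks if bad]
    return findings

if __name__ == "__main__":
    for name, reason in audit(parse_ciphers_v(SAMPLE_EXPANSION)):
        print(f"{name}: {reason}")
```

Running `audit(parse_ciphers_v(expand("HIGH:MEDIUM:!aNULL:!MD5")))` after each OpenSSL or httpd update shows what the configured string matches on that particular build.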
On Thursday 04 December 2014 10:56:54 Eric H. Christensen wrote:
The default setting for mod_ssl (for use in httpd) is:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
This isn't a great default (for many reasons).
I'd say that making sure that SSLCipherSuite DEFAULT is secure would be better.
I've posted a suggestion to the openssl-dev list to change ordering and ciphers present in DEFAULT (as well as in HIGH, MEDIUM, LOW) - the only voices against were about removing RC4 ciphers from both DEFAULT and MEDIUM but given that we soon will have an RFC that disallows RC4 that should be a bit easier to push through (also, the RC4 use has fallen quite a bit since that time).
Unfortunately I don't have the time to work on code changes that this requires.
For now the CryptoPolicy is better.