Configuring Apache for Forward Secrecy

 
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2581
Location: Hilversum, NL, EU

Posted: Mon 05 Aug '13 14:39    Post subject: Configuring Apache for Forward Secrecy

A very instructive post from Ivan at

https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy


The post contains a recommended configuration for those who wish to deploy the best possible configuration supporting Forward Secrecy and who have a preference for GCM suites (resistant to timing attacks) and RC4 (resistant to BEAST). To achieve best performance, the faster ECDHE suites are used whenever possible.

Steffen
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6255
Location: Germany, Next to Hamburg

Posted: Mon 05 Aug '13 18:36

I miss the
Code:

SSLCompression off


Wink
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2581
Location: Hilversum, NL, EU

Posted: Sun 15 Sep '13 21:46

Ivan has tweaked the suite configuration string to position SHA256 and SHA384 suites (which are TLS 1.2-only) after GCM suites and before RC4 suites.

See the above blog post from Ivan.

Steffen
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2123
Location: Sun Diego, USA

Posted: Mon 16 Sep '13 12:43

Looks like Forward Security is impossible for IE7 & 8 on XP.

It's nice to see this on the test

BEAST attack: No longer rated; considered sufficiently mitigated client-side (more info)

Sufficiently means a few visitors will still be vulnerable (IE6 [who cares], some Apples), so if you again allow the TLS/1.0 CBC cyphers, you will not get hit with a B rating. Qualys themselves are still using RC4, yet (reading comments in various articles there) they may be changing that soon.

So it looks like we can finally drop RC4, which then allows 256 encryption again. Of course, not allowing SSLv3 you've lost support for IE6 altogether, but who cares.

Firefox 23 has TLS/1.1 support supposedly (experimental), but I couldn't get it to connect when I set -TLS/1.0 on the server.
jraute



Joined: 13 Sep 2013
Posts: 187
Location: Rheinland, Germany

Posted: Mon 16 Sep '13 15:29

Thanks for the info and another thing to check.

We use one apache as reverse proxy for multiple sites (exchange, alfresco collaboration system, qlikview server).

Since folks from NSA are messing around we have strengthened our ssl/TLS protocols and found a good configuration solving most of the problems (no weak RC4, but a robust forward secrecy).

Code:
   SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
   SSLHonorCipherOrder On
   SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS


But one thing we didn't get fixed: we could not use an additional 4096-bit DH parameter, although there should be an option of using an SSLDHParametersFile.

After some searching we found that there is a missing patch.
Have a look at

https://issues.apache.org/bugzilla/show_bug.cgi?id=49559

JR

P.S. IE6/XP and IE8/XP are not working with this configuration, but who cares! This configuration gets an A grade at the SSL test lab test (v1.6.7) with 95% protocol support, 80% key exchange (because of the poor 1024 Diffie-Hellman) and 100% cipher strength.


Last edited by jraute on Mon 26 Jan '15 15:37; edited 11 times in total
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6255
Location: Germany, Next to Hamburg

Posted: Wed 18 Sep '13 18:35

With that config + SSLCompression Off the SSL test seems to be very nice + the benefit of 256 bit encryption. Since IE 8-10 / Win 7 still needs TLS 1.0 I can't disable that :-/
jraute



Joined: 13 Sep 2013
Posts: 187
Location: Rheinland, Germany

Posted: Thu 19 Sep '13 9:26

At the moment it is pest or cholera.

TLS 1.0 without the weak RC4 makes a system not mitigate BEAST server-side.
TLS 1.0 with RC4 makes a system use a weak RC4, but mitigates BEAST.
Without TLS 1.0 you lose support for too many browsers which don't support TLS 1.1 or higher.

So what to do?

Hello Browser developers, look at that! Wink
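Added example (not written by any poster in this thread): a small Python audit of the SSLCipherSuite string posted above, showing which suites give forward secrecy and which remain for TLS 1.0 clients, which is the CBC-versus-RC4 trade-off described in the preceding post. The function names `classify` and `audit` are made up for this illustration, and it inspects only explicitly named suites, not OpenSSL keyword expansion.

```python
import re

# SSLCipherSuite value copied from the configuration posted earlier in this thread.
CIPHER_STRING = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS"
)

def classify(suite):
    """Classify one OpenSSL suite name by key exchange, bulk cipher and protocol floor."""
    parts = suite.split("-")
    # Only ephemeral (EC)DH key exchange provides forward secrecy.
    kx = parts[0] if parts[0] in ("ECDHE", "DHE") else "static"
    if "RC4" in parts:
        mode = "RC4"
    elif "GCM" in parts:
        mode = "GCM"
    else:
        mode = "CBC"
    # GCM suites and suites with a SHA256/SHA384 MAC are TLS 1.2-only.
    tls12_only = mode == "GCM" or parts[-1] in ("SHA256", "SHA384")
    return {"suite": suite, "forward_secrecy": kx != "static",
            "kx": kx, "mode": mode, "tls12_only": tls12_only}

def audit(cipher_string):
    """Split a cipher string into explicit suites and !exclusions, then summarise."""
    tokens = [t for t in cipher_string.split(":") if t]
    suites = [classify(t) for t in tokens
              if re.fullmatch(r"[A-Z0-9-]+", t) and "-" in t]
    legacy = [s for s in suites if not s["tls12_only"]]  # usable by TLS 1.0/1.1 clients
    return {
        "exclusions": [t[1:] for t in tokens if t.startswith("!")],
        "all_forward_secret": all(s["forward_secrecy"] for s in suites),
        "rc4_offered": any(s["mode"] == "RC4" for s in suites),
        "first_choice": suites[0]["suite"] if suites else None,
        "tls10_suites": [s["suite"] for s in legacy],
        # CBC under TLS 1.0 is the case the thread calls not mitigated server-side.
        "tls10_cbc_only": bool(legacy) and all(s["mode"] == "CBC" for s in legacy),
    }

if __name__ == "__main__":
    for key, value in audit(CIPHER_STRING).items():
        print(f"{key}: {value}")
```

For the posted string, every suite is forward secret and RC4 is absent, but the only two suites a TLS 1.0 client can negotiate are CBC suites.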
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2581
Location: Hilversum, NL, EU

Posted: Thu 19 Sep '13 9:59

Did you read https://community.qualys.com/blogs/securitylabs/2013/09/10/is-beast-still-a-threat ?

Steffen
jraute



Joined: 13 Sep 2013
Posts: 187
Location: Rheinland, Germany

Posted: Thu 19 Sep '13 11:36

Yes, I did.

That was the reason why I wrote "...pest or cholera...".
And for us it was the reason to disable RC4 and to live with the potential risk of MITM attacks as long as TLS 1.0 has to be enabled for compatibility reasons.

Did I miss an aspect?

Jraute
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6255
Location: Germany, Next to Hamburg

Posted: Thu 19 Sep '13 12:42

From that link you posted, Steffen (epilog):

Quote:

Although I don't believe that the problem is exploitable today, there might be other attack vectors we are not aware of.


Since for most of my sites a man-in-the-middle attack doesn't seem to be an option (they would need my SSL key), using 256-bit AES seems to be better.

The SSL test lab test (https://www.ssllabs.com/ssltest/index.html) gives me an A (http://img3.picload.org/image/olggaio/ssl_test.png)
jraute



Joined: 13 Sep 2013
Posts: 187
Location: Rheinland, Germany

Posted: Fri 04 Oct '13 21:12    Post subject: Patch available

Ok, thanks to all who helped.
The patch is available!

https://people.apache.org/~kbrand/mod_ssl-2.4.x-ekh.diff

This helps to improve "dh-keys" (parameter sets) from 1024 bit up to 4096 bit or more.

And if I got it right, while flying over the blog, it will be included in 2.4.7.

JR