Apache Lounge

[Solved] Excluding Elliptic Curves

Jan-E



Joined: 09 Mar 2012
Posts: 785
Location: Amsterdam, NL, EU

Posted: Mon 04 Sep '17 10:36    Post subject: [Solved] Excluding Elliptic Curves

I am looking for a way to exclude a lot of elliptic curves from being exposed by Apache. Take a look at


tst.sessionportal.net has the needed ciphers to be compliant with PCI DSS, HIPAA and NIST, but is exposing too many Elliptic Curves

www.sessionportal.net has the same ciphers, but exposes only secp384r1. I did this by recompiling mod_ssl.so with only these lines, starting at line 1286 of ssl_engine_init.c

Code:
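#ifdef HAVE_ECC
    /* Offer secp384r1 only. Keep the key in eckey so it is freed below:
     * SSL_CTX_set_tmp_ecdh() does not take ownership of it. */
    eckey = EC_KEY_new_by_curve_name(NID_secp384r1);
    SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey);
    /* OpenSSL assures us that _free() is NULL-safe */
    EC_KEY_free(eckey);
    EC_GROUP_free(ecparams);
#endif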

It does not feel good to have to patch mod_ssl to be compliant with PCI DSS, HIPAA and NIST.

Is there a config-option that I am missing? Or a setting while generating the certificate? Remember: keeping the selected ciphers is required, but these curves should not be there:

Code:
sect193r1 (193 bits) Non-compliant with HIPAA guidance
sect193r2 (193 bits) Non-compliant with HIPAA guidance
secp192k1 (192 bits) Non-compliant with HIPAA guidance
P-192 (prime192v1) (192 bits) Non-compliant with HIPAA guidance
K-163 (sect163k1) (163 bits) Non-compliant with HIPAA guidance
sect163r1 (162 bits) Non-compliant with HIPAA guidance
B-163 (sect163r2) (163 bits) Non-compliant with HIPAA guidance
secp160k1 (161 bits) Non-compliant with HIPAA guidance
secp160r1 (161 bits) Non-compliant with HIPAA guidance
secp160r2 (161 bits) Non-compliant with HIPAA guidance


Last edited by Jan-E on Tue 05 Sep '17 12:29; edited 1 time in total
Jan-E



Joined: 09 Mar 2012
Posts: 785
Location: Amsterdam, NL, EU

Posted: Tue 05 Sep '17 12:28

To answer my own question: Yes, I was missing a config option.
Code:

SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1:sect283k1:sect283r1:secp256k1:prime256v1:sect239k1:sect233k1:sect233r1:secp224k1:secp224r1

Note: this should be a one-liner.
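
A config check for the directive in the answer above, added here as an example and not part of the original posts: it extracts each `SSLOpenSSLConfCmd Curves` list, including one wrapped with a backslash continuation, and reports curves below a size floor. The 224-bit floor, the function names and the sample config are assumptions; sizes are read from the digits in the curve name.

```python
import re

# Assumption: floor inferred from the thread (every flagged curve is 193 bits
# or less, every curve kept in the answer is 224 bits or more).
MIN_BITS = 224

# Constructed sample: one list wrapped with a backslash continuation, one
# commented-out directive, one list that still contains weak curves.
SAMPLE_CONF = """\
<VirtualHost *:443>
    SSLOpenSSLConfCmd Curves secp521r1:secp384r1:\\
prime256v1:secp224r1
</VirtualHost>
<VirtualHost *:8443>
    # SSLOpenSSLConfCmd Curves secp160r1
    SSLOpenSSLConfCmd Curves P-384:secp192k1:sect163k1
</VirtualHost>
"""

def logical_lines(text):
    """Join backslash-continued lines as httpd does and skip comment lines."""
    buf = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        line, buf = (buf + raw).strip(), ""
        if line and not line.startswith("#"):
            yield line

def curve_bits(name):
    """Nominal size from the digits in the name (sect163r1 -> 163), else None."""
    m = re.search(r"\d{3}", name)
    return int(m.group()) if m else None

def audit_curves(conf_text, min_bits=MIN_BITS):
    """Return (curve, bits) for each configured curve below min_bits or unparsable."""
    findings = []
    for line in logical_lines(conf_text):
        m = re.match(r"SSLOpenSSLConfCmd\s+Curves\s+(\S+)$", line, re.I)
        for curve in (m.group(1).strip('"').split(":") if m else []):
            bits = curve_bits(curve)
            if bits is None or bits < min_bits:
                findings.append((curve, bits))
    return findings

if __name__ == "__main__":
    for curve, bits in audit_curves(SAMPLE_CONF):
        print(f"below {MIN_BITS} bits or unknown: {curve} ({bits})")
```

An empty result only says the configured list is clean; what the server actually negotiates still has to be confirmed with an external scan like the one in the question.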
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6225
Location: Germany, Next to Hamburg

Posted: Tue 31 Oct '17 18:45

Isn't using SSLCipherSuite enough to use the ciphers that you need? I just would like to know. Getting smarter every day ;)