logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Enable specific ciphers
Author
Shrinidhi0409



Joined: 24 Sep 2021
Posts: 18
Location: India

PostPosted: Tue 24 May '22 11:19    Post subject: Enable specific ciphers Reply with quote

Our java application is running smoothly on RHEL 8.5 OS platform. To improve the security, I want enable only few ciphers and need to block others.

CIPHERS TO BE ENABLED:

ChaCha20-Poly1305, AES-GCM, AES-CCM with key exchange of ECDHE, DHE, RSA.

NOTE : And all other ciphers are prohibited.

I have made the below changes in "ssl.conf" file.

SSLProtocol -ALL +TLSv1.2
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

But when I try to check the ciphers from server by using the "openssl s_client -connect <localhost>:443 -tls1_2", I can able to see only one cipher.

Please find the below snippet,

SSL-session:
Protocol:TLSv1.2
Cipher:ECDHE-ECDSA-CHACHA20-POLY1305

Can you please let us know about below queries,

1) Whether the above command (SSLCipherSuite) is correct or not?. If not please let me know the correct procedure. If it is correct, why other ciphers are not displayed?
2) Please let me know the command to verify the enabled ciphers in RHEL 8.5 server.
3) How to block other Ciphers other than the mentioned above?

Can you suggest the possible solutions ASAP

Regards,
Shrinidhi
Back to top
tangent
Moderator


Joined: 16 Aug 2020
Posts: 346
Location: UK

PostPosted: Wed 25 May '22 16:08    Post subject: Reply with quote

When it connects, the s_client command shows the cipher suite used to achieve the connection. It won't list all the ciphers supported by the server. Moreover, if you don't specify "SSLHonorCipherOrder on" in your Apache configuration, the client's preferred cipher is chosen rather than the server's. You probably want the server in control.

In your SSLCipherSuite list, you've included ciphers with ECDSA authentication. ECDSA is an elliptic curve implementation of DSA, and since DSA keys are much shorter than RSA, I guess your client is choosing the ECDSA cipher over the RSA variant.

If you want to confirm your required list of ciphers is available, then simply add each required cipher to the openssl s_client command, and retest, e.g.
Code:
openssl s_client -connect HOST:PORT -cipher ECDHE-RSA-CHACHA20-POLY1305

Equally, you can use the -sigalgs option to check a connection using a required algorithm, e.g.
Code:
openssl s_client -connect HOST:PORT -sigalgs "ECDSA+SHA256"

Although it's a few years old now, the following site has a good write up explaining ciphers, algorithms and connection negotiation - https://www.thesslstore.com/blog/cipher-suites-algorithms-security-settings

This site may also be helpful - https://node-security.com/posts/openssl-testing-signature-algorithm
Back to top
Shrinidhi0409



Joined: 24 Sep 2021
Posts: 18
Location: India

PostPosted: Wed 01 Jun '22 12:05    Post subject: Reply with quote

Hi,
Thank you for the response.I used below commands to check the enabled ciphers. please find the same and their respective result.

Command 1: nmap -sV --script ssl-enum-ciphers -p 8443 <IP_Address>
Result 1:Starting Nmap 7.70 ( https://nmap.org ) at 2022-05-31 14:25 IST
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for xxxxx (XX.XXX.XX.XXX)
Host is up (0.000066s latency).PORT STATE SERVICE VERSION
8443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| compressors:
| NULL
| cipher preference: indeterminate
| cipher preference error: Too few ciphers supported
|_ least strength: AService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.72 seconds
Please find your command and the result,

Command 2: openssl s_client -connect HOST:PORT -cipher ECDHE-RSA-CHACHA20-POLY1305
Result 2:CONNECTED(00000003)
140416325527360:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1544:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 229 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
-----------------------------------------Please let me know why "CHACHA20-POLY1305" was not included in the "Result 1". Also the command 2 got failed.
And I tried to add "AES-CCM". But it is also not included in that list.Please let me know the workaround solution to enable only "AES-GCM, AES-CCM, CHACHA20-POLY1305".
Back to top
tangent
Moderator


Joined: 16 Aug 2020
Posts: 346
Location: UK

PostPosted: Fri 03 Jun '22 20:45    Post subject: Reply with quote

Curious; your nmap command output lists just the one cipher (an RSA one), although your original SSLCipherSuite config lists two RSA and two ECDSA ciphers.

You cannot use ECDSA ciphers if you don't present an ECDSA certificate, so my guess is your site certificate is based on an RSA algorithm. On that basis, Apache isn't able to offer the ECDSA based ciphers you've asked for.

There are a few posts on the net about configuring Apache with both RSA and ECDSA certificates, but it's not something I've any experience with, nor whether there's some magic that can be used to support both.

Are you not able to choose either RSA or ECDSA, rather than both?
Back to top


Reply to topic   Topic: Enable specific ciphers View previous topic :: View next topic
Post new topic   Forum Index -> Apache