Author |
|
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
|
Posted: Wed 11 Dec '13 18:57 Post subject: |
|
|
Did you try it with SSLCertificateFile or with SSLCACertficateFile?
Reading the mod_ssl documentation for 2.4.x it says DH and ECDH parameters are only read from the first SSLCertificateFile directive.
But even this was not working in my tests. |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7294 Location: Germany, Next to Hamburg
|
Posted: Thu 12 Dec '13 12:27 Post subject: |
|
|
You are right! I used the wrong directive
Now with SSLCertificateFile I get at least an error. (removed pid and date so the message is not too long for the forum)
Code: |
[ssl:emerg] AH02241: Init: Unable to read server certificate from file /opt/apache2/conf/certs/dh_4096.pem
[ssl:emerg] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[ssl:emerg] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=X509)
[ssl:emerg] AH02312: Fatal error initialising mod_ssl, exiting.
|
|
|
Back to top |
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Thu 12 Dec '13 12:36 Post subject: |
|
|
It also states very easy to miss, to append your certificate with the DH key, it just must be in the first SSLCertificateFile listed.
http://httpd.apache.org/docs/2.4/ssl/ssl_faq.html
Quote: | To generate custom DH parameters, use the openssl dhparam command. Alternatively, you can append the following standard 1024-bit DH parameters from RFC 2409, section 6.2 to the respective SSLCertificateFile file: |
This clued me in so I did just that with my generated 4096bit DH and Apache started. Did it change my score on SSLLabs test ... not one bit! |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7294 Location: Germany, Next to Hamburg
|
Posted: Thu 12 Dec '13 12:41 Post subject: |
|
|
Gregg your config?
Cause now in short I used
Code: |
SSLEngine on
SSLCertificateFile /opt/apache2/conf/certs/dh_4096.pem
SSLCertificateFile /opt/apache2/conf/certs/ah.de.2013.crt
SSLCertificateKeyFile /opt/apache2/conf/certs/ah.de.2013.key
SSLCertificateChainFile /opt/apache2/conf/certs/sub.class1.server.ca.pem
SSLCACertificateFile /opt/apache2/conf/certs/ca.pem
|
P.S: You are still awake? |
|
Back to top |
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Thu 12 Dec '13 12:58 Post subject: |
|
|
Yes I am still awake for a short time.
Standard old SSL config, just I pasted the DH to the bottom of my StartSSL certificate.
conf/ssl/mysslcertificate.crt
Code: | -----BEGIN CERTIFICATE-----
** a lot of lines of gibberish **
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
** another bunch of lines of gibberish **
-----END DH PARAMETERS----- |
So you would remove from your config
SSLCertificateFile /opt/apache2/conf/certs/dh_4096.pem
Open that file, copy the gibberish and paste it to the bottom of your certificate at
/opt/apache2/conf/certs/ah.de.2013.crt |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7294 Location: Germany, Next to Hamburg
|
Posted: Thu 12 Dec '13 13:26 Post subject: |
|
|
glsmith wrote: |
This clued me in so I did just that with my generated 4096bit DH and Apache started. Did it change my score on SSLLabs test ... not one bit! |
Ok I see I have to go to lunch to refill the energy.
Now with the appended stuff in the cert I also have no change in the SSL test lab result.
@jraute What is the advantage of using DH Key with the same score? |
|
Back to top |
|
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
|
Posted: Thu 12 Dec '13 18:48 Post subject: |
|
|
Well the questions is not always a question of a scoring.
In this special case it was the idea of having self calculated dh-params for a reliable secure initialization of a secure channel. And for that it is a great option to define additional "settings". Maybe you want to have a 4096 bit key with a 8192 bit dh-param file. Therefore you would have to choose a different way than usually.
Besides this, i am not convinced, that copying the dh-param file into the certificate leads to a usage of this dh-params.
Have you checked the initialization phase and the used keys? |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7294 Location: Germany, Next to Hamburg
|
Posted: Thu 12 Dec '13 21:14 Post subject: |
|
|
jraute wrote: |
Besides this, i am not convinced, that copying the dh-param file into the certificate leads to a usage of this dh-params.
|
it was the only way getting apache start at all.
jraute wrote: |
Have you checked the initialization phase and the used keys? |
Nope, I haven't. I don't know how to. So how can I see it? (now in genglish: Don't let me die stupid )
At least I know that the DH should offer a symetric encrytion (IIRC). Which makes it a weakness for man in the middle attacks. |
|
Back to top |
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Thu 12 Dec '13 21:32 Post subject: |
|
|
Initialization phase checked and I see nothing. ssl:trace8
I am convinced this is the way to do it however, if you read the docs for the SSLCertificateFile directive it says the same thing in an indirect way, it even says you can optionally include the private key in the file.
This is much like Mongoose in that you only have one file and you paste the private key under the certificate in the file.
As far as ciphers used:
Code: | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH 256 bits (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH 256 bits (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH 256 bits (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH 256 bits (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH 256 bits (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits RSA) FS 128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 4096 bits (p: 512, g: 1, Ys: 512) FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 4096 bits (p: 512, g: 1, Ys: 512) FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 4096 bits (p: 512, g: 1, Ys: 512) FS 256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) DH 4096 bits (p: 512, g: 1, Ys: 512) FS 256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 4096 bits (p: 512, g: 1, Ys: 512) FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 4096 bits (p: 512, g: 1, Ys: 512) FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 4096 bits (p: 512, g: 1, Ys: 512) FS 128
TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x9a) DH 4096 bits (p: 512, g: 1, Ys: 512) FS 128
**TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45) DH 4096 bits (p: 512, g: 1, Ys: 512) FS 128 |
** want to rid myself of this one
I'm not sure we are going to see anything different since Apache now sends it's own DH if you do not include any DH parameters in your certificate, as seen by my other server where I have not used my own DH and I still get for Java6u45
Client does not support DH parameters > 1024 bits |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7294 Location: Germany, Next to Hamburg
|
Posted: Thu 12 Dec '13 22:55 Post subject: |
|
|
Gregg,
why don't you disable camellia with SSLCipherSuite ... :!DHE_RSA_WITH_CAMELLIA_128_CBC_SHA:... ? You still can use DHE_RSA_WITH_CAMELLIA_256_CBC_SHA |
|
Back to top |
|
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
|
Posted: Fri 13 Dec '13 0:13 Post subject: |
|
|
James Blond wrote: | jraute wrote: |
Besides this, i am not convinced, that copying the dh-param file into the certificate leads to a usage of this dh-params.
|
it was the only way getting apache start at all. |
That was no criticism. I just thought that we don't know for sure what dh-parameter set was used - the built in or the self calculated one.
James Blond wrote: | jraute wrote: |
Have you checked the initialization phase and the used keys? |
Nope, I haven't. I don't know how to. So how can I see it? (now in genglish: Don't let me die stupid )
At least I know that the DH should offer a symetric encrytion (IIRC). Which makes it a weakness for man in the middle attacks. |
I would prefer wireshark to trace the key exchange although i have no experience in doing that.
I know from some other sites that you can load a file with logged master keys into wireshark to decrypt the traced content.
Anyway it would be a hassle to prove which dh-parameter was used to build the master keys.
I suppose this last thing we cannot prove.
Last edited by jraute on Fri 13 Dec '13 15:23; edited 2 times in total |
|
Back to top |
|
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
|
Posted: Fri 13 Dec '13 0:27 Post subject: |
|
|
Hahaha, why so complicated.
It's just too late, sorry.
If i get it right (well, it's later than before ), the test is very easy.
As long as we don't have any self calculated dh-parameters apache creates keys with the same bit size the certificate has.
If we then would attach a self calculated dh-parameter in a smaller bit size it should be visible which dh-parameter is used. |
|
Back to top |
|
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
|
Posted: Fri 13 Dec '13 10:09 Post subject: |
|
|
Ok, test is done.
Attaching a 1024 bit dh-parameter to the certificate file while the rsa key is 4096 bit.
Result: It works! You get 1024 bit dh keys while the rest works in 4096.
So i assume that the other way round would work as well.
But the most important thing - we can use our self calculated dh parameter settings.
Great!
Thanks to all who helped with tests etc. |
|
Back to top |
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Fri 13 Dec '13 11:10 Post subject: |
|
|
James Blond wrote: | Gregg,
why don't you disable camellia with SSLCipherSuite ... :!DHE_RSA_WITH_CAMELLIA_128_CBC_SHA:... ? You still can use DHE_RSA_WITH_CAMELLIA_256_CBC_SHA |
Actually, I don't want any of the Camillia ciphers |
|
Back to top |
|
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
|
Posted: Fri 13 Dec '13 14:01 Post subject: |
|
|
glsmith wrote: | Actually, I don't want any of the Camillia ciphers |
You can disable camellia for all ciphersuites or define the wished ones by type. |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7294 Location: Germany, Next to Hamburg
|
Posted: Fri 13 Dec '13 15:51 Post subject: |
|
|
For ssl debuggin I tried openssl s_client -connect example.com:443 -state -nbio
There was no difference between w/out DH-Key.
Here the diff from the two results
http://pastebin.com/3NSkDsLZ
in both cases the init phase was
Code: |
Loading 'screen' into random state - done
CONNECTED(0000015C)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write R BLOCK
SSL_connect:SSLv3 read server hello A
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediat
verify error:num=20:unable to get local issuer certificate
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:error in SSLv3 read server session ticket A
SSL_connect:error in SSLv3 read server session ticket A
read R BLOCK
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
read R BLOCK
|
|
|
Back to top |
|