Project

General

Profile

Actions

Enhancement #460

closed

SSL/TLS: check ciphers

Added by Pierre-Louis Bonicoli over 8 years ago. Updated over 6 years ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
-
Start date:
2015-07-09
Due date:
% Done:

100%

Estimated time:
Patch Available:
Confirmed:
No
Branch:
Entity:
DuckCorp
Security:
Yes
Help Needed:

Description

Checks:
  • NULL,EXPORT,LOW,3DES,aNULL must be disabled
  • RC4 must be disabled
  • SSLv2,SSLv3 must be disabled
  • TLSv1.1,TLSv1.2 must be enabled
  • PFS must be enabled
  • SSL Compression must be disabled
Configuration updates needed:
  • Postgresql (default conf used HIGH:MEDIUM:+3DES:!aNULL)
  • Apache (RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW)
Actions #1

Updated by Pierre-Louis Bonicoli over 8 years ago

Proposition:

openssl ciphers 'TLSv1.2:!eNULL:!aNULL:!MD5:!DSS:!3DES:!EXP:!LOW:!MEDIUM:-ECDH:EECDH:-DH:EDH:!AES256-GCM-SHA384:!AES256-SHA256:!AES128-GCM-SHA256:!AES128-SHA256:@STRENGTH'

Actions #2

Updated by Pierre-Louis Bonicoli over 8 years ago

  • Description updated (diff)
Actions #3

Updated by Marc Dequènes over 8 years ago

  • Status changed from New to In Progress
  • Priority changed from Normal to High
Actions #4

Updated by Pierre-Louis Bonicoli over 8 years ago

  • % Done changed from 0 to 50

Configuration of Postgresql (orfeo) and Apache (thorfinn, toushirou) updated.

As stated in #454, Bip and minbif must be patched.

Actions #5

Updated by Marc Dequènes almost 7 years ago

  • Assignee set to DC Admins
Actions #6

Updated by Marc Dequènes over 6 years ago

  • Security set to Yes

While working on HTTP2 support I absolutely needed a more up-to-date cipher list, see #516. Still I would like a full-team review of these settings.

Here is the cipher list I found working for HTTP2 (seems PSK and maybe other ciphers are a no-go just by being present in the accepted list):

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

Also I added these parameters on Elwing and we should review them, complement them if needed, and propagate on all web hosts:

SSLHonorCipherOrder on
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCompression off
SSLSessionTickets Off

We could update /etc/apache2/mods-enabled/ssl.conf via Ansible (even is Apache is not yet managed).

Actions #7

Updated by Marc Dequènes over 6 years ago

  • % Done changed from 50 to 90

Ansibilized.

If there is no objection I will then close this bug and of course we'll reevaluate from time to time.

Actions #8

Updated by Marc Dequènes over 6 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 90 to 100
Actions

Also available in: Atom PDF