Enhancement #460: SSL/TLS: check ciphers
Status: closed (100% done)
Description
- NULL,EXPORT,LOW,3DES,aNULL must be disabled
- RC4 must be disabled
- SSLv2,SSLv3 must be disabled
- TLSv1.1,TLSv1.2 must be enabled
- PFS must be enabled
- SSL Compression must be disabled
- Postgresql (default conf used): HIGH:MEDIUM:+3DES:!aNULL
- Apache: RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW
- References
- https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher
- https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
- http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
- https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
- https://github.com/ioerror/duraconf
- Tools:
Updated by Pierre-Louis Bonicoli over 8 years ago
Proposition:
openssl ciphers 'TLSv1.2:!eNULL:!aNULL:!MD5:!DSS:!3DES:!EXP:!LOW:!MEDIUM:-ECDH:EECDH:-DH:EDH:!AES256-GCM-SHA384:!AES256-SHA256:!AES128-GCM-SHA256:!AES128-SHA256:@STRENGTH'
Updated by Marc Dequènes over 8 years ago
- Status changed from New to In Progress
- Priority changed from Normal to High
Updated by Pierre-Louis Bonicoli over 8 years ago
- % Done changed from 0 to 50
Configuration of Postgresql (orfeo) and Apache (thorfinn, toushirou) updated.
As stated in #454, Bip and minbif must be patched.
Updated by Marc Dequènes over 6 years ago
- Security set to Yes
While working on HTTP2 support I absolutely needed a more up-to-date cipher list, see #516. Still I would like a full-team review of these settings.
Here is the cipher list I found working for HTTP2 (it seems PSK and maybe other ciphers are a no-go just by being present in the accepted list):
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
Also I added these parameters on Elwing and we should review them, complement them if needed, and propagate on all web hosts:
SSLHonorCipherOrder on
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCompression off
SSLSessionTickets Off
We could update /etc/apache2/mods-enabled/ssl.conf via Ansible (even if Apache is not yet managed).
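An audit script, added here as an example (not from this issue or the project's Ansible code), that expands a cipher string with Python's OpenSSL-backed ssl module and reports which negotiated suites break the requirements in the description (NULL, EXPORT/LOW, 3DES, aNULL and RC4 disabled, PFS required) plus the MD5 exclusion both proposed lists use. It assumes Python 3.6+ built against OpenSSL; the rule table and the sample cipher string in the main block are constructed from this issue's own text.

```python
import re
import ssl

# One line of `openssl ciphers -v` output, as exposed in the "description"
# field of the dicts returned by SSLContext.get_ciphers().
_DESC = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

# Key exchanges that give forward secrecy: ephemeral (EC)DH, plus "any",
# which OpenSSL prints for TLS 1.3 suites (always ephemeral).
PFS_KX = {"ECDH", "DH", "any"}


def violations(cipher):
    """Return the issue requirements one get_ciphers() entry breaks ([] if clean).

    Rule table constructed from the issue description; MD5 comes from the
    proposed cipher lists in the comments.
    """
    m = _DESC.match(cipher["description"])
    if not m:
        return ["unparseable description"]
    kx, au, enc, mac = m.group("kx", "au", "enc", "mac")
    problems = []
    if enc == "None":
        problems.append("NULL encryption (eNULL)")
    if au == "None":
        problems.append("anonymous key exchange (aNULL)")
    if enc.startswith("RC4"):
        problems.append("RC4")
    if enc.startswith("3DES"):
        problems.append("3DES")
    if cipher["strength_bits"] < 128:  # LOW and EXPORT grades
        problems.append("LOW/EXPORT strength (%d bits)" % cipher["strength_bits"])
    if mac == "MD5":
        problems.append("MD5 MAC")
    if kx not in PFS_KX:
        problems.append("no PFS (Kx=%s)" % kx)
    return problems


def audit(cipher_string):
    """Expand cipher_string with the local OpenSSL; map offending suite -> problems."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return {c["name"]: violations(c) for c in ctx.get_ciphers() if violations(c)}


if __name__ == "__main__":
    # Apache default from the description: static RSA key exchange, so no PFS.
    for name, bad in audit("RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW").items():
        print(name, "->", ", ".join(bad))
```

Run it against the SSLCipherSuite value above to confirm it expands to an empty report on the host's OpenSSL, since what `kEDH+AESGCM` matches depends on the library version.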
Updated by Marc Dequènes over 6 years ago
- % Done changed from 50 to 90
Ansibilized.
If there is no objection I will then close this bug and of course we'll reevaluate from time to time.
Updated by Marc Dequènes over 6 years ago
- Status changed from In Progress to Resolved
- % Done changed from 90 to 100