Enhancement #460: SSL/TLS: check ciphers - DuckCorp Infrastructure - DuckCorp Projects

Custom queries

CHECK: Hold Work
CHECK: Not Us
CHECK: Unassigned
TODO: Reviews
TODO: Tasks
VIEW: Issues Map

Actions

Copy link

Enhancement #460

closed

SSL/TLS: check ciphers

Added by Pierre-Louis Bonicoli almost 9 years ago. Updated over 6 years ago.

Status:

Resolved

Priority:

High

Assignee:

DC Admins

Category:

Start date:

2015-07-09

Due date:

% Done:

100%

Estimated time:

Patch Available:

Confirmed:

Branch:

Entity:

DuckCorp

Security:

Yes

Help Needed:

Description

Checks:

NULL,EXPORT,LOW,3DES,aNULL must be disabled
RC4 must be disabled
SSLv2,SSLv3 must be disabled
TLSv1.1,TLSv1.2 must be enabled
PFS must be enabled

SSL Compression must be disabled

Configuration updates needed:

Postgresql (default conf used HIGH:MEDIUM:+3DES:!aNULL)
Apache (RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW)

References
Tools:
- https://github.com/jvehent/tlsnames/blob/master/convert_openssl_to_gnutls.sh

History
Notes
Property changes

Actions

Copy link

Updated by Pierre-Louis Bonicoli almost 9 years ago

Proposition:

openssl ciphers 'TLSv1.2:!eNULL:!aNULL:!MD5:!DSS:!3DES:!EXP:!LOW:!MEDIUM:-ECDH:EECDH:-DH:EDH:!AES256-GCM-SHA384:!AES256-SHA256:!AES128-GCM-SHA256:!AES128-SHA256:@STRENGTH'

Actions

Copy link

Updated by Pierre-Louis Bonicoli almost 9 years ago

Description updated (diff)

Actions

Copy link

Updated by Marc Dequènes almost 9 years ago

Status changed from New to In Progress
Priority changed from Normal to High

Actions

Copy link

Updated by Pierre-Louis Bonicoli over 8 years ago

% Done changed from 0 to 50

Configuration of Postgresql (orfeo) and Apache (thorfinn, toushirou) updated.

As stated in #454, Bip and minbif must be patched.

Actions

Copy link

Updated by Marc Dequènes almost 7 years ago

Assignee set to DC Admins

Actions

Copy link

Updated by Marc Dequènes almost 7 years ago

Security set to Yes

While working on HTTP2 support I absolutely needed a more up-to-date cipher list, see #516. Still I would like a full-team review of these settings.

Here is the cipher list I found working for HTTP2 (seems PSK and maybe other ciphers are a no-go just by being present in the accepted list):

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

Also I added these parameters on Elwing and we should review them, complement them if needed, and propagate on all web hosts:

SSLHonorCipherOrder on
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCompression off
SSLSessionTickets Off

We could update /etc/apache2/mods-enabled/ssl.conf via Ansible (even is Apache is not yet managed).

Actions

Copy link

Updated by Marc Dequènes over 6 years ago

% Done changed from 50 to 90

Ansibilized.

If there is no objection I will then close this bug and of course we'll reevaluate from time to time.

Actions

Copy link

Updated by Marc Dequènes over 6 years ago

Status changed from In Progress to Resolved
% Done changed from 90 to 100

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

DuckCorp » DuckCorp Infrastructure

Custom queries

Enhancement #460

SSL/TLS: check ciphers

Updated by Pierre-Louis Bonicoli almost 9 years ago

Updated by Pierre-Louis Bonicoli almost 9 years ago

Updated by Marc Dequènes almost 9 years ago

Updated by Pierre-Louis Bonicoli over 8 years ago

Updated by Marc Dequènes almost 7 years ago

Updated by Marc Dequènes almost 7 years ago

Updated by Marc Dequènes over 6 years ago

Updated by Marc Dequènes over 6 years ago