[WEB SECURITY] SSL Server Options - Ciphers

Ralph Durkee rd at rd1.net
Sun Jul 5 03:03:19 EDT 2009

Replies are inline:

Hector wrote:
> Folks,
> For our web server, with a reported customer PCI compliance  
> requirement need along with increasing support questions regarding 
> SSLv3 support only, the issues has made us relook at the web server 
> SSL options.
> My questions is to do with better understood the various SSL (openssl) 
> options to best present them to provide customers the new "best" 
> security setting out of the box.
> Currently,  we provide two GUI options:
>   Cipher:  ALL:!ADH:RC4+RSA:+SSLv3:@STRENGTH  (default)
>   Verify Level:  None  (default)
>                        Peer
>                        Fail if No Peer Certificate
> Although not in the GUI, the operator can manually set the SSL 
> Protocol (version) option in the config file:
>    SSLProtocol = 0 to 3
> where the values are:
> # define SRV_SSL_V23    0  (default)
> # define SRV_SSL_V2     1
> # define SRV_SSL_V3     2
> # define SRV_SSL_TLS1   3
I find these choices a bit odd and disappointing.  TLS is the new name 
for SSL, as it was renamed when Netscape turned it over to be an open 
protocol.  So TLSv1 is slightly newer then SSLv3, so ideally you would 
want to allow both.  Unfortunately I think people seem to assume TLSv1 
is older.  For example most IE browsers still come default with TLSv1 
disabled, because of that you would want to go with SSLv3 allowed, as 
you had recommended.

> So in this case, for the customer who needs PCI compliant, we 
> suggested to use:
>    SSLProtocol=2
> Now, in my internal testing with openssl s_client -ssl2 -connect 
> host:443  and with IE and Firefox by forcing them to [X] Use SSLv2 
> only,   the testing seem to work.  No successful SSL negotiation and 
> connection was made.
> However, in the last report received on Friday from the customer, he 
> indicated the PCI auditor rescan failed with the new server settings.
> So I have been trying to make sense of the ciphers and researching how 
> others have addressed this.
> I guess the issue is the cipher is not correct.  It needs to reduce 
> the ciphers?  Correct?  I am going to have him try other statements.  
> Does anyone have a suggestion for this cipher openssl statement for 
> PCI compliance?
> The next question is about making it easier for customers by having 
> them select the SSL Protocol level which will by default be associated 
> to a predefine set of ciphers  while still allow them to alter it from 
> a default cipher set if required.
> Does that make sense from a security standpoint?   Should I even allow 
> SSLv2 and/or TLSv1?
> Thanks
Yes, in addition to the protocol version the SSL/TLS handshake also 
allows negotiation of the ciphers allowed. You should not allow SSLv2, 
but you also have to specify ciphers allowed.  It's not clear what the 
server will use for the @STRENGTH value, if you can't trace it back, you 
shouldn't include it in the ciphers.  You can also use the openssl 
command to list the allowed ciphers using your  configured string value  
replacing @STRENGTH  with  whatever the actual value is.  If the  
@STRENGTH  is empty, then  your value of  ALL:!ADH:RC4+RSA:+SSLv3: 
allows plenty of weak ciphers.  The cipher configuration of  
ALL:!EXP:!NULL:!ADH:!LOW  is recommended in the CISecurity.org Apache 
benchmark for which I have been both an author and maintainer. Sample 

$ openssl ciphers -v 'ALL:!EXP:!NULL:!ADH:!LOW'
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
KRB5-RC4-MD5            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=MD5
KRB5-DES-CBC3-MD5       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=MD5
KRB5-RC4-SHA            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=SHA1
KRB5-DES-CBC3-SHA       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5

Since the SSLv2 protocol should be disable, which ciphers are allowed 
with SSLv2 should be irrelevant, but if you prefer to be paranoid, like 
I am, you may add a   :!SSLv2 to the cipher configuration string to 
remove them.  something like:

$ openssl ciphers -v 'ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2'

-- Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GPEN
Principal Security Consultant

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn

More information about the websecurity mailing list