[WEB SECURITY] SSL Server Options - Ciphers
rd at rd1.net
Sun Jul 5 03:03:19 EDT 2009
Replies are inline:
> For our web server, with a reported customer PCI compliance
> requirement need along with increasing support questions regarding
> SSLv3 support only, the issues has made us relook at the web server
> SSL options.
> My questions is to do with better understood the various SSL (openssl)
> options to best present them to provide customers the new "best"
> security setting out of the box.
> Currently, we provide two GUI options:
> Cipher: ALL:!ADH:RC4+RSA:+SSLv3:@STRENGTH (default)
> Verify Level: None (default)
> Fail if No Peer Certificate
> Although not in the GUI, the operator can manually set the SSL
> Protocol (version) option in the config file:
> SSLProtocol = 0 to 3
> where the values are:
> # define SRV_SSL_V23 0 (default)
> # define SRV_SSL_V2 1
> # define SRV_SSL_V3 2
> # define SRV_SSL_TLS1 3
I find these choices a bit odd and disappointing. TLS is the new name
for SSL, as it was renamed when Netscape turned it over to be an open
protocol. So TLSv1 is slightly newer then SSLv3, so ideally you would
want to allow both. Unfortunately I think people seem to assume TLSv1
is older. For example most IE browsers still come default with TLSv1
disabled, because of that you would want to go with SSLv3 allowed, as
you had recommended.
> So in this case, for the customer who needs PCI compliant, we
> suggested to use:
> Cipher: ALL:!ADH:RC4+RSA:+SSLv3:!SSLv2:!aNULL:!eNULL:!NULL:@STRENGTH
> Now, in my internal testing with openssl s_client -ssl2 -connect
> host:443 and with IE and Firefox by forcing them to [X] Use SSLv2
> only, the testing seem to work. No successful SSL negotiation and
> connection was made.
> However, in the last report received on Friday from the customer, he
> indicated the PCI auditor rescan failed with the new server settings.
> So I have been trying to make sense of the ciphers and researching how
> others have addressed this.
> I guess the issue is the cipher is not correct. It needs to reduce
> the ciphers? Correct? I am going to have him try other statements.
> Does anyone have a suggestion for this cipher openssl statement for
> PCI compliance?
> The next question is about making it easier for customers by having
> them select the SSL Protocol level which will by default be associated
> to a predefine set of ciphers while still allow them to alter it from
> a default cipher set if required.
> Does that make sense from a security standpoint? Should I even allow
> SSLv2 and/or TLSv1?
Yes, in addition to the protocol version the SSL/TLS handshake also
allows negotiation of the ciphers allowed. You should not allow SSLv2,
but you also have to specify ciphers allowed. It's not clear what the
server will use for the @STRENGTH value, if you can't trace it back, you
shouldn't include it in the ciphers. You can also use the openssl
command to list the allowed ciphers using your configured string value
replacing @STRENGTH with whatever the actual value is. If the
@STRENGTH is empty, then your value of ALL:!ADH:RC4+RSA:+SSLv3:
allows plenty of weak ciphers. The cipher configuration of
ALL:!EXP:!NULL:!ADH:!LOW is recommended in the CISecurity.org Apache
benchmark for which I have been both an author and maintainer. Sample
$ openssl ciphers -v 'ALL:!EXP:!NULL:!ADH:!LOW'
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=MD5
KRB5-DES-CBC3-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=MD5
KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1
KRB5-DES-CBC3-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
Since the SSLv2 protocol should be disable, which ciphers are allowed
with SSLv2 should be irrelevant, but if you prefer to be paranoid, like
I am, you may add a :!SSLv2 to the cipher configuration string to
remove them. something like:
$ openssl ciphers -v 'ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2'
-- Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GPEN
Principal Security Consultant
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
More information about the websecurity