SSL Best Practices and Testing

Background/References

• Qualys SSL Labs
  • Projects
    • SSL Server Test - an online SSL tester. (Only does port 443.)
    • SSL Server Rating Guide - a method for rating SSL servers. Used by the scanner above.
    • SSL/TLS Deployment Best Practices - document on SSL deployment best practices.
• SSL Scan - command line SSL scanner. Available in many operating system distributions. Cipher suite only.
• sslyze scanner - full-featured scanner
  • wiki documentation
• Better Crypto - Applied Cryptography Hardening
• OWASP: Transport Layer Protection Cheat Sheet
• Mozilla Wiki: Security/Server Side TLS
• Google: A roster of TLS cipher suites weaknesses
• gnutls-cli
  • part of gnutls-utils

Best Practices

Much of this is based on the Qualys SSL/TLS Deployment Best Practices document.

Security

• Certificates
  • Key length: 2048 or longer (avoid > 4096)
    • Verify not known weak key (Debian OpenSSL flaw)
  • Subject Name
    • X509v3 Subject Alternative Name
  • Chain
  • Validity period
• Protocols (in order of preference)
  • TLS v1.1 anc v1.2 (not widely supported)
  • TLSv1.0
  • SSLv3
  • Do not use SSLv2
• Cipher Suites
  • Do not use keys of less than 128 bits.
  • Disable Anonymous Diffie-Hellman (ADH) suites
  • Disable NULL suites
• Disable client-initiated renegotiation.
  • How to check for client-initiated renegotiation
• Disable insecure renegotiation.
• Consider disabling TLS Compression and Next Protocol Support
  • CRIME: Information Leakage Attack against SSL/TLS
• RC4
  • RC4 in TLS is Broken: Now What?
  • Old: Prioritize RC4 to mitigate the BEAST attack.
    • Old: RC4 is considered a weaker cipher, but it is prioritized for server-side beast mitigation.
    • Old: Is RC4 safe for use in SSL?
• Use HTTP Strict Transport Security where practical.

Performance

• Advanced Encryption Standard (AES) Instruction Set - AES is supported in some hardware.
• OpenSSL speed - command to test SSL performance
• OpenSSL Cipher Selection
• RC4 is probably the highest performing cipher (unless you have hardware AES). See above about BEAST and RC4 security.
• The Diffie-Hellman Ephemeral ciphers, such as DHE-RSA-AES256-SHA are slow.
  • You can disable them in OpenSSL with !kEDH
  • These ciphers do provide perfect forward secrecy though.
  • hivemind devops alert: nginx does not suck at ssl
• Excessive key lengths hurt performance. Do not use keys larger than 4096/256 bits.
• Maintaining a persistant connection reduces the initial startup overhead of SSL.
• Prioritize AES over 3DES.

Configuration Hints

OpenSSL

• OpenSSL ciphers command
  • openssl ciphers -v ALL will show all available ciphers
  • openssl ciphers -v will show the default list of ciphers
  • openssl ciphers -v 'CipherString' will show the default list available ciphers bases on CipherString
  • see the man page for the specification of the cipher string
• specifications (under development)
  • Prefix character
    • none: add cipher to list
    • + - move matching ciphers to the current location in list
    • - - remove cipher from list (can be added later again)
    • ! - kill cipher from list completely (can not be added later again)
  • !SSLv2:!LOW:!EXPORT:!aNULL:!eNULL should probably always be included. This is the stuff you never want.
  • @STRENGTH shoud not be used if you order RC4 first for BEAST mitigation or performance.
  • !MEDIUM will turn off RC4. -MEDIUM:RC4 should work if you want RC4 but not other medium ciphers.
    • Prioritizing RC4 reduces CPU and defends against BEAST. Not necessary if TLSv1.1 or TLSv1.2 is available.
  • ?kEDH ephemeral Diffie Hellman?
    • kEDH is slow: http://matt.io/technobabble/hivemind_devops_alert:_nginx_does_not_suck_at_ssl
  • TLSv1:SSLv3:!SSLv2:!LOW:!EXPORT:!aNULL:!eNULL
  • ALL:!SSLv2:!EXPORT:!LOW:!aNULL:!eNULL
  • RC4-SHA:HIGH:!kEDH http://feeding.cloud.geek.nz/2011/11/ideal-openssl-configuration-for-apache.html
  • RC4:AES128-SHA:AES:CAMELLIA128-SHA:!ADH:!aNULL:!DH:!EDH:!eNULL:!LOW:!SSLv2:!EXP:!NULL
    • From OpenSSL: Cipher Selection. (Note order of AES and RC4 based on hardware AES.)
  • ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK - from https://wiki.mozilla.org/Security/Server_Side_TLS.
• OpenSSL Options
  • SSL_OP_CIPHER_SERVER_PREFERENCE
  • See the page for various renegotiation options.
• Protocols
  • You do not need SSLv3 if you are using Server Name Indication

Apache (mod_ssl)

• SSLProtocol TLSv1
• SSLHonorCipherOrder On (with SSLCipherSuite RC4-SHA:HIGH:!kEDH)
• Article: Ideal OpenSSL configuration for Apache and nginx
• You can use SSLCompression off if you're on 2.2.24 or later. If not, you can set the OPENSSL_NO_DEFAULT_ZLIB environment variable to force compression off in OpenSSL. (/etc/sysconfig/httpd: export OPENSSL_NO_DEFAULT_ZLIB=1)

NGiNX

• ssl_protocols TLSv1;
• ssl_ciphers RC4-SHA:HIGH:!kEDH;
• ssl_prefer_server_ciphers on;
• add_header Strict-Transport-Security max-age=15768000;
• Article: Ideal OpenSSL configuration for Apache and nginx

stunnel

• ciphers =
• options =
  • The parameter is the OpenSSL option name as described in the SSL_CTX_set_options(3ssl) manual, but without SSL_OP_ prefix. Several options can be used to specify multiple options.

dovecot

• ssl_cipher_list =

TODO

• PCI compliance
• FIPS compliance
• openssl renegotiation options
• gain some understanding of what restrictions allow most clients to still work