Bug#609126: Please improve default SSL configuration
Package: apache2.2-common
Version: 2.2.9-10+lenny9
Severity: wishlist
Tags: security
The default SSL configuration found on lenny (and - without having
checked - I think on squeeze and sid, too) is to use this cipher suite:
    SSLCipherSuite HIGH:MEDIUM:!ADH
Lenny's openssl 0.9.8g-15+lenny11 makes this:
> $ openssl ciphers -v 'HIGH:MEDIUM:!ADH'
> DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
> DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
> AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
> DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
> DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
> AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
> EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
> EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
> DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
> DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
> RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
> RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
> RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
> RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
This includes SSLv2 ciphers and ciphers with an MD5-based MAC, and the
ciphers are returned in no particular order.
While SSLv2 ciphers are factually disabled by a separate mod_ssl
directive of
    SSLProtocol all -SSLv2
it would seem nicer to disable it wherever possible to make it clear
they are not to be supported.
I recommend using the following cipher suite for mod_ssl on Debian, and
would like to suggest that Debian should use this by default in Lenny
and later releases:
    SSLCipherSuite HIGH:MEDIUM:!SSLv2:!aNULL:!MD5:@STRENGTH
This results in a much improved cipher list:
> $ openssl ciphers -v 'HIGH:MEDIUM:!SSLv2:!aNULL:!MD5:@STRENGTH'
> DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
> DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
> AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
> EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
> EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
> DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
> DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
> DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
> AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
> RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
At the same time, and this is important when picking a cipher suite, it
is somewhat future proof. While an approach of specifically whitelisting
or blacklisting ciphers could be better, this would require the server
administrator(s) (and/or package maintainer(s)) to continuously keep up
to speed by following the latest developments in cryptanalysis. On the
contrary, the approach suggested here is universal, disables only what
is known to be unsafe, and otherwise relies on the expertise of OpenSSL
upstream.
Tests I've run for some months now indicate that the suggested
ciphersuite does not shut out common clients.
I also recommend adding this additional statement to ssl.conf:
    # Server, not client, decides on cipher order -> enforce @STRENGTH
    SSLHonorCipherOrder on
Moritz
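
An added example, not part of the original report and not Debian's or OpenSSL's code: a small audit of `openssl ciphers -v` output that flags the three issues named above (SSLv2 suites, MD5 MACs, no strength ordering). The function names are hypothetical, and `harden` is a simplified model of the proposed cipher string that assumes strength equals the bit count shown in the `Enc=` field.

```python
import re

# Sample input: the `openssl ciphers -v 'HIGH:MEDIUM:!ADH'` lines quoted in the report above.
DEFAULT_LIST = """\
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
"""

LINE = re.compile(r"(\S+)\s+(\S+)\s+Kx=\S+\s+Au=(\S+)\s+Enc=[^(\s]+\((\d+)\)\s+Mac=(\S+)")

def parse(text):
    """Parse cipher lines (a mail quote prefix '> ' is tolerated); skip anything else."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.lstrip("> "))
        if m:
            name, proto, au, bits, mac = m.groups()
            rows.append({"name": name, "proto": proto, "au": au, "bits": int(bits), "mac": mac})
    return rows

def weak(c):
    """Reasons a suite would be excluded by !SSLv2, !aNULL (Au=None) and !MD5."""
    checks = {"SSLv2 cipher": c["proto"] == "SSLv2", "no authentication": c["au"] == "None",
              "MD5 MAC": c["mac"] == "MD5"}
    return [why for why, hit in checks.items() if hit]

def findings(ciphers):
    """Return (cipher, reason) pairs, plus a marker if the list is not strongest-first."""
    out = [(c["name"], why) for c in ciphers for why in weak(c)]
    bits = [c["bits"] for c in ciphers]
    if bits != sorted(bits, reverse=True):
        out.append(("*", "not ordered by strength"))
    return out

def harden(ciphers):
    """Simplified model (an assumption, not OpenSSL's code) of '!SSLv2:!aNULL:!MD5:@STRENGTH'."""
    return sorted((c for c in ciphers if not weak(c)), key=lambda c: -c["bits"])
```

`findings(parse(DEFAULT_LIST))` reports the flagged suites for the default string, and `harden(parse(DEFAULT_LIST))` reproduces the ten-entry list shown for the proposed string.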