Bug#765783: marked as done (apache2: The sample TLS config should recommend a better cipher list)
Your message dated Sat, 18 Oct 2014 21:27:24 +0200
with message-id <2069098.VnmZYND9jm@k>
and subject line Re: Bug#765783: apache2: The sample TLS config should recommend a better cipher list
has caused the Debian Bug report #765783,
regarding apache2: The sample TLS config should recommend a better cipher list
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
765783: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765783
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache2
Version: 2.4.10-5
Severity: important
Tags: patch

Here's a patch for the sample TLS configuration which follows Mozilla's
intermediate compatibility config:

https://wiki.mozilla.org/Security/Server_Side_TLS#Apache

It makes Apache pick the best possible ciphers (for example, giving users
forward secrecy) and also recommends turning on HSTS to defeat sslstrip
attacks.

Also note that it disables SSLv3 to fix the POODLE attack discovered
this week.

Francois

diff --git a/debian/config-dir/sites-available/default-ssl.conf b/debian/config-dir/sites-available/default-ssl.conf
index 432b965..6aaf5f2 100644
--- a/debian/config-dir/sites-available/default-ssl.conf
+++ b/debian/config-dir/sites-available/default-ssl.conf
@@ -24,6 +24,22 @@
# Enable/Disable SSL for this virtual host.
SSLEngine on
+ # Mozilla's recommended intermediate compatibility cipher list
+ # https://wiki.mozilla.org/Security/Server_Side_TLS#Apache
+ SSLProtocol all -SSLv2 -SSLv3
+ SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+ SSLHonorCipherOrder on
+ SSLCompression off
+
+ # OCSP Stapling
+ #SSLUseStapling on
+ #SSLStaplingResponderTimeout 5
+ #SSLStaplingReturnResponderErrors off
+ #SSLStaplingCache shmcb:/var/run/ocsp(128000)
+
+ # Enable this if your want HSTS (recommended)
+ #Header add Strict-Transport-Security "max-age=15768000"
+
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
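Review bot: the commented SSLStaplingCache line in the OCSP Stapling block sits right after "SSLEngine on", which the context comment places inside the virtual host, but SSLStaplingCache is only accepted in the global server configuration, so an admin who uncomments the block as written ends up with a configuration that fails to load. Keep SSLUseStapling here and change the cache line into a comment saying it must be set outside the <VirtualHost> section. The HSTS line depends on mod_headers, which the comment does not mention; say so or wrap the directive in an IfModule block, and consider "Header always set" instead of "Header add" so the header is sent once and also on error responses. The comment above it has a typo: "if your want HSTS" should read "if you want HSTS".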
--- End Message ---
--- Begin Message ---
On Saturday 18 October 2014 16:00:25, Francois Marier wrote:
> Here's a patch for the sample TLS configuration which follows
> Mozilla's intermediate compatibility config:
>
> https://wiki.mozilla.org/Security/Server_Side_TLS#Apache
>
> It makes Apache pick the best possible ciphers (for example, giving
> users forward secrecy) and also recommends turning on HSTS to
> defeat sslstrip attacks.
>
> Also note that it disables SSLv3 to fix the POODLE attack discovered
> this week.

SSLv3 will be disabled in the next upload (see #765347).

For the rest, I don't think the suggested configuration is a good
default:

I don't think enabling SSLHonorCipherOrder by default is good. It
makes it nearly impossible for the clients to select what they think
is appropriate. Also, clients will be upgraded much more often during
the lifetime of a Debian stable release than apache2. Therefore
adjusting the default ciphers to be up-to-date makes more sense on the
clients.

As an example of how this is problematic, see RC4 and
SSLHonorCipherOrder being suggested as mitigation against BEAST, and
RC4 later being found to be broken. This caused problems on servers
where the configuration has not been updated afterwards.

Also, changing conffiles in security updates is problematic (it breaks
unattended-updates).

Suggesting HSTS without a detailed description of the implications is
out of the question, too.

OCSP Stapling is useless until browsers implement some must-staple
extension.

SSL compression already defaults to off.

The difference of the overly complicated suggested SSLCipherSuite
versus "HIGH" is rather small and does not justify the maintenance
problems it causes. If the default is "HIGH" in apache2, it is quite
easy to adjust the meaning of "HIGH" in an openssl security update if
necessary. Otherwise, a conffile update would be necessary to change
it.

Therefore I am closing this bug.
--- End Message ---