Bug#765783: apache2: The sample TLS config should recommend a better cipher list

To: Stefan Fritsch <sf@sfritsch.de>
Cc: 765783@bugs.debian.org
Subject: Bug#765783: apache2: The sample TLS config should recommend a better cipher list
From: Francois Marier <francois@debian.org>
Date: Sun, 19 Oct 2014 12:02:55 +1300
Message-id: <[🔎] 20141018230255.GE9312@akranes.dyndns.org>
Reply-to: Francois Marier <francois@debian.org>, 765783@bugs.debian.org
In-reply-to: <2069098.VnmZYND9jm@k>
References: <[🔎] 20141018030025.26914.51025.reportbug@akranes> <2069098.VnmZYND9jm@k>

On 2014-10-18 at 21:27:24, Stefan Fritsch wrote:
> sslv3 will be disabled in the next upload (see #765347).

That's a very good start.

> I don't think enabling SSLHonorCipherOrder by default is good. It 
> makes it nearly impossible for the clients to select what they think 
> is appropriate. Also, clients will be upgraded much more often during 
> the lifetime of a Debian stable release than apache2. Therefore 
> adjusting the default ciphers to be up-to-date makes more sense on the 
> clients.

Unfortunately, that's required if you want to prevent cipher suite
downgrades. Otherwise, you may be setting a preference for good ciphers, but
it can be ignored and set to something easier to attack.

Also, it is enabled in the default config that ships with nginx in Debian.

> As an example of how this is problematic, see RC4 and SSLHonorCipherOrder
> being suggested as mitigation against BEAST, and RC4 later being found to
> be broken. This caused problems on servers where the configuration has not
> been updated afterwards.

Yes, that's the unfortunate reality of using TLS. Server admins have to keep
up with evolving security guidelines.

> Also, changing conffiles in security updates is problematic (it breaks 
> unattended-updates).

True, though in this case, server operators do have take action (for example
to disable SSLv3)

> Suggesting HSTS without detailed description of the implications is 
> out of the question, too.
>
> OCSP Stapling is useless until browsers implement some must-staple 
> extension.

That's why I left those commented out, but sure, they're not the most
important parts of this patch.

> SSL compression already defaults to off.

My apologies, I should have left that redundant bit out.

> The difference of the overly complicated suggested SSLCipherSuite 
> versus "HIGH" is rather small and does not justify the maintenance 
> problems it causes. If the default is "HIGH" in apache2, it is quite 
> easy to adjust the meaning of "HIGH" in an openssl security update if 
> necessary. Otherwise, a conffile update would be necessary to change 
> it.

I think there's a lot of value in promoting good cipher suites that enable
forward secrecy for the majority of users for example. Sure it's annoyingly
verbose, but that's the only way to achieve this at the moment.

> Therefore I am closing this bug.

I respectfully disagree with your decision. I think our users deserve a
better cipher suite.

Francois

-- 
Francois Marier           identi.ca/fmarier
http://fmarier.org      twitter.com/fmarier

Reply to:

Follow-Ups:
- Bug#765783: apache2: The sample TLS config should recommend a better cipher list
  - From: Stefan Fritsch <sf@sfritsch.de>

References:
- Bug#765783: apache2: The sample TLS config should recommend a better cipher list
  - From: Francois Marier <francois@debian.org>

Prev by Date: Bug#765783: marked as done (apache2: The sample TLS config should recommend a better cipher list)
Next by Date: Bug#765783: apache2: The sample TLS config should recommend a better cipher list
Previous by thread: Bug#765783: marked as done (apache2: The sample TLS config should recommend a better cipher list)
Next by thread: Bug#765783: apache2: The sample TLS config should recommend a better cipher list
Index(es):
- Date
- Thread