User story #11238
Hardening TLS
Status: closed
Description
On a default installation of Apache on SLES11, the security settings are pretty "relaxed", resulting in a massively poor Rudder GUI / API security level.
This is the rating you get when using testssl (a quite handy script at https://github.com/drwetter/testssl.sh):
Testing protocols via sockets except SPDY+HTTP2
-----------------------------------------------------
 SSLv2       not offered (OK)
 SSLv3       offered (NOT ok)
 TLS 1       offered
 TLS 1.1     not offered
 TLS 1.2     not offered
 SPDY/NPN    not offered
 HTTP2/ALPN  not offered

Testing ~standard cipher categories
-----------------------------------------------------
 NULL ciphers (no encryption)                  not offered (OK)
 Anonymous NULL Ciphers (no authentication)    not offered (OK)
 Export ciphers (w/o ADH+NULL)                 not offered (OK)
 LOW: 64 Bit + DES encryption (w/o export)     offered (NOT ok)
 Weak 128 Bit ciphers (SEED, IDEA, RC[2,4])    offered (NOT ok)
 Triple DES Ciphers (Medium)                   offered
 High encryption (AES+Camellia, no AEAD)       offered (OK)
 Strong encryption (AEAD ciphers)              not offered

Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4
----------------------------------------------------------------------------------------------------------
 PFS is offered (OK)          ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA
 Elliptic curves offered:     prime256v1

Testing server preferences
-----------------------------------------------------
 Has server cipher order?     nope (NOT ok)
 Negotiated protocol          TLSv1
 Negotiated cipher            ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256) (limited sense as client will pick)
 Negotiated cipher per proto  (limited sense as client will pick)
     ECDHE-RSA-AES256-SHA:    SSLv3, TLSv1
 No further cipher order check has been done as order is determined by the client

Testing vulnerabilities
-----------------------------------------------------
 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK)
 Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    no HTTP compression (OK) - only supplied "/rudder" tested
 POODLE, SSL (CVE-2014-3566)               VULNERABLE (NOT ok), uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)
 TLS_FALLBACK_SCSV (RFC 7507)              Downgrade attack prevention NOT supported
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    VULNERABLE, uses 64 bit block ciphers
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                           https://censys.io/ipv4?q=[...] could help you to find out
 LOGJAM (CVE-2015-4000), experimental      VULNERABLE (NOT ok): common prime mod_ssl 2.2.x/1024-bit MODP group with safe prime modulus detected (1024 bits), but no DH EXPORT ciphers
 BEAST (CVE-2011-3389)                     SSL3: ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA AES256-SHA CAMELLIA256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA AES128-SHA CAMELLIA128-SHA ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA
                                           TLS1: ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA AES256-SHA CAMELLIA256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA AES128-SHA CAMELLIA128-SHA ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA
                                           VULNERABLE -- and no higher protocols as mitigation supported
 LUCKY13 (CVE-2013-0169)                   VULNERABLE, uses cipher block chaining (CBC) ciphers
 RC4 (CVE-2013-2566, CVE-2015-2808)        VULNERABLE (NOT ok): ECDHE-RSA-RC4-SHA RC4-SHA RC4-MD5

Testing 359 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength
----------------------------------------------------------------------------------------------------------
Hexcode  Cipher Suite Name (OpenSSL)  KeyExch.   Encryption  Bits  Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------------
 xc014   ECDHE-RSA-AES256-SHA         ECDH 256   AES         256   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 x39     DHE-RSA-AES256-SHA           DH 1024    AES         256   TLS_DHE_RSA_WITH_AES_256_CBC_SHA
 x88     DHE-RSA-CAMELLIA256-SHA      DH 1024    Camellia    256   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
 x35     AES256-SHA                   RSA        AES         256   TLS_RSA_WITH_AES_256_CBC_SHA
 x84     CAMELLIA256-SHA              RSA        Camellia    256   TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
 xc013   ECDHE-RSA-AES128-SHA         ECDH 256   AES         128   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x33     DHE-RSA-AES128-SHA           DH 1024    AES         128   TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 x45     DHE-RSA-CAMELLIA128-SHA      DH 1024    Camellia    128   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
 x2f     AES128-SHA                   RSA        AES         128   TLS_RSA_WITH_AES_128_CBC_SHA
 x41     CAMELLIA128-SHA              RSA        Camellia    128   TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
 xc011   ECDHE-RSA-RC4-SHA            ECDH 256   RC4         128   TLS_ECDHE_RSA_WITH_RC4_128_SHA
 x05     RC4-SHA                      RSA        RC4         128   TLS_RSA_WITH_RC4_128_SHA
 x04     RC4-MD5                      RSA        RC4         128   TLS_RSA_WITH_RC4_128_MD5
 xc012   ECDHE-RSA-DES-CBC3-SHA       ECDH 256   3DES        168   TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
 x16     EDH-RSA-DES-CBC3-SHA         DH 1024    3DES        168   TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 x0a     DES-CBC3-SHA                 RSA        3DES        168   TLS_RSA_WITH_3DES_EDE_CBC_SHA
 x15     EDH-RSA-DES-CBC-SHA          DH 1024    DES         56    TLS_DHE_RSA_WITH_DES_CBC_SHA
 x09     DES-CBC-SHA                  RSA        DES         56    TLS_RSA_WITH_DES_CBC_SHA

Running client simulations via sockets
-----------------------------------------------------
 Android 2.3.7                 TLSv1.0   RC4-MD5
 Android 4.1.1                 TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Android 4.2.2                 TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Android 4.4.2                 TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Android 5.0.0                 TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Android 6.0                   TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Android 7.0                   TLSv1.0   ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 Baidu Jan 2015                TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Chrome 51 Win 7               TLSv1.0   ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 Edge 13 Win 10                TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Edge 13 Win Phone 10          TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Firefox 49 Win 7              TLSv1.0   ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 Firefox 49 XP SP3             TLSv1.0   ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 IE 11 Win 10                  TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 11 Win 7                   TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 11 Win 8.1                 TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 11 Win Phone 8.1           TLSv1.0   AES128-SHA
 IE 11 Win Phone 8.1 Update    TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 6 XP                       SSLv3     RC4-MD5
 IE 7 Vista                    TLSv1.0   AES128-SHA
 IE 8 Win 7                    TLSv1.0   AES128-SHA
 IE 8 XP                       TLSv1.0   RC4-MD5
 Java 6u45                     TLSv1.0   RC4-MD5
 Java 7u25                     TLSv1.0   ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 Java 8b132                    TLSv1.0   ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 OpenSSL 1.0.1l                TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 OpenSSL 1.0.2e                TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 5.1.9 OS X 10.6.8      TLSv1.0   ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 Safari 6.0.4 OS X 10.8.4      TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 7 OS X 10.9            TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 8 OS X 10.10           TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 9 iOS 9                TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 9 OS X 10.11           TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 10 OS X 10.12          TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Apple ATS 9 iOS 9             No connection
 Tor 17.0.9 Win 7              TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Putting some effort into it, I think I have come up with a quite good set of settings for Rudder root/relay servers regarding SSL/TLS hardening:

SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "HIGH:!DH:!ADH:!MD5:!RC4:!aNULL:!eNULL:!LOW:!3DES:!EXP:!PSK:!SRP:!DSS"
This will make it almost "good", but not "extraordinarily secure" (you have to know that SLES11 still has OpenSSL 0.9.8, which is a very big limitation).
Here are the test results after applying these:
Testing protocols via sockets except SPDY+HTTP2
-----------------------------------------------------
 SSLv2       not offered (OK)
 SSLv3       not offered (OK)
 TLS 1       offered
 TLS 1.1     not offered
 TLS 1.2     not offered
 SPDY/NPN    not offered
 HTTP2/ALPN  not offered

Testing ~standard cipher categories
-----------------------------------------------------
 NULL ciphers (no encryption)                  not offered (OK)
 Anonymous NULL Ciphers (no authentication)    not offered (OK)
 Export ciphers (w/o ADH+NULL)                 not offered (OK)
 LOW: 64 Bit + DES encryption (w/o export)     not offered (OK)
 Weak 128 Bit ciphers (SEED, IDEA, RC[2,4])    not offered (OK)
 Triple DES Ciphers (Medium)                   not offered (OK)
 High encryption (AES+Camellia, no AEAD)       offered (OK)
 Strong encryption (AEAD ciphers)              not offered

Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4
----------------------------------------------------------------------------------------------------------
 PFS is offered (OK)          ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA
 Elliptic curves offered:     prime256v1

Testing server preferences
-----------------------------------------------------
 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1
 Negotiated cipher            ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Cipher order
    TLSv1:     ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA CAMELLIA256-SHA CAMELLIA128-SHA AES256-SHA AES128-SHA

[some parts are cut]

Testing vulnerabilities
----------------------------------------------------------------------------------------------------------
 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK)
 Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    no HTTP compression (OK) - only supplied "/rudder" tested
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
 TLS_FALLBACK_SCSV (RFC 7507)              Downgrade attack prevention NOT supported
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                           https://censys.io/ipv4?q=[...] could help you to find out
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected
 BEAST (CVE-2011-3389)                     TLS1: ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA CAMELLIA256-SHA CAMELLIA128-SHA AES256-SHA AES128-SHA
                                           VULNERABLE -- and no higher protocols as mitigation supported
 LUCKY13 (CVE-2013-0169)                   VULNERABLE, uses cipher block chaining (CBC) ciphers
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)

Testing 359 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength
----------------------------------------------------------------------------------------------------------
Hexcode  Cipher Suite Name (OpenSSL)  KeyExch.   Encryption  Bits  Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------------
 xc014   ECDHE-RSA-AES256-SHA         ECDH 256   AES         256   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 x35     AES256-SHA                   RSA        AES         256   TLS_RSA_WITH_AES_256_CBC_SHA
 x84     CAMELLIA256-SHA              RSA        Camellia    256   TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
 xc013   ECDHE-RSA-AES128-SHA         ECDH 256   AES         128   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x2f     AES128-SHA                   RSA        AES         128   TLS_RSA_WITH_AES_128_CBC_SHA
 x41     CAMELLIA128-SHA              RSA        Camellia    128   TLS_RSA_WITH_CAMELLIA_128_CBC_SHA

Running client simulations via sockets
-----------------------------------------------------
 Android 2.3.7                 TLSv1.0   AES128-SHA
 Android 4.1.1                 TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Android 4.2.2                 TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Android 4.4.2                 TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Android 5.0.0                 TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Android 6.0                   TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Android 7.0                   TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Baidu Jan 2015                TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Chrome 51 Win 7               TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Edge 13 Win 10                TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Edge 13 Win Phone 10          TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Firefox 49 Win 7              TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Firefox 49 XP SP3             TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 11 Win 10                  TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 11 Win 7                   TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 11 Win 8.1                 TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 11 Win Phone 8.1           TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 11 Win Phone 8.1 Update    TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 6 XP                       No connection
 IE 7 Vista                    TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 8 Win 7                    TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 8 XP                       No connection
 Java 6u45                     TLSv1.0   AES128-SHA
 Java 7u25                     TLSv1.0   ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 Java 8b132                    TLSv1.0   ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 OpenSSL 1.0.1l                TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 OpenSSL 1.0.2e                TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 5.1.9 OS X 10.6.8      TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 6.0.4 OS X 10.8.4      TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 7 OS X 10.9            TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 8 OS X 10.10           TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 9 iOS 9                TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 9 OS X 10.11           TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 10 OS X 10.12          TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Apple ATS 9 iOS 9             No connection
 Tor 17.0.9 Win 7              TLSv1.0   ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
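The SSLCipherSuite string proposed above can be checked locally before it reaches a server: expand it with the OpenSSL the local Python ssl module links to and flag any suite that falls in a category the testssl report marks NOT ok (RC4, DES/3DES, MD5, NULL, export, anonymous, finite-field DH). This is an added example, not Rudder's code; it assumes Python 3.6+ (for SSLContext.get_ciphers), and the exact expansion depends on the local OpenSSL build, so it shows what the string means rather than what the SLES11 OpenSSL 0.9.8 would offer. The RELAXED string is a constructed permissive string used only for comparison.

```python
import ssl

# SSLCipherSuite value from the issue, and a constructed permissive string
# that stands in for an unhardened configuration.
HARDENED = "HIGH:!DH:!ADH:!MD5:!RC4:!aNULL:!eNULL:!LOW:!3DES:!EXP:!PSK:!SRP:!DSS"
RELAXED = "ALL:!aNULL"   # constructed, for comparison only


def expand(cipher_string):
    """OpenSSL suite names the local library enables for this string.
    Raises ssl.SSLError when nothing matches (e.g. a typo in the string)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def is_weak(name):
    """Return the testssl category a suite name fails, or None if it is fine."""
    if "NULL" in name:                       # eNULL / aNULL suites
        return "NULL encryption or authentication"
    if name.startswith(("ADH-", "AECDH-", "EXP")):
        return "anonymous or export"
    if "RC4" in name:
        return "RC4"
    if "DES" in name:                        # DES-CBC-SHA, DES-CBC3-SHA (3DES)
        return "DES/3DES (SWEET32)"
    if name.endswith("MD5"):
        return "MD5 MAC"
    if name.startswith(("DHE-", "EDH-", "DH-")):   # not ECDHE-
        return "finite-field DH (1024-bit mod_ssl group, LOGJAM)"
    return None


def weak_suites(cipher_string):
    """(name, reason) for every enabled suite in a NOT ok category."""
    return [(n, is_weak(n)) for n in expand(cipher_string) if is_weak(n)]


if __name__ == "__main__":
    for label, spec in (("relaxed", RELAXED), ("hardened", HARDENED)):
        bad = weak_suites(spec)
        print(f"{label}: {len(expand(spec))} suites enabled, {len(bad)} weak")
        for name, why in bad:
            print(f"  {name:32} {why}")
```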
Updated by François ARMAND over 7 years ago
Thanks, this is very much appreciated. Benoit, would it be possible to use this configuration as a default in Rudder?
Updated by François ARMAND over 7 years ago
This should at a minimum be documented so that people can actually find this very valuable information.
Updated by Janos Mattyasovszky over 7 years ago
How about creating an additional RPM for SLES11, which could be installed additionally for hardening?
Maybe called rudder-server-hardening-web, that could drop in an additional file in /opt/rudder/etc/rudder-apache-hardening-ssl.conf?
Updated by Benoît PECCATTE almost 7 years ago
- Target version set to Ideas (not version specific)
Updated by Alexis Mousset about 6 years ago
- Subject changed from Hardening TLS on SLES11 to Hardening TLS
- Target version changed from Ideas (not version specific) to 6.0.0~beta1
Let's target 5.1; we need to change:
- Apache configuration
- CFEngine configuration
I think we can target TLS 1.2 with modern ciphers almost everywhere as we embed openssl/curl on old agents.
Updated by Alexis Mousset over 5 years ago
- Related to Architecture #14786: Force TLS1.2 communication between agent and server added
Updated by Vincent MEMBRÉ about 5 years ago
- Target version changed from 6.0.0~beta1 to 6.0.0
Updated by Alexis Mousset about 5 years ago
- Target version changed from 6.0.0 to Ideas (not version specific)
Updated by Alexis Mousset almost 3 years ago
- Status changed from New to Resolved
Done for CFEngine, which is now TLS 1.2+ with modern ciphers, and same for Apache.