Project

General

Profile

User story #11238

Hardening TLS

Added by Janos Mattyasovszky over 1 year ago. Updated 4 months ago.

Status:
New
Priority:
N/A
Assignee:
-
Category:
Security
Target version:
Pull Request:
Suggestion strength:
Advise - This would make Rudder significantly better | easier | simpler
User visibility:
Operational - other Techniques | Technique editor | Rudder settings
Effort required:

Description

On a default installation of apache on SLES11, the security settings are pretty "relaxed", resulting in a massively poor rudder GUI / API security level.

This gives you a rating when using testssl (quite handy script @ https://github.com/drwetter/testssl.sh):

 Testing protocols via sockets except SPDY+HTTP2
-----------------------------------------------------
 SSLv2      not offered (OK)
 SSLv3      offered (NOT ok)
 TLS 1      offered
 TLS 1.1    not offered
 TLS 1.2    not offered
 SPDY/NPN   not offered
 HTTP2/ALPN not offered

 Testing ~standard cipher categories
-----------------------------------------------------
 NULL ciphers (no encryption)                  not offered (OK)
 Anonymous NULL Ciphers (no authentication)    not offered (OK)
 Export ciphers (w/o ADH+NULL)                 not offered (OK)
 LOW: 64 Bit + DES encryption (w/o export)     offered (NOT ok)
 Weak 128 Bit ciphers (SEED, IDEA, RC[2,4])    offered (NOT ok)
 Triple DES Ciphers (Medium)                   offered
 High encryption (AES+Camellia, no AEAD)       offered (OK)
 Strong encryption (AEAD ciphers)              not offered

 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4
----------------------------------------------------------------------------------------------------------
 PFS is offered (OK)          ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA
                              DHE-RSA-CAMELLIA128-SHA
 Elliptic curves offered:     prime256v1

 Testing server preferences
-----------------------------------------------------
 Has server cipher order?     nope (NOT ok)
 Negotiated protocol          TLSv1
 Negotiated cipher            ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256) (limited sense as client will pick)
 Negotiated cipher per proto  (limited sense as client will pick)
     ECDHE-RSA-AES256-SHA:          SSLv3, TLSv1
 No further cipher order check has been done as order is determined by the client

 Testing vulnerabilities
-----------------------------------------------------
 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK)
 Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    no HTTP compression (OK)  - only supplied "/rudder" tested
 POODLE, SSL (CVE-2014-3566)               VULNERABLE (NOT ok), uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)
 TLS_FALLBACK_SCSV (RFC 7507)              Downgrade attack prevention NOT supported
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    VULNERABLE, uses 64 bit block ciphers
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                           https://censys.io/ipv4?q=[...] could help you to find out
 LOGJAM (CVE-2015-4000), experimental      VULNERABLE (NOT ok): common prime mod_ssl 2.2.x/1024-bit MODP group with safe prime modulus detected (1024 bits),
                                           but no DH EXPORT ciphers
 BEAST (CVE-2011-3389)                     SSL3: ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA AES256-SHA
                                                 CAMELLIA256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA
                                                 AES128-SHA CAMELLIA128-SHA ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA
                                                 EDH-RSA-DES-CBC-SHA DES-CBC-SHA
                                           TLS1: ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA AES256-SHA
                                                 CAMELLIA256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA
                                                 AES128-SHA CAMELLIA128-SHA ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA
                                                 EDH-RSA-DES-CBC-SHA DES-CBC-SHA
                                           VULNERABLE -- and no higher protocols as mitigation supported
 LUCKY13 (CVE-2013-0169)                   VULNERABLE, uses cipher block chaining (CBC) ciphers
 RC4 (CVE-2013-2566, CVE-2015-2808)        VULNERABLE (NOT ok): ECDHE-RSA-RC4-SHA RC4-SHA RC4-MD5

 Testing 359 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength
----------------------------------------------------------------------------------------------------------

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------------
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 x39     DHE-RSA-AES256-SHA                DH 1024    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA
 x88     DHE-RSA-CAMELLIA256-SHA           DH 1024    Camellia    256      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
 x84     CAMELLIA256-SHA                   RSA        Camellia    256      TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x33     DHE-RSA-AES128-SHA                DH 1024    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 x45     DHE-RSA-CAMELLIA128-SHA           DH 1024    Camellia    128      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
 x41     CAMELLIA128-SHA                   RSA        Camellia    128      TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
 xc011   ECDHE-RSA-RC4-SHA                 ECDH 256   RC4         128      TLS_ECDHE_RSA_WITH_RC4_128_SHA
 x05     RC4-SHA                           RSA        RC4         128      TLS_RSA_WITH_RC4_128_SHA
 x04     RC4-MD5                           RSA        RC4         128      TLS_RSA_WITH_RC4_128_MD5
 xc012   ECDHE-RSA-DES-CBC3-SHA            ECDH 256   3DES        168      TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
 x16     EDH-RSA-DES-CBC3-SHA              DH 1024    3DES        168      TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA
 x15     EDH-RSA-DES-CBC-SHA               DH 1024    DES         56       TLS_DHE_RSA_WITH_DES_CBC_SHA
 x09     DES-CBC-SHA                       RSA        DES         56       TLS_RSA_WITH_DES_CBC_SHA

 Running client simulations via sockets
-----------------------------------------------------
 Android 2.3.7                TLSv1.0 RC4-MD5
 Android 4.1.1                TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Android 4.2.2                TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Android 4.4.2                TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Android 5.0.0                TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Android 6.0                  TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Android 7.0                  TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 Baidu Jan 2015               TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Chrome 51 Win 7              TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 Edge 13 Win 10               TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Edge 13 Win Phone 10         TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Firefox 49 Win 7             TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 Firefox 49 XP SP3            TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 IE 11 Win 10                 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 11 Win 7                  TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 11 Win 8.1                TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 11 Win Phone 8.1          TLSv1.0 AES128-SHA
 IE 11 Win Phone 8.1 Update   TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 6 XP                      SSLv3   RC4-MD5
 IE 7 Vista                   TLSv1.0 AES128-SHA
 IE 8 Win 7                   TLSv1.0 AES128-SHA
 IE 8 XP                      TLSv1.0 RC4-MD5
 Java 6u45                    TLSv1.0 RC4-MD5
 Java 7u25                    TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 Java 8b132                   TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 OpenSSL 1.0.1l               TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 OpenSSL 1.0.2e               TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 5.1.9 OS X 10.6.8     TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 Safari 6.0.4 OS X 10.8.4     TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 7 OS X 10.9           TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 8 OS X 10.10          TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 9 iOS 9               TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 9 OS X 10.11          TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 10 OS X 10.12         TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Apple ATS 9 iOS 9            No connection
 Tor 17.0.9 Win 7             TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)

Putting some effort in it, I think I have came up with a quite good set of settings for Rudder root/relay servers regarding SSL/TLS hardening:

SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "HIGH:!DH:!ADH:!MD5:!RC4:!aNULL:!eNULL:!LOW:!3DES:!EXP:!PSK:!SRP:!DSS" 

This will make it almost "good", but not "extraordinary secure" (you have to know that SLES11 still has openssl0.9.8, which is a very big limitation).

Here are the test results after applying these:

 Testing protocols via sockets except SPDY+HTTP2
-----------------------------------------------------
 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered
 TLS 1.1    not offered
 TLS 1.2    not offered
 SPDY/NPN   not offered
 HTTP2/ALPN not offered

 Testing ~standard cipher categories
-----------------------------------------------------
 NULL ciphers (no encryption)                  not offered (OK)
 Anonymous NULL Ciphers (no authentication)    not offered (OK)
 Export ciphers (w/o ADH+NULL)                 not offered (OK)
 LOW: 64 Bit + DES encryption (w/o export)     not offered (OK)
 Weak 128 Bit ciphers (SEED, IDEA, RC[2,4])    not offered (OK)
 Triple DES Ciphers (Medium)                   not offered (OK)
 High encryption (AES+Camellia, no AEAD)       offered (OK)
 Strong encryption (AEAD ciphers)              not offered

 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4
----------------------------------------------------------------------------------------------------------
 PFS is offered (OK)          ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA
 Elliptic curves offered:     prime256v1

 Testing server preferences
-----------------------------------------------------
 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1
 Negotiated cipher            ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Cipher order
    TLSv1:     ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA CAMELLIA256-SHA CAMELLIA128-SHA AES256-SHA AES128-SHA

[some parts are cut]

 Testing vulnerabilities
----------------------------------------------------------------------------------------------------------
 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK)
 Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    no HTTP compression (OK)  - only supplied "/rudder" tested
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
 TLS_FALLBACK_SCSV (RFC 7507)              Downgrade attack prevention NOT supported
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                           https://censys.io/ipv4?q=[...] could help you to find out
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected
 BEAST (CVE-2011-3389)                     TLS1: ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA CAMELLIA256-SHA CAMELLIA128-SHA AES256-SHA
                                                 AES128-SHA
                                           VULNERABLE -- and no higher protocols as mitigation supported
 LUCKY13 (CVE-2013-0169)                   VULNERABLE, uses cipher block chaining (CBC) ciphers
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)

 Testing 359 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength
----------------------------------------------------------------------------------------------------------

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------------
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
 x84     CAMELLIA256-SHA                   RSA        Camellia    256      TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
 x41     CAMELLIA128-SHA                   RSA        Camellia    128      TLS_RSA_WITH_CAMELLIA_128_CBC_SHA

 Running client simulations via sockets
-----------------------------------------------------
 Android 2.3.7                TLSv1.0 AES128-SHA
 Android 4.1.1                TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Android 4.2.2                TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Android 4.4.2                TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Android 5.0.0                TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Android 6.0                  TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Android 7.0                  TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Baidu Jan 2015               TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Chrome 51 Win 7              TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Edge 13 Win 10               TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Edge 13 Win Phone 10         TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Firefox 49 Win 7             TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Firefox 49 XP SP3            TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 11 Win 10                 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 11 Win 7                  TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 11 Win 8.1                TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 11 Win Phone 8.1          TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 11 Win Phone 8.1 Update   TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 6 XP                      No connection
 IE 7 Vista                   TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 8 Win 7                   TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 8 XP                      No connection
 Java 6u45                    TLSv1.0 AES128-SHA
 Java 7u25                    TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 Java 8b132                   TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 OpenSSL 1.0.1l               TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 OpenSSL 1.0.2e               TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 5.1.9 OS X 10.6.8     TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 6.0.4 OS X 10.8.4     TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 7 OS X 10.9           TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 8 OS X 10.10          TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 9 iOS 9               TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 9 OS X 10.11          TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 10 OS X 10.12         TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Apple ATS 9 iOS 9            No connection
 Tor 17.0.9 Win 7             TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)


Subtasks

User story #13990: Require TLS 1.2 for CFEngine communicationIn progressAlexis MOUSSET

History

#1 Updated by François ARMAND over 1 year ago

Thanks, this is very much appreciated. Benoit, would it be possible to use these configuration as a default in Rudder ?

#2 Updated by François ARMAND over 1 year ago

This should at minima be documented so that people can actually find these very valuable information.

#3 Updated by Janos Mattyasovszky over 1 year ago

How about creating an additional RPM for SLES11, which could be installed additionally for hardening?

Maybe called rudder-server-hardening-web, that could drop in an additional file in /opt/rudder/etc/rudder-apache-hardening-ssl.conf ?

#4 Updated by Benoît PECCATTE about 1 year ago

  • Target version set to Ideas (not version specific)

#5 Updated by Alexis MOUSSET 4 months ago

  • Subject changed from Hardening TLS on SLES11 to Hardening TLS
  • Target version changed from Ideas (not version specific) to 5.1.0~alpha1

Let's target 5.1 we need to change:

  • Apache configuration
  • CFEngine configuration

I think we can target TLS 1.2 with modern ciphers almost everywhere as we embed openssl/curl on old agents.

Also available in: Atom PDF