User story #11238
Hardening TLS
Status: closed
Description
On a default installation of apache on SLES11, the security settings are pretty "relaxed", resulting in a massively poor rudder GUI / API security level.
This is the rating you get when using testssl (a quite handy script at https://github.com/drwetter/testssl.sh):
Testing protocols via sockets except SPDY+HTTP2
-----------------------------------------------------
SSLv2 not offered (OK)
SSLv3 offered (NOT ok)
TLS 1 offered
TLS 1.1 not offered
TLS 1.2 not offered
SPDY/NPN not offered
HTTP2/ALPN not offered
Testing ~standard cipher categories
-----------------------------------------------------
NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
LOW: 64 Bit + DES encryption (w/o export) offered (NOT ok)
Weak 128 Bit ciphers (SEED, IDEA, RC[2,4]) offered (NOT ok)
Triple DES Ciphers (Medium) offered
High encryption (AES+Camellia, no AEAD) offered (OK)
Strong encryption (AEAD ciphers) not offered
Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4
----------------------------------------------------------------------------------------------------------
PFS is offered (OK) ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA
                    DHE-RSA-CAMELLIA128-SHA
Elliptic curves offered: prime256v1
Testing server preferences
-----------------------------------------------------
Has server cipher order? nope (NOT ok)
Negotiated protocol TLSv1
Negotiated cipher ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256) (limited sense as client will pick)
Negotiated cipher per proto (limited sense as client will pick)
ECDHE-RSA-AES256-SHA: SSLv3, TLSv1
No further cipher order check has been done as order is determined by the client
Testing vulnerabilities
-----------------------------------------------------
Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension
CCS (CVE-2014-0224) not vulnerable (OK)
Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK)
Secure Renegotiation (CVE-2009-3555) not vulnerable (OK)
Secure Client-Initiated Renegotiation not vulnerable (OK)
CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
BREACH (CVE-2013-3587) no HTTP compression (OK) - only supplied "/rudder" tested
POODLE, SSL (CVE-2014-3566) VULNERABLE (NOT ok), uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)
TLS_FALLBACK_SCSV (RFC 7507) Downgrade attack prevention NOT supported
SWEET32 (CVE-2016-2183, CVE-2016-6329) VULNERABLE, uses 64 bit block ciphers
FREAK (CVE-2015-0204) not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
make sure you don't use this certificate elsewhere with SSLv2 enabled services
https://censys.io/ipv4?q=[...] could help you to find out
LOGJAM (CVE-2015-4000), experimental VULNERABLE (NOT ok): common prime mod_ssl 2.2.x/1024-bit MODP group with safe prime modulus detected (1024 bits),
                                     but no DH EXPORT ciphers
BEAST (CVE-2011-3389) SSL3: ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA AES256-SHA
                            CAMELLIA256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA
                            AES128-SHA CAMELLIA128-SHA ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA
                            EDH-RSA-DES-CBC-SHA DES-CBC-SHA
                      TLS1: ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA AES256-SHA
                            CAMELLIA256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA
                            AES128-SHA CAMELLIA128-SHA ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA
                            EDH-RSA-DES-CBC-SHA DES-CBC-SHA
                      VULNERABLE -- and no higher protocols as mitigation supported
LUCKY13 (CVE-2013-0169) VULNERABLE, uses cipher block chaining (CBC) ciphers
RC4 (CVE-2013-2566, CVE-2015-2808) VULNERABLE (NOT ok): ECDHE-RSA-RC4-SHA RC4-SHA RC4-MD5
Testing 359 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength
----------------------------------------------------------------------------------------------------------
Hexcode  Cipher Suite Name (OpenSSL)  KeyExch.  Encryption  Bits  Cipher Suite Name (RFC)
---------------------------------------------------------------------------------------------------
xc014    ECDHE-RSA-AES256-SHA         ECDH 256  AES         256   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
x39      DHE-RSA-AES256-SHA           DH 1024   AES         256   TLS_DHE_RSA_WITH_AES_256_CBC_SHA
x88      DHE-RSA-CAMELLIA256-SHA      DH 1024   Camellia    256   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
x35      AES256-SHA                   RSA       AES         256   TLS_RSA_WITH_AES_256_CBC_SHA
x84      CAMELLIA256-SHA              RSA       Camellia    256   TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
xc013    ECDHE-RSA-AES128-SHA         ECDH 256  AES         128   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
x33      DHE-RSA-AES128-SHA           DH 1024   AES         128   TLS_DHE_RSA_WITH_AES_128_CBC_SHA
x45      DHE-RSA-CAMELLIA128-SHA      DH 1024   Camellia    128   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
x2f      AES128-SHA                   RSA       AES         128   TLS_RSA_WITH_AES_128_CBC_SHA
x41      CAMELLIA128-SHA              RSA       Camellia    128   TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
xc011    ECDHE-RSA-RC4-SHA            ECDH 256  RC4         128   TLS_ECDHE_RSA_WITH_RC4_128_SHA
x05      RC4-SHA                      RSA       RC4         128   TLS_RSA_WITH_RC4_128_SHA
x04      RC4-MD5                      RSA       RC4         128   TLS_RSA_WITH_RC4_128_MD5
xc012    ECDHE-RSA-DES-CBC3-SHA       ECDH 256  3DES        168   TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
x16      EDH-RSA-DES-CBC3-SHA         DH 1024   3DES        168   TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
x0a      DES-CBC3-SHA                 RSA       3DES        168   TLS_RSA_WITH_3DES_EDE_CBC_SHA
x15      EDH-RSA-DES-CBC-SHA          DH 1024   DES         56    TLS_DHE_RSA_WITH_DES_CBC_SHA
x09      DES-CBC-SHA                  RSA       DES         56    TLS_RSA_WITH_DES_CBC_SHA
Running client simulations via sockets
-----------------------------------------------------
Android 2.3.7 TLSv1.0 RC4-MD5
Android 4.1.1 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Android 4.2.2 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Android 4.4.2 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Android 5.0.0 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Android 6.0 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Android 7.0 TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
Baidu Jan 2015 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Chrome 51 Win 7 TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
Edge 13 Win 10 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Edge 13 Win Phone 10 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Firefox 49 Win 7 TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
Firefox 49 XP SP3 TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
IE 11 Win 10 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
IE 11 Win 7 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
IE 11 Win 8.1 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
IE 11 Win Phone 8.1 TLSv1.0 AES128-SHA
IE 11 Win Phone 8.1 Update TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
IE 6 XP SSLv3 RC4-MD5
IE 7 Vista TLSv1.0 AES128-SHA
IE 8 Win 7 TLSv1.0 AES128-SHA
IE 8 XP TLSv1.0 RC4-MD5
Java 6u45 TLSv1.0 RC4-MD5
Java 7u25 TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
Java 8b132 TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
OpenSSL 1.0.1l TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
OpenSSL 1.0.2e TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Safari 5.1.9 OS X 10.6.8 TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
Safari 6.0.4 OS X 10.8.4 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Safari 7 OS X 10.9 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Safari 8 OS X 10.10 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Safari 9 iOS 9 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Safari 9 OS X 10.11 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Safari 10 OS X 10.12 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Apple ATS 9 iOS 9 No connection
Tor 17.0.9 Win 7 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Putting some effort into it, I think I have come up with a quite good set of settings for Rudder root/relay servers regarding SSL/TLS hardening:
# Let the server, not the client, pick the suite (the "cipher order" check above)
SSLHonorCipherOrder on
# OpenSSL 0.9.8 only knows SSLv2, SSLv3 and TLSv1, so this leaves TLSv1 only
SSLProtocol all -SSLv2 -SSLv3
# !DH drops the DHE suites (mod_ssl 2.2 uses a 1024-bit group, see LOGJAM above); the rest drops RC4, 3DES, DES, MD5, export, anonymous and PSK/SRP/DSS suites
SSLCipherSuite "HIGH:!DH:!ADH:!MD5:!RC4:!aNULL:!eNULL:!LOW:!3DES:!EXP:!PSK:!SRP:!DSS"
This will make it almost "good", but not "extraordinarily secure" (you have to know that SLES11 still has OpenSSL 0.9.8, which is a very big limitation).
Here are the test results after applying these:
Testing protocols via sockets except SPDY+HTTP2
-----------------------------------------------------
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered
TLS 1.1 not offered
TLS 1.2 not offered
SPDY/NPN not offered
HTTP2/ALPN not offered
Testing ~standard cipher categories
-----------------------------------------------------
NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
LOW: 64 Bit + DES encryption (w/o export) not offered (OK)
Weak 128 Bit ciphers (SEED, IDEA, RC[2,4]) not offered (OK)
Triple DES Ciphers (Medium) not offered (OK)
High encryption (AES+Camellia, no AEAD) offered (OK)
Strong encryption (AEAD ciphers) not offered
Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4
----------------------------------------------------------------------------------------------------------
PFS is offered (OK) ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA
Elliptic curves offered: prime256v1
Testing server preferences
-----------------------------------------------------
Has server cipher order? yes (OK)
Negotiated protocol TLSv1
Negotiated cipher ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Cipher order
TLSv1: ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA CAMELLIA256-SHA CAMELLIA128-SHA AES256-SHA AES128-SHA
[some parts are cut]
Testing vulnerabilities
----------------------------------------------------------------------------------------------------------
Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension
CCS (CVE-2014-0224) not vulnerable (OK)
Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK)
Secure Renegotiation (CVE-2009-3555) not vulnerable (OK)
Secure Client-Initiated Renegotiation not vulnerable (OK)
CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
BREACH (CVE-2013-3587) no HTTP compression (OK) - only supplied "/rudder" tested
POODLE, SSL (CVE-2014-3566) not vulnerable (OK)
TLS_FALLBACK_SCSV (RFC 7507) Downgrade attack prevention NOT supported
SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)
FREAK (CVE-2015-0204) not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
make sure you don't use this certificate elsewhere with SSLv2 enabled services
https://censys.io/ipv4?q=[...] could help you to find out
LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected
BEAST (CVE-2011-3389) TLS1: ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA CAMELLIA256-SHA CAMELLIA128-SHA AES256-SHA
                            AES128-SHA
                      VULNERABLE -- and no higher protocols as mitigation supported
LUCKY13 (CVE-2013-0169) VULNERABLE, uses cipher block chaining (CBC) ciphers
RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)
Testing 359 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength
----------------------------------------------------------------------------------------------------------
Hexcode  Cipher Suite Name (OpenSSL)  KeyExch.  Encryption  Bits  Cipher Suite Name (RFC)
---------------------------------------------------------------------------------------------------
xc014    ECDHE-RSA-AES256-SHA         ECDH 256  AES         256   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
x35      AES256-SHA                   RSA       AES         256   TLS_RSA_WITH_AES_256_CBC_SHA
x84      CAMELLIA256-SHA              RSA       Camellia    256   TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
xc013    ECDHE-RSA-AES128-SHA         ECDH 256  AES         128   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
x2f      AES128-SHA                   RSA       AES         128   TLS_RSA_WITH_AES_128_CBC_SHA
x41      CAMELLIA128-SHA              RSA       Camellia    128   TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
Running client simulations via sockets
-----------------------------------------------------
Android 2.3.7 TLSv1.0 AES128-SHA
Android 4.1.1 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Android 4.2.2 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Android 4.4.2 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Android 5.0.0 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Android 6.0 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Android 7.0 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Baidu Jan 2015 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Chrome 51 Win 7 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Edge 13 Win 10 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Edge 13 Win Phone 10 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Firefox 49 Win 7 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Firefox 49 XP SP3 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
IE 11 Win 10 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
IE 11 Win 7 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
IE 11 Win 8.1 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
IE 11 Win Phone 8.1 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
IE 11 Win Phone 8.1 Update TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
IE 6 XP No connection
IE 7 Vista TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
IE 8 Win 7 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
IE 8 XP No connection
Java 6u45 TLSv1.0 AES128-SHA
Java 7u25 TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
Java 8b132 TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
OpenSSL 1.0.1l TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
OpenSSL 1.0.2e TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Safari 5.1.9 OS X 10.6.8 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Safari 6.0.4 OS X 10.8.4 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Safari 7 OS X 10.9 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Safari 8 OS X 10.10 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Safari 9 iOS 9 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Safari 9 OS X 10.11 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Safari 10 OS X 10.12 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Apple ATS 9 iOS 9 No connection
Tor 17.0.9 Win 7 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Updated by François ARMAND almost 9 years ago
Thanks, this is very much appreciated. Benoit, would it be possible to use this configuration as a default in Rudder?
Updated by François ARMAND almost 9 years ago
This should at a minimum be documented so that people can actually find this very valuable information.
Updated by Janos Mattyasovszky almost 9 years ago
How about creating an additional RPM for SLES11, which could be installed additionally for hardening?
Maybe called rudder-server-hardening-web, that could drop in an additional file in /opt/rudder/etc/rudder-apache-hardening-ssl.conf ?
Updated by Benoît PECCATTE over 8 years ago
- Target version set to Ideas (not version specific)
Updated by Alexis Mousset over 7 years ago
- Subject changed from Hardening TLS on SLES11 to Hardening TLS
- Target version changed from Ideas (not version specific) to 6.0.0~beta1
Let's target 5.1. We need to change:
- Apache configuration
- CFEngine configuration
I think we can target TLS 1.2 with modern ciphers almost everywhere as we embed openssl/curl on old agents.
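An added example, not from the ticket and not Rudder's own configuration, covering both the SLES11 cipher string posted in the description and the "TLS 1.2 with modern ciphers" target in the comment above. It expands a cipher string with the local OpenSSL (the same cipher-list parser behind "openssl ciphers -v") and checks the result against that target: forward secrecy and AEAD suites only, nothing anonymous, NULL, RC4, DES or MD5. The MODERN_CIPHERS string, the policy categories and the function names are assumptions made for the example. It cannot reproduce the OpenSSL 0.9.8 limitation: on a current OpenSSL the HIGH alias also matches AES-GCM suites that SLES11 could never offer, so what it shows is which exclusions remove what and which suites still fail the target, not the exact list testssl saw on SLES11.

```python
import ssl

# Cipher string posted in the issue for Apache 2.2 / OpenSSL 0.9.8 on SLES11.
SLES11_CIPHERS = "HIGH:!DH:!ADH:!MD5:!RC4:!aNULL:!eNULL:!LOW:!3DES:!EXP:!PSK:!SRP:!DSS"

# Assumed target string for "TLS 1.2 with modern ciphers" (not Rudder's actual
# configuration): ECDHE key exchange and AEAD bulk ciphers only.
MODERN_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
)

# Substrings of OpenSSL's long cipher names that the testssl scan flagged:
# RC4, single and triple DES (both contain "des"), and the "weak 128 bit" family.
LEGACY_SYMMETRIC = ("rc4", "des", "rc2", "idea", "seed")


def expand(cipher_string):
    """Expand an OpenSSL cipher string into the TLS 1.2-and-below suites it
    enables, in server preference order (what `openssl ciphers -v` prints).
    Raises ssl.SSLError when no suite matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # get_ciphers() also lists TLS 1.3 suites (OpenSSL 1.1.1+), which the
    # cipher string does not govern, so leave them out of the evaluation.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def policy_findings(suites):
    """Check expanded suites against the target the ticket ended on: forward
    secrecy and AEAD only, nothing anonymous, NULL, RC4, DES or MD5.
    Returns (category, suite name) pairs; an empty list means the string passes."""
    findings = []
    for c in suites:
        name = c["name"]
        symmetric = c["symmetric"] or "null"   # None for eNULL suites
        digest = c["digest"] or ""             # None for AEAD suites
        if c["auth"] == "auth-null" or symmetric == "null":
            findings.append(("anonymous-or-null", name))
        elif any(tag in symmetric for tag in LEGACY_SYMMETRIC) or digest == "md5":
            findings.append(("legacy", name))             # RC4 / SWEET32 / MD5 class
        if c["kea"] not in ("kx-ecdhe", "kx-dhe"):
            findings.append(("no-forward-secrecy", name))  # static RSA key exchange
        if not c["aead"]:
            findings.append(("no-aead", name))             # CBC: BEAST / Lucky13 class
    return findings


def dropped_by_exclusions(cipher_string, base="HIGH"):
    """Suite names that `base` enables but the `!` exclusions in cipher_string
    remove; shows what !DH, !3DES, !RC4 and friends actually take away."""
    kept = {c["name"] for c in expand(cipher_string)}
    return [c["name"] for c in expand(base) if c["name"] not in kept]


if __name__ == "__main__":
    for label, cipher_string in (("SLES11", SLES11_CIPHERS), ("modern", MODERN_CIPHERS)):
        suites = expand(cipher_string)
        print(f"{label}: {len(suites)} suites; findings: {policy_findings(suites) or 'none'}")
    print("dropped from HIGH by the SLES11 exclusions:", dropped_by_exclusions(SLES11_CIPHERS))
```

Run as a script it prints the expanded lists and findings; the SLES11 string comes out clean of legacy suites but still carries static-RSA and CBC suites, the modern string passes. The Apache equivalent of the modern policy, assuming Apache 2.4 with OpenSSL 1.0.1 or later, is "SSLProtocol -all +TLSv1.2" with "SSLHonorCipherOrder on" and MODERN_CIPHERS as the SSLCipherSuite value; the script checks the cipher string only, so the protocol floor still has to be enforced in the server configuration.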
Updated by Alexis Mousset about 7 years ago
- Related to Architecture #14786: Force TLS1.2 communication between agent and server added
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 6.0.0~beta1 to 6.0.0
Updated by Alexis Mousset over 6 years ago
- Target version changed from 6.0.0 to Ideas (not version specific)
Updated by Alexis Mousset over 4 years ago
- Status changed from New to Resolved
Done for CFEngine, which is now TLS 1.2+ with modern ciphers, and the same for Apache.