Gentoo Forums
[SOLVED] eliminate Cipher Suites sorted by strength; 40
Networking & Security
Joseph_sys
Advocate
Joined: 08 Jun 2004
Location: Edmonton, AB

PostPosted: Mon Apr 28, 2014 5:18 pm    Post subject: [SOLVED] eliminate Cipher Suites sorted by strength; 40

From
https://www.ssllabs.com/ssltest/analyze.html?d=sysconcept.ca
I'm getting:
Code:
Cipher Suites (sorted by strength; the server has no preference)
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3)   WEAK      40
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6)   WEAK      40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8)   WEAK      40
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14)   DH 512 bits (p: 64, g: 1, Ys: 64)   FS   WEAK      40
TLS_RSA_WITH_DES_CBC_SHA (0x9)   WEAK      56
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK      56


So I'm getting a "C" mark.
How do I eliminate 40-bit key support?

And how to fix:
Quote:
The server does not support Forward Secrecy with the reference browsers

_________________
#Thelma


Last edited by Joseph_sys on Sun Jun 22, 2014 3:33 am; edited 1 time in total
Duncan Mac Leod
Apprentice
Joined: 02 May 2004
Location: Germany

PostPosted: Sat Jun 21, 2014 8:24 pm    Post subject: Re: eliminate Cipher Suites sorted by strength; 40

Joseph_sys wrote:
From
https://www.ssllabs.com/ssltest/analyze.html?d=sysconcept.ca
I'm getting:
Code:
Cipher Suites (sorted by strength; the server has no preference)
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3)   WEAK      40
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6)   WEAK      40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8)   WEAK      40
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14)   DH 512 bits (p: 64, g: 1, Ys: 64)   FS   WEAK      40
TLS_RSA_WITH_DES_CBC_SHA (0x9)   WEAK      56
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK      56


So I'm getting a "C" mark.
How do I eliminate 40-bit key support?

And how to fix:
Quote:
The server does not support Forward Secrecy with the reference browsers


To get an A+ rating on this site 8), look at my posting: https://forums.gentoo.org/viewtopic-t-990050.html
Joseph_sys
Advocate
Joined: 08 Jun 2004
Location: Edmonton, AB

PostPosted: Sat Jun 21, 2014 10:31 pm    Post subject: Re: eliminate Cipher Suites sorted by strength; 40

Duncan Mac Leod wrote:
To get an A+ rating on this site 8), look at my posting: https://forums.gentoo.org/viewtopic-t-990050.html


Thanks, where do I insert the code below:
Code:
SSLProtocol all -SSLv2 -SSLv3

SSLCompression Off

SSLHonorCipherOrder On

SSLCipherSuite "EECDH+AESGCM EDH+AESGCM EECDH -RC4 EDH -CAMELLIA -SEED !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"


Now I'm getting an "F" mark :-/
This server supports anonymous (insecure) suites (see below for details). Grade set to F.
Code:
TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016)   INSECURE      128
TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)   INSECURE      128
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)   INSECURE         112   
TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)   INSECURE      256

_________________
#Thelma
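Both SSL Labs listings in this thread (the EXPORT/DES suites and the ECDH_anon suites) come down to exclusion tokens missing from the OpenSSL cipher string. As an added example, not code from any poster, the Python below parses lines in the SSL Labs "Cipher Suites" format and reports which "!" tokens a given SSLCipherSuite value still lacks; the sample lines are constructed from the ones quoted above.

```python
import re
# Constructed sample lines in the SSL Labs "Cipher Suites" format quoted in this thread
SAMPLE = """\
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3)   WEAK      40
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14)   DH 512 bits (p: 64, g: 1, Ys: 64)   FS   WEAK      40
TLS_RSA_WITH_DES_CBC_SHA (0x9)   WEAK      56
TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)   INSECURE      128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH 256 bits   FS      128
"""

LINE_RE = re.compile(r"^(?P<name>TLS_\S+)\s+\((?P<id>0x[0-9a-fA-F]+)\).*?\s+(?P<bits>\d+)\s*$")

# (predicate on suite name and key bits, OpenSSL cipher-string token that removes it)
RULES = [
    (lambda n, b: "_anon_" in n, "!aNULL"),    # anonymous key exchange: no server authentication
    (lambda n, b: "_EXPORT_" in n, "!EXP"),    # export-grade 40-bit suites
    (lambda n, b: b < 112, "!LOW"),            # DES and other short symmetric keys
    (lambda n, b: "_RC4_" in n, "!RC4"),
    (lambda n, b: n.endswith("_MD5"), "!MD5"),
]
ALIASES = {"!EXPORT": "!EXP"}  # OpenSSL accepts both spellings; fold to one

def parse_line(line):
    """(suite name, key bits) for one SSL Labs line, or None if the line is not a suite."""
    m = LINE_RE.match(line)
    return (m.group("name"), int(m.group("bits"))) if m else None

def audit(report):
    """[(name, bits, [tokens])] for every suite that trips a rule; clean suites are omitted."""
    flagged = []
    for line in report.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        name, bits = parsed
        tokens = [tok for pred, tok in RULES if pred(name, bits)]
        if tokens:
            flagged.append((name, bits, tokens))
    return flagged

def needed_exclusions(report):
    """Sorted set of '!' tokens that together drop every flagged suite."""
    return sorted({tok for _, _, toks in audit(report) for tok in toks})

def missing_from(cipher_string, report):
    """Needed '!' tokens absent from an SSLCipherSuite value.
    '!ADH' is not enough for the ECDH_anon suites: only '!aNULL' covers both anon families."""
    present = {ALIASES.get(t, t) for t in re.split(r"[:, ]+", cipher_string.strip())}
    return [t for t in needed_exclusions(report) if t not in present]
```

Run missing_from() with the old "ALL:!ADH:..." string from this thread and it reports !MD5, !RC4 and !aNULL as absent; with the final colon-separated string it reports nothing.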
Duncan Mac Leod
Apprentice
Joined: 02 May 2004
Location: Germany

PostPosted: Sat Jun 21, 2014 10:43 pm    Post subject: Re: eliminate Cipher Suites sorted by strength; 40

Insert my config lines in: /etc/apache2/vhosts.d/00_default_ssl_vhost.conf

I am running apache-2.2.27 and got an A+ rating. Don't know what your configs look like... - sorry!

Check your config for duplicate lines like 'SSLCipherSuite'!!
Joseph_sys
Advocate
Joined: 08 Jun 2004
Location: Edmonton, AB

PostPosted: Sun Jun 22, 2014 1:07 am    Post subject: Re: eliminate Cipher Suites sorted by strength; 40

Duncan Mac Leod wrote:
Insert my config lines in: /etc/apache2/vhosts.d/00_default_ssl_vhost.conf

I am running apache-2.2.27 and got an A+ rating. Don't know what your configs look like... - sorry!

Check your config for duplicate lines like 'SSLCipherSuite'!!


I was getting "A-" from SSL Labs:
https://www.ssllabs.com/ssltest/analyze.html?d=sysconcept.ca
with this config before upgrading apache two months ago:
Code:
SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.2
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT


Now with apache-2.2.27 I get "C" because of weak Cipher Strength inclusion:
Code:
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3)   WEAK      40
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6)   WEAK      40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8)   WEAK      40
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14)   DH 512 bits (p: 64, g: 1, Ys: 64)   FS   WEAK      40
TLS_RSA_WITH_DES_CBC_SHA (0x9)   WEAK      56
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK      56


How do I eliminate it? I've tried your setting, and it doesn't help:
Code:
SSLProtocol all -SSLv2 -SSLv3
SSLCompression Off
SSLCipherSuite "EECDH+AESGCM EDH+AESGCM EECDH -RC4 EDH -CAMELLIA -SEED !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

_________________
#Thelma
Joseph_sys
Advocate
Joined: 08 Jun 2004
Location: Edmonton, AB

PostPosted: Sun Jun 22, 2014 3:32 am

I got an "A" grade :-)
with this in httpd.conf:
Code:
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM:EECDH:-RC4:EDH:-CAMELLIA:-SEED:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4"


Code:
Certificate  100
Protocol Support 95
Key Exchange 80
Cipher Strength 90

_________________
#Thelma
Joseph_sys
Advocate
Joined: 08 Jun 2004
Location: Edmonton, AB

PostPosted: Sun Jun 22, 2014 4:43 am

I got an "A" but I'm still getting some errors from SSL Labs:
Code:
Handshake Simulation
IE 6 / XP   No FS 1     No SNI 2      Protocol or cipher suite mismatch    Fail3
IE 8 / XP   No FS 1     No SNI 2      Protocol or cipher suite mismatch    Fail3
(3) Only first connection attempt simulated. Browsers tend to retry with a lower protocol version

_________________
#Thelma
freke
Guru
Joined: 23 Jan 2003
Location: Somewhere in Denmark

PostPosted: Sun Jun 22, 2014 6:38 am

I get A+ with:
Code:
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS

Gives me:
Code:
Protocol Support 95
Key Exchange 100
Cipher Strength 90


It fails handshake simulation for IE6/XP and Java6u45 - not clients I'm interested in serving anyway ;)

Apache 2.4.9-r3 + OpenSSL 1.0.1h-r1 both from portage
Joseph_sys
Advocate
Joined: 08 Jun 2004
Location: Edmonton, AB

PostPosted: Sun Jun 22, 2014 4:28 pm

freke wrote:
I get A+ with:
Code:
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS

Gives me:
Code:
Protocol Support 95
Key Exchange 100
Cipher Strength 90


It fails handshake simulation for IE6/XP and Java6u45 - not clients I'm interested in serving anyway ;)

Apache 2.4.9-r3 + OpenSSL 1.0.1h-r1 both from portage


Which file do you keep these settings in?
When I put them in 00_default_ssl_vhost.conf I get a "C" rating, which means something is not getting activated.
So I put them in "httpd.conf" and I get "A+" as well.

How do you get key exchange 100? With your setting I only get key exchange 80
Quote:
Certificate 100
Protocol Support 95
Key Exchange 80
Cipher Strength 90


In addition, you forgot to mention that in order to get "A+" one needs to have in vhosts.conf
under:
Code:
NameVirtualHost *:443
...
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
...

_________________
#Thelma
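Two observations in this thread point the same way: the advice to check for duplicate SSLCipherSuite lines, and the finding that the same directives grade "C" in 00_default_ssl_vhost.conf but "A+" in httpd.conf. As an added example (not any poster's code), this Python scanner walks constructed Apache config fragments, tracks server versus VirtualHost context, lists duplicate directives, and reports which occurrence is effective for a named vhost, using the mod_ssl merge rule that a vhost-level setting overrides the server-level one and the last occurrence within one context wins.

```python
import re
# Constructed Apache config fragments (not the posters' files) reproducing this thread's
# situation: the same SSL directive in the server context and inside a vhost.
FILES = {
    "httpd.conf": """\
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:!aNULL:!eNULL:!LOW:!MD5:!EXP:!RC4
""",
    "vhosts.d/00_default_ssl_vhost.conf": """\
<VirtualHost _default_:443>
 SSLEngine on
 SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
 SSLHonorCipherOrder on
</VirtualHost>
""",
}
WATCH = {"SSLProtocol", "SSLCipherSuite", "SSLHonorCipherOrder", "SSLCompression"}

def scan(files):
    """{directive: [(file, line, context, value), ...]} for every watched directive,
    visited in the order the files are given (i.e. the Include order)."""
    found = {}
    for fname, text in files.items():
        context = "server"
        for no, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
            if m:
                context = "vhost " + m.group(1)
                continue
            if line.lower() == "</virtualhost>":
                context = "server"
                continue
            parts = line.split(None, 1)
            if parts and parts[0] in WATCH:
                found.setdefault(parts[0], []).append((fname, no, context, parts[1] if len(parts) > 1 else ""))
    return found

def effective(files, vhost):
    """Winning occurrence per directive for one vhost (vhost overrides server; last one wins)."""
    result = {}
    for directive, occ in scan(files).items():
        candidates = ([o for o in occ if o[2] == "vhost " + vhost]
                      or [o for o in occ if o[2] == "server"])
        if candidates:
            result[directive] = candidates[-1]
    return result

def duplicates(files):
    """Directives that appear more than once anywhere: the duplicate-line check from this thread."""
    return {d: occ for d, occ in scan(files).items() if len(occ) > 1}
```

With these fragments, effective(FILES, "_default_:443") shows the weaker vhost-level SSLCipherSuite winning over the one in httpd.conf, while a vhost that lacks its own SSLCipherSuite inherits the httpd.conf value.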
Duncan Mac Leod
Apprentice
Joined: 02 May 2004
Location: Germany

PostPosted: Sun Jun 22, 2014 4:40 pm

AFAIK you cannot get A+ on https://www.ssllabs.com/ssltest/index.html with all 4 (Certificate, Protocol Support, Key Exchange and Cipher Strength) set to 100% ...
freke
Guru
Joined: 23 Jan 2003
Location: Somewhere in Denmark

PostPosted: Mon Jun 23, 2014 4:47 am

I only remember modifying 00_default_ssl_vhost.conf:
Code:
Listen 443
SSLStaplingCache shmcb:/var/log/apache/ssl_gcache_data(512000)
..
<VirtualHost _default_:443>
..
 Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
 SSLEngine on
 SSLProtocol ALL -SSLv2 -SSLv3
 SSLHonorCipherOrder on
 SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
 SSLUseStapling on
 SSLCompression off
..
</VirtualHost>


On further investigation of my system I see that SSLCompression is off by default (in /etc/apache/modules.d/40_mod_ssl.conf)
Ant P.
Watchman
Joined: 18 Apr 2009

PostPosted: Fri Jun 27, 2014 4:48 am

Just to add my 2¢:

On servers where I don't care about winxp, I use "TLSv1.2+HIGH+kEECDH:TLSv1.2+HIGH+kEDH:!AES128:!aNULL:!eNULL" along with disabling SSLv2/3, which is kind of overkill but (hopefully) very safe. It gets me a theoretical A rating on that test (would be A+ except I'd need to screw with DH params and I don't know what I'm doing there).

For places where I need a bit more compatibility (specifically because some lameness in the TLS stack on my android phone prevents me accessing my own IM account) I use "TLSv1.2+HIGH+kEECDH:TLSv1.2+HIGH+kEDH:TLSv1+HIGH:!AES128:!3DES:!CAMELLIA:!aNULL"