
2014-10-09 12:41:47

OpenSSL cipher suite for forward secrecy

As already written in the blog entry "Script to test supported ssl ciphers", a lot has happened since the NSA surveillance scandal began in 2013. Many articles have been written since then about cryptography, forward secrecy, OpenSSL and securing servers (e.g. web and mail servers). This is my approach and recommendation for a well-balanced OpenSSL cipher suite as of October 2014.

I've run many tests on different OSes (RHEL / CentOS 5 to 7, macOS and more) and with the online server check of Qualys SSL Labs (thank you for this tool, guys!). This is the list of my criteria (with brief explanations):

  • use an ordered list with a custom order that follows all of the criteria below (the server must also be configured to honor its own order, otherwise the client's preference decides)
  • use only ephemeral key exchange (ECDHE, DHE) to provide forward secrecy
  • disable weak ciphers and ciphers known to be vulnerable
  • prefer AEAD ciphers (GCM) to avoid the attacks on CBC mode such as Lucky 13
  • prefer AES128 over AES256 due to possible timing attacks and for compatibility
  • prefer elliptic curve key exchange (ECDHE) for better performance
  • don't allow anonymous ciphers like ADH (no authentication of the server, so trivially man-in-the-middle-able)
  • remaining, not preferred ciphers are appended after the preferred ones (ALL minus the exclusions)

For better readability I broke my list up into lines; here it is:

$ echo '
> ECDHE-ECDSA-AES128-GCM-SHA256
> ECDHE-ECDSA-AES256-GCM-SHA384
> ECDHE-RSA-AES128-GCM-SHA256
> ECDHE-RSA-AES256-GCM-SHA384
> DHE-RSA-AES128-GCM-SHA256
> DHE-RSA-AES256-GCM-SHA384
> ECDHE-ECDSA-AES128-SHA256
> ECDHE-ECDSA-AES256-SHA384
> ECDHE-RSA-AES128-SHA256
> ECDHE-RSA-AES256-SHA384
> DHE-RSA-AES128-SHA256
> DHE-RSA-AES256-SHA256
> ECDHE-ECDSA-AES128-SHA
> ECDHE-RSA-AES128-SHA
> ECDHE-ECDSA-AES256-SHA
> ECDHE-RSA-AES256-SHA
> DHE-RSA-AES128-SHA
> DHE-RSA-AES256-SHA
> ALL
> !aNULL
> !ADH
> !3DES
> !EXP
> !RC4
> !kRSA
> !kKRB5
> !aDSS
> !DES
> !aPSK
> !kECDH
> '|tr \\n ':'|xargs openssl ciphers -v
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH ...
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH ...
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH ...
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH ...
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH ...
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH ...
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH ...
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH ...
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH ...
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH ...
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH ...
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH ...
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH ...
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH ...
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH ...
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH ...
DHE-RSA-AES128-SHA      SSLv3 Kx=DH ...
DHE-RSA-AES256-SHA      SSLv3 Kx=DH ...
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH ...
DHE-RSA-SEED-SHA        SSLv3 Kx=DH ...
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH ...

Because GCM ciphers are preferred and AES128 is preferred over AES256, "IE 11 / Win 8.1" negotiates a GCM cipher, as shown by the SSL Labs tool: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256. With the widely used recommendation by Ristic, as explained by Heise et al., you get "only" TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, a CBC suite that is in principle vulnerable to the Lucky 13 attack (which is, in fact, very unlikely to be exploited in practice). Keep in mind that the DHE suites are only as strong as the DH parameters the server is configured with.

This cipher suite can be used on systems with OpenSSL 0.9.8 (e.g. RHEL / CentOS 5) as well as on systems with newer OpenSSL versions (e.g. RHEL / CentOS 6 and 7): OpenSSL silently ignores cipher names it does not know, so on older versions the unsupported ECDHE and GCM entries simply drop out and the order of the remaining ones is preserved. Check the resolved list on each host with "openssl ciphers -v" as shown above. To include it in your ssl.conf just insert ssl.conf.txt. Apache only applies this server-side order when SSLHonorCipherOrder is set to on; otherwise the client's preference decides.
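The following script is an added example and not part of the original post. It builds the cipher string from the criteria above and checks "openssl ciphers -v" output against them: only ECDH/DH key exchange, no anonymous or weak ciphers, and the preferred suites first and in the given order. The sample lines it checks are constructed for the example, not captured from a real host; the names build_cipher_string, check_cipher_list, SAMPLE_OK and SAMPLE_BAD are my own.

```sh
#!/bin/sh
# Added example, not from the original post: build the cipher string from the
# criteria above and check what the local OpenSSL resolves it to.
# Only POSIX sh, awk and (optionally) the openssl binary are used.

# Preferred suites, in the order argued for above: ECDHE before DHE,
# GCM before CBC/SHA-2 before CBC/SHA-1, AES128 before AES256.
PREFERRED='
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256   ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256     DHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-SHA256     ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256       ECDHE-RSA-AES256-SHA384
DHE-RSA-AES128-SHA256         DHE-RSA-AES256-SHA256
ECDHE-ECDSA-AES128-SHA        ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES256-SHA        ECDHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA            DHE-RSA-AES256-SHA
'
# Everything else is appended via ALL, minus these exclusions (as in the post).
EXCLUDED='aNULL ADH 3DES EXP RC4 kRSA kKRB5 aDSS DES aPSK kECDH'

# Print the colon-separated cipher string (for SSLCipherSuite or openssl ciphers).
build_cipher_string() {
    out=''
    for s in $PREFERRED ALL; do
        out="${out}${out:+:}${s}"
    done
    for s in $EXCLUDED; do
        out="${out}:!${s}"
    done
    printf '%s\n' "$out"
}

# Read `openssl ciphers -v` output on stdin, print every violation of the
# criteria and return 1 if there was any. TLSv1.3 lines (OpenSSL 1.1.1+) are
# skipped: those suites are always ephemeral and not governed by this list.
check_cipher_list() {
    awk -v pref="$PREFERRED" '
    BEGIN { n = split(pref, p, " "); for (i = 1; i <= n; i++) rank[p[i]] = i }
    $2 == "TLSv1.3" { next }
    {
        name = $1
        # columns 3.. are Kx=..., Au=..., Enc=..., Mac=...
        for (i = 3; i <= NF; i++) { split($i, kv, "="); f[kv[1]] = kv[2] }
        if (f["Kx"] != "ECDH" && f["Kx"] != "DH") fail("no forward secrecy", name)
        if (f["Au"] == "None")                    fail("anonymous key exchange", name)
        if (f["Enc"] == "None" || name ~ /RC4|DES-CBC|EXP/) fail("weak or null cipher", name)
        if (name in rank) {
            if (tail)                  fail("preferred suite ranked after a non-preferred one", name)
            else if (rank[name] < pos) fail("preferred suite out of order", name)
            else                       pos = rank[name]
        } else {
            tail = 1   # first non-preferred suite seen; only ALL leftovers may follow
        }
    }
    function fail(why, s) { bad++; print why ": " s }
    END { if (bad) exit 1 }'
}

# Constructed sample lines in the format of `openssl ciphers -v` (not captured
# from any real host): the first follows the criteria, the second breaks them.
SAMPLE_OK='ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1'
SAMPLE_BAD='AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD'

printf '%s\n' "$SAMPLE_OK"  | check_cipher_list && echo "SAMPLE_OK: no violations"
printf '%s\n' "$SAMPLE_BAD" | check_cipher_list || echo "SAMPLE_BAD: rejected"

# Check the real thing when an openssl binary is available.
if command -v openssl >/dev/null 2>&1; then
    if openssl ciphers -v "$(build_cipher_string)" | check_cipher_list; then
        echo "local OpenSSL: list resolves to a compliant order"
    else
        echo "local OpenSSL: see violations above"
    fi
fi
```

Run it on every target host: OpenSSL drops unknown names silently, so what matters is the resolved order the local library produces, and that is what the check reads. On newer OpenSSL builds the check will also flag any suite that ALL leaves in whose key exchange is neither ECDH nor DH (for example the SRP suites, which the string above does not exclude); extend EXCLUDED with the matching keyword if that shows up.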

German summary (translated): The cipher suite shown above was derived from the following criteria:

  • list sorted according to these criteria
  • only "ephemeral" ciphers for PFS (Perfect Forward Secrecy)
  • no weak / vulnerable ciphers
  • prefer ciphers with GCM (Galois / Counter Mode)
  • prefer AES128 over AES256 because of possible timing attacks and for compatibility
  • prefer ciphers with elliptic curves (EC) for performance
  • no anonymous ciphers like ADH
  • remaining and not preferred ciphers are appended to the end of the list

With this list (inserted into the Apache ssl.conf), in contrast to Ristic's recommendation (see Heise), a GCM cipher is also possible with "IE 11 / Win 8.1".


Posted by Frank W. Bergmann | Permanent link | File under: ssl, encryption, openssl, http, apache