4

I have this configuration

SSLCipherSuite AES128+EECDH:AES128+EDH
SSLProtocol All -SSLv2 -SSLv3

for Apache 2.4.6, OpenSLL 1.0.2a

and on SSLLab's SSLtest I get A,

it suggests (warns) that I have following ciphers enabled:

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK       128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK       128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK      128

How can I disable them?

I tried 

SSLCipherSuite AES128+EECDH:AES128+EDH:!TLS_DHE_RSA_WITH_AES_128_CBC_SHA:!TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:!TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

but this doesn't seem to stop supporting these ciphers, I am sure it is misconfigured, could anyone suggest about how to disable them?

Vilican
  • 129
  • 1
  • 21
user3833308
  • 141
  • 1
  • 2
  • Don't disable them. The ephemeral suites (DHE) provide perfect forward secrecy, and its a very desirable security property. GCM is a TLS 1.2 suite and it properly combines Encryption and Authentication (using Encrypt-then-Authenticate) so its almost laughable it is recommended for removal. (SSL/TLS has been doing the wrong thing for years, and POODLE was no surprise. It was fore-warned almost 15 years earlier, but the TLS Working Group decided not to act). Very related: [Trust Extortion on the Internet](http://folk.uio.no/josang/papers/Jos2011-STM.pdf). –  Apr 18 '15 at 21:57

3 Answers3

2

OpenSSL uses its own names for ciphers not the standard-defined TLS_this_with_that names, although they contain equivalent info. Those three TLS_DHE_RSA ciphers are enabled by the AES128+EDH term in your SSLCipherSuite, which also enables three corresponding TLS_DHE_DSS ciphers but ssllabs doesn't see those because your server doesn't have a DSS (aka DSA) key and certificate, presumably because you got your cert from a public CA and AFAICT no public CA issues DSS certs.

So you can just remove the AES128+EDH term.

Or you can make the DHE_RSA ciphers strong enough to please ssllabs by using a larger (2048-bit) DH group. Newer versions of Apache make this easier, and are probably better in general, but if you must stay on 2.4.6 the same fellow who does the ssllabs/Qualys test has some advice at http://blog.ivanristic.com/2013/08/increasing-dhe-strength-on-apache.html .

EDIT for comment information that EECDH+AES128 (i.e. ECDHE) doesn't allow connect at all:

It appears your httpd does not support ECDHE, which 2.4 should. Ristic says in Aug 2013 it was added to 2.3.3 https://community.qualys.com/thread/11796 and https://serverfault.com/a/569677/216633 says it is supported in 2.4 but not 2.2 (apparently it was backported later to 2.2.26). http://httpd.apache.org/docs/current/mod/mod_ssl.html describes improvements to both DH(E) and ECDH(E) parameters in 2.4.7, which strongly suggests that at least basic parameters were there before.

Are you possibly using a RedHat build? I know RedHat removed (all) elliptic-curve crypto from OpenSSL and GnuPG until late 2013 (which was before OpenSSL 1.0.2a) and I can imagine (but don't know) they may have also changed mod_ssl to omit the ECDH(E) parameters i.e. curve.

Community
  • 1
dave_thompson_085
  • 3,262
  • 1
  • 16
  • 16
  • Thank you, `AES128+EDH` removing this doesn't work, most of the browsers stops supporting the effective configuration after removing this, is there a way to allow this but take out TLS_DHE_RSA* from it ? – user3833308 Mar 24 '15 at 18:09
  • As I said AES128+EDH in OpenSSLese *is* that subset of TLS_DHE_RSA_* ciphers in standardese (plus the DSS equivalents which you can't use). I assumed that the AES128+EECDH term successfully enabled some **(should be three) TLS_ECDHE_RSA_** ciphers, but you didn't actually say the ssllabs report showed any such; did it? If so, reasonably recent browsers should work. – dave_thompson_085 Mar 25 '15 at 06:48
  • Thanks, with just `AES128+EECDH` ssllabs couldn't connect to app as well as the latest google chrome, httpd was running – user3833308 Mar 25 '15 at 17:18
  • @user3833308 see edit, too large for comment – dave_thompson_085 Mar 26 '15 at 05:48
2

I'm sure this won't get you all the way across the finish line, but without this I don't think you'll get an A+:

SSLHonorCipherOrder on

This keeps the browser's cipher order preferences from overriding what you've configured.

Justin Alan Ryan
  • 51
  • 3
0

It does not work beacuse you enter invalid ciphers. For example, this is incorrect, on line below it is correct:

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

DHE-RSA-AES128-SHA

If you just want to get this work done, you can copy this:

SSLCipherSuite "ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:DHE-RSA-AES128-CBC-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:DHE-DSS-3DES-EDE-CBC-SHA:AES128-SHA:DES-CBC3-SHA:!CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
SSLHonorCipherOrder on

One more thing: if you disable this ciphers, you will not have forwad secrecy with all browsers. If you want to have full forward secrecy, I recommend updating Apache to 2.4.8 and using this:

openssl dhparam -out dhparams.pem 2048

Then add this to Apache:

SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"

You can find more information on this web: https://weakdh.org/sysadmin.html

By the way, A+ is awarded to sites with HSTS and tls_fallback_scsv.

Community
  • 1
Vilican
  • 129
  • 1
  • 21