2

I have a site https://warsoftheheroes.eu/ which is hosted using Apache with SSL with Let's Encrypt certyficate. In Chrome/Chromium browser in developer tools -> security I see this message:

Obsolete Connection Settings

The connection to this site uses a strong protocol (TLS 1.2), an obsolete key exchange (RSA), and a strong cipher (AES_128_GCM).

and here is my Apache SSL configuration:

<IfDefine SSL>
<IfDefine SSL_DEFAULT_VHOST>
<IfModule ssl_module>
Listen 443

<VirtualHost _default_:443>
    ServerName localhost
    Include /etc/apache2/vhosts.d/default_vhost.include
    ErrorLog /var/log/apache2/ssl_error_log
    <IfModule log_config_module>
            TransferLog /var/log/apache2/ssl_access_log
    </IfModule>
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
    SSLHonorCipherOrder On
    SSLCertificateFile /home/wof/ssl/fullchain1.pem
    SSLCertificateKeyFile /home/wof/ssl/privkey1.pem
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/var/www/localhost/cgi-bin">
            SSLOptions +StdEnvVars
    </Directory>
    <IfModule setenvif_module>
            BrowserMatch ".*MSIE.*" \
                    nokeepalive ssl-unclean-shutdown \
                    downgrade-1.0 force-response-1.0
    </IfModule>
    <IfModule log_config_module>
            CustomLog /var/log/apache2/ssl_request_log \
                    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </IfModule>
</VirtualHost>
</IfModule>
</IfDefine>
</IfDefine>

# vim: ts=4 filetype=apache

What should I change in this config file to get rid of this obsolete key exchange?

Bartosz Krzeszewski
  • 167
  • 2
  • 12
  • Your server does not appear to be selecting ECDHE based ciphersuites. What version of apache and openssl are you using? – Matt Caswell May 10 '17 at 15:33
  • 1
    Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306) – jww May 11 '17 at 02:20
  • 1
    When I was searching via google for some place to ask my question (apache, stackexchange) most of results pointed to stackoverflow. I was surprised but I went after majority. – Bartosz Krzeszewski May 11 '17 at 10:46
  • @Bartosz - Yeah, Stack Overflow is a dumping ground. Don't judge on-topic-ness by what you see from the past. – jww May 11 '17 at 14:31
  • Also see [New in Chrome 58](https://developers.google.com/web/updates/2017/04/nic58). Usually you can clear most of the report card problems with `SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2` and `SSLCipherSuite "HIGH:!aNULL:!kRSA:!MD5:!RC4"`. Also see [Disabled RC4 and Qualys still says I have it enabled](https://superuser.com/q/1160862/173513) on Super User. – jww May 11 '17 at 23:34

2 Answers2

2

According to the SSLLabs test your site does not support any ECDHE ciphers, even if it looks like that you have configured these ciphers in your server configuration. Since TLS 1.2 support (which you have) and ECDHE support (which you don't have) got both added within OpenSSL 1.0.1 my guess is that you have a version of OpenSSL which is compiled without support for ECC (and thus ECDHE).

As far as I know older versions of RHEL (and thus CentOS too) and Fedora got shipped with ECC support removed for patent reasons so you might check if you are using one of the affected systems. The output of openssl ciphers -V gives you which ciphers are supported and you should check if ECDHE is supported there.

Steffen Ullrich
  • 114,247
  • 10
  • 131
  • 172
1

Sorry for my mistake earlier. Mixed some things up.

This is how to see what ciphers are supported on a server and in what order they are preferred:

nmap --script ssl-enum-ciphers -p 443 warsoftheheroes.eu

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-10 17:23 CEST
Nmap scan report for warsoftheheroes.eu (81.163.204.80)
Host is up (0.051s latency).
rDNS record for 81.163.204.80: pppoe-static-a-80.interblock.pl
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.1: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.2: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

As you can see, the third option for TLSv1.2 is TLS_RSA_WITH_AES_128_GCM_SHA256 which is part of 'AES128' that you have enabled in your configuration.

Steffen Ullrich is probably right about the missing ECDHE support, which is probably why the cipher with RSA Key Exchange is at third position. I think the ECDHE ciphers would be preferred if they were supported.

kas
  • 11
  • 4
  • 2
    *"So in your case RSA is preferred as key exchange method."* - this is wrong. The first entries like `ECDHE-RSA-AES128-GCM-SHA256` use RSA for authentication but ECDHE for key exchange. See `openssl ciphers -V` which shows you the authentication (Au=...) and the key exchange (Kx=...). – Steffen Ullrich May 10 '17 at 15:16
  • Yes, I removed all RSA entries from SSLCipherSuite and nothing changed, message is still there – Bartosz Krzeszewski May 10 '17 at 15:19