
The Art and Science of SSL Configuration

OWASP APAC 2014
Tokyo Japan

Nick Galbreath

March 19, 2014

Transcript

  1. Context!
    • This talk is for web-application security for commerce.
    • If you are hosting content that makes governments or police angry, you are at the wrong talk.
  2. Context!
    • I will use examples for Apache / OpenSSL
    • However this all applies to nginx / OpenSSL
    • And very likely applies to GnuTLS users
    • Sorry, I'm not familiar with Java and SSL
  3. What's the Goal for Today?
    • Allow you to understand what you are doing right now.
    • How to change your SSL settings safely
    • How to get a minimal understanding of cipher suite selection
    • How to monitor your site, so SSL surprises don't happen.
  4. For More Details
    • Ivan Ristic is The SSL Expert.
    • https://www.ssllabs.com/
    • http://blog.ivanristic.com/
    • And buy his new book! https://www.feistyduck.com/

  5. SSL Configuration
    • Essential part of your system's security
    • It should be standardised, and should be boring
    • But, yet, it's really confusing!
  6. The Art
    • Only you know your system
    • Only you know your audience and customers
    • Only you know your threats
    • There are many ways to be 'secure'
  7. #1 Most Important Thing
    • Update your OS to the latest patch level
    • If you are using Apache 1.3 - stop, and just focus on getting up to date with Apache 2.2 or 2.4 (same with nginx users - get up to date)
    • This will update your OpenSSL library, fixing numerous problems
  8. Unless you are an Expert..
    • I do not recommend building your own Apache or OpenSSL
    • Too many things can go wrong.
    • Using the latest patch from your OS provider is likely better than what you can do.
  9. Just Doing An Update
    • Should not cause any performance problems.
    • It's possible, but highly unlikely, that CPU load goes up because new ciphers are being selected. If this happens, then add:
      • SSLHonorCipherOrder on
      • SSLCipherSuite AES-128:your-previous-values
  10. Add to Log File Apache
    • Add to your existing log or create a new one
    • Apache: Add the following to your CustomLog in
    • %{SSL_PROTOCOL}x %{SSL_CIPHER}x
    • http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
  11. Add HTTP Headers
    • This allows your application to log or decide.
    • Apache: use mod_headers
      RequestHeader set X-SSL-Protocol "%{SSL_PROTOCOL}s"
      RequestHeader set X-SSL-Cipher "%{SSL_CIPHER}s"
    • NGINX:
      proxy_set_header X-SSL-Protocol $ssl_protocol;
      proxy_set_header X-SSL-Cipher $ssl_cipher;
  12. Analyse Protocol Usage
    • What percentage is using
      • SSL v2? - hopefully 0
      • SSL v3? - hopefully under 1%, but look at who is using it. I'm seeing Yandex use it for their bots.
      • TLS v1.0, 1.1, 1.2? Each is hopefully not 0
  13. Analyse Cipher Suites
    • After a day you'll have enough data
    • Analyse cipher suite usage; in particular look for old ones such as
      • Anything with 'RC4'
      • Anything with 'DES'
      • Hopefully nothing with MD2, MD4
  14. OpenSSL Cipher Suite Macros
    • It's likely your current configuration uses OpenSSL cipher suite macros.
    • Allows you to configure the set of cipher suites using set operations (union/intersection, add/subtract, whitelist/blacklist)
    • Allows for a very compact representation of what ciphers you allow.
    • Or do they?
  15. Do Not Use Them
    • They are hard to read
    • They hide your intentions
    • OpenSSL has made subtle changes in how they work from release to release.
    • Operating systems sometimes remove suites.
    • They are incomplete and/or undocumented.
    • Probably don't do what you think they do.
  16. Be Explicit
    • If there were thousands of cipher suites, it might make sense. There are not.
    • Whitelist the ciphers you want.
    • If it's not on the list, it isn't used.
    • Makes clear which cipher suites you are using, and in what order.
  17. Example
      SSLProtocol ALL -SSLv2
      SSLHonorCipherOrder On
      SSLCipherSuite ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH
    • Expands to over 70 cipher suites.
    • Many aren't usable for public websites
    • Breaks old Windows XP compatibility
    • Some have serious performance implications
    • The most preferred cipher is ECDHE-RSA-AES256-GCM-SHA384 - ouch
  18. Convert to Explicit List
    • DO THIS ON A PRODUCTION MACHINE. Results will be different depending on what version of OpenSSL is installed and your OS version
    • openssl ciphers "ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH"
    • 70 on my Ubuntu box.
    • 9 on my Mac laptop
    • (use 'openssl ciphers -v' to get more information)
  19. Delete everything not used
    • Delete everything that is not being used, based on your site analysis.
    • This is the CipherSuite you are really using.
    • It probably contains under 10 entries.
    • Maybe as low as 1 or 2!
      DES-CBC3-SHA:AES128-SHA
  20. Protocols
    • SSL v2 - Broken. Do not use.
    • SSL v3 - Almost secure... might be ok to eliminate
    • TLS 1.0 - "ok"
    • TLS 1.1 - No known practical attacks
    • TLS 1.2 - Best available; includes new ciphers
  21. AES is The Cipher
    • You can have a 'secure' website with exactly one cipher.
    • AES128-SHA
    • Just this will get you an "A" on SSLLabs (with other settings being correct)
    • It is the de facto public web standard.
    • Hardware accelerated in recent Intel CPUs
  22. AES128 vs. AES256 bit keys
    • First, to my knowledge, there is no client that forces 256-bit keys and does not use 128-bit keys.
    • There is no evidence that AES256 is 'more secure' in practical terms than AES128.
    • 256 definitely is slower.
  23. RC4 (aka Arc4)
    • Likely broken.
    • RC4-MD5 may still be used in old cell phones.
    • Only your usage analysis can tell you if you should use it.
    • A replacement is coming but it's not ready yet (ChaCha stream cipher)
  24. DES
    • 1970s technology.
    • Yeah, sadly, some Windows XP installations do not support AES, cannot support RC4, and so can only use DES!
  25. Asymmetric Ciphers
    • RSA - The standard. If the key is compromised, an eavesdropper can decode all traffic and any traffic previously captured.
    • ECDHE - Works in a completely different way. The 'E' at the end is important. It means every connection gets a different key. Key compromise means old communication remains safe.
  26. Compression!
    • Compression is normally a good thing
    • Not in SSL
    • SSLCompression off (this is the default)
  27. Add TLS v1.2 Enhancements
    ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DES-CBC3-SHA RC4-SHA
    • These protect against surprises.
  28. Recommend: Add Perfect Forward Secrecy
    ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DES-CBC3-SHA RC4-SHA
    • Recommended but not required. Needs an up-to-date OS and version of OpenSSL
  29. Add 256-bit variations
    ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DES-CBC3-SHA RC4-SHA
    • Monitor to see who and how often 256-bit ciphers are actually used
  30. Add Legacy
    ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DES-CBC3-SHA RC4-SHA
    • And add other (secure) ciphers you found in your analysis
  31. Bonus: Legacy PFS
    ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DES-CBC3-SHA RC4-SHA
    • Very Very Optional: please analyse your traffic to see if this is worthwhile
  32. First Check Your Configuration With SSLLabs
    • It is always the most up-to-date resource
    • Fix any obvious problems (hopefully none)
    • Getting an A or A- should be easy
  33. OpenSSL Allows Silent Failure
    • OpenSSL allows spelling errors in Cipher Suites without warnings or errors
    • It only requires one valid cipher in your list for your web server to start!
    • You -must- check your explicit list against what is showing up in SSLLabs.
  34. What happens if a client tries to connect with a protocol or cipher that you do not support?
  35. Things that can go wrong and cause silent failures
    • If you have multiple OpenSSL installations, Apache can link to the wrong version
    • Source control problems (bad merge, reversion)
    • OS upgrades that overwrite your custom configurations
    • People changing things.
  36. Introducing SSLAssert
    • SSL fact generation for your site
    • Run it every day
    • Ideally the output never changes
    • If it does…..
  37. $ export OPENSSL=/usr/local/Cellar/openssl/1.0.1e/bin/openssl
    $ ./sslassert.sh www.google.com
    openssl-command: /usr/local/Cellar/openssl/1.0.1e/bin/openssl
    openssl-target: https://www.google.com:443/
    openssl-version: 'OpenSSL 1.0.1e 11 Feb 2013'
    smoke-test: on
    certificate-checksum: 0562dbbd5fa60dad7a6ef8bb6a53b89d961ee84a
    certificate-common-name: www.google.com
    certificate-length: 2048
    certificate-days-until-expiration: 72
    certificate-chain-length: 3
    certificate-chain-self-signed: off
    protocol-tls-v12: on
    protocol-tls-v12-default: ECDHE-RSA-AES128-GCM-SHA256
    cipher-suite-AES128-GCM-SHA256: on
    cipher-suite-AES128-SHA256: on
    cipher-suite-AES256-GCM-SHA384: on
    cipher-suite-AES256-SHA256: on
    cipher-suite-ECDHE-RSA-AES128-GCM-SHA256: on
    cipher-suite-ECDHE-RSA-AES128-SHA256: on
    cipher-suite-ECDHE-RSA-AES256-GCM-SHA384: on
    cipher-suite-ECDHE-RSA-AES256-SHA384: on
    protocol-tls-v11: on
    protocol-tls-v11-default: ECDHE-RSA-AES128-SHA
    protocol-tls-v10: on
    protocol-tls-v10-default: ECDHE-RSA-RC4-SHA
    protocol-ssl-v3: on
    protocol-ssl-v3-default: ECDHE-RSA-RC4-SHA
    protocol-ssl-v2: off
    etc…
  38. On Github
    • https://github.com/client9/sslassert
    • in bash.
    • Ruby has really nice OpenSSL bindings. Consider rewriting for your needs.
    • Please use as an example
  39. What Else Can You Test?
    • What else can you unit test?
    • Pages that must be SSL or require auth.
    • Certificate ID
    • DNS records?
    • Is your site on the Google Safe Browsing blacklist?
    • All of these should never change, but if they do, you should know about it.
  40. Summary
    • Upgrade!
    • Monitor your customers' usage of SSL
    • Simplify your Configuration
    • Monitor your SSL configuration with SSLLabs and your own sslassert - Unit Tests for Infrastructure.
    • Repeat every 6 months - put it in your calendar
    • Relax!
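
The usage analysis from slides 10 to 13, as an added example that is not code from the talk or from sslassert. It assumes every access-log line ends with the `%{SSL_PROTOCOL}x %{SSL_CIPHER}x` pair from slide 10; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: every access-log line ends with the two fields
# "%{SSL_PROTOCOL}x %{SSL_CIPHER}x", and plain-HTTP requests log "-" for both.

# ssl_usage [FILE...]: share of each protocol and cipher suite among SSL requests.
ssl_usage() {
  awk '
    NF < 2 || $(NF-1) == "-" { next }            # skip non-SSL requests
    { total++; proto[$(NF-1)]++; suite[$NF]++ }
    END {
      for (k in proto)
        printf "protocol %s %d %.1f%%\n", k, proto[k], 100 * proto[k] / total
      for (k in suite) {
        flag = (k ~ /RC4|DES|MD2|MD4/) ? " LEGACY" : ""   # names listed on slide 13
        printf "cipher %s %d %.1f%%%s\n", k, suite[k], 100 * suite[k] / total, flag
      }
    }' "$@" | sort
}

# legacy_clients [FILE...]: who still connects with SSL v2 or v3 (count, client IP).
legacy_clients() {
  awk '$(NF-1) ~ /^SSLv[23]$/ { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' "$@" | sort -rn
}

# Constructed sample log lines (documentation IP ranges), not real traffic.
sample_log() {
  cat <<'EOF'
192.0.2.10 - - [19/Mar/2014:10:00:01 +0900] "GET / HTTP/1.1" 200 512 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
192.0.2.11 - - [19/Mar/2014:10:00:02 +0900] "GET / HTTP/1.1" 200 512 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
192.0.2.12 - - [19/Mar/2014:10:00:03 +0900] "GET /cart HTTP/1.1" 200 900 TLSv1.2 AES128-SHA
198.51.100.7 - - [19/Mar/2014:10:00:04 +0900] "GET / HTTP/1.1" 200 512 TLSv1 AES128-SHA
198.51.100.8 - - [19/Mar/2014:10:00:05 +0900] "GET / HTTP/1.1" 200 512 TLSv1 DES-CBC3-SHA
198.51.100.9 - - [19/Mar/2014:10:00:06 +0900] "GET / HTTP/1.1" 200 512 TLSv1.1 AES128-SHA
203.0.113.5 - - [19/Mar/2014:10:00:07 +0900] "GET /robots.txt HTTP/1.0" 200 64 SSLv3 RC4-SHA
203.0.113.5 - - [19/Mar/2014:10:00:08 +0900] "GET / HTTP/1.0" 200 512 SSLv3 RC4-SHA
192.0.2.99 - - [19/Mar/2014:10:00:09 +0900] "GET /health HTTP/1.1" 200 2 - -
EOF
}

sample_log | ssl_usage
sample_log | legacy_clients
```

Suites that never show up in a day or more of this output are the ones slide 19 says to delete from the explicit list.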
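
One way to catch the silent failures of slides 33 and 35 using facts in the format shown on slide 37, as an added example that is not part of sslassert. The function names, the misspelled suite `DES-CBC3-SAH` and both scan files are constructed; only the `cipher-suite-NAME: on` and `certificate-days-until-expiration` line formats come from the slide.

```shell
#!/bin/sh
# Added example, not part of sslassert. Fact format assumed from slide 37.

# cipher_drift LIST FACTS
#   LIST  = colon-separated SSLCipherSuite value from the web server config
#   FACTS = file with "cipher-suite-NAME: on" lines from a scan of the site
cipher_drift() {
  printf '%s\n' "$1" | tr ':' '\n' | awk '
    NR == FNR { if ($0 != "") want[$0] = 1; next }  # stdin: configured names
    /^cipher-suite-.*: on$/ {
      name = $0; sub(/^cipher-suite-/, "", name); sub(/: on$/, "", name)
      seen[name] = 1
      if (!(name in want)) print "unexpected " name  # offered, never whitelisted
    }
    END { for (n in want) if (!(n in seen)) print "missing " n }  # typo or unsupported
  ' - "$2" | sort
}

# facts_changed OLD NEW: facts that differ between two runs. The expiry
# countdown is skipped because it changes every day by design.
facts_changed() {
  awk '
    /^certificate-days-until-expiration:/ { next }
    NR == FNR { old[$0] = 1; next }
    { cur[$0] = 1; if (!($0 in old)) print "+ " $0 }
    END { for (l in old) if (!(l in cur)) print "- " l }
  ' "$1" "$2" | sort
}

# Constructed sample data: a whitelist with one misspelled suite, and two scans.
CONFIGURED='ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SAH'
make_samples() {
  cat > "$1/monday" <<'EOF'
certificate-days-until-expiration: 72
protocol-ssl-v2: off
cipher-suite-AES128-SHA: on
cipher-suite-ECDHE-RSA-AES128-GCM-SHA256: on
EOF
  cat > "$1/tuesday" <<'EOF'
certificate-days-until-expiration: 71
protocol-ssl-v2: off
cipher-suite-AES128-SHA: on
cipher-suite-ECDHE-RSA-AES128-GCM-SHA256: on
cipher-suite-RC4-SHA: on
EOF
}

dir=$(mktemp -d) && make_samples "$dir"
cipher_drift "$CONFIGURED" "$dir/tuesday"
facts_changed "$dir/monday" "$dir/tuesday"
rm -rf "$dir"
```

A `missing` line means the server started without a suite you listed; an `unexpected` line or any `facts_changed` output means the configuration moved since the last run.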