Tuesday, 6 October 2009

Apache SSL/TLS security configuration

Recent installation of a new vulnerability scanner at the University has highlighted that a default-configured Apache supports SSL v2, which reportedly suffers from several cryptographic flaws and has been deprecated for several years, and also supports the use of SSL ciphers that are very weak by today's standards.

The danger of dropping support for particular protocols and ciphers is that doing so denies access to any clients that don't support anything else. Ideally you should review your Apache configuration in the light of your security needs and the capabilities of your clients, which obviously only you will know. Failing that, I've reviewed a sample of the logs from the University's Raven server to see what its clients are actually using. This should represent general University client capabilities. Only 17 out of over 3,500,000 connections used SSLv2, all of which looked to be from robots or similar; only 68 of these 3,500,000 connections used ciphers with symmetric key lengths of 56 bits or below.

My conclusion is that, for general use, adding the following to your Apache configuration will provide a reasonable level of security while excluding few if any legitimate visitors:
SSLProtocol All -SSLv2
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP
When compared to the Apache default this a) drops SSLv2 while leaving everything else (including future developments); and b) drops the export-crippled ciphers, those using 64 or 56 bit encryption algorithms, and the SSLv2-only ones (since we've dropped SSLv2). Exactly what this will leave you depends on the version of OpenSSL you are using, but you can find out from the openssl command-line utility:
openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP'
On my Ubuntu 8.04 box this leaves
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
According to NIST Special Publication 800-57, symmetric keys of at least 112 bits should be generally OK until 2030. Note however that this only applies when used in conjunction with certificates containing asymmetric keys of at least 2040 bits, so it would also be advisable to upgrade any certificates using smaller keys.
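
Since the resulting list depends on your OpenSSL version, it is worth checking the output mechanically against the 112-bit threshold rather than reading it by eye. The script below is an added example, not part of the original post: the function names weak_ciphers and sample_output are hypothetical, and the sample lines are constructed in the format of the output shown above.

```shell
#!/bin/sh
# Added example: audit `openssl ciphers -v` output against a minimum
# symmetric key length. Function names and sample data are assumptions.

# weak_ciphers [MIN_BITS]   (default 112)
# Reads `openssl ciphers -v` lines on stdin and prints "NAME REASON" for
# every suite that is SSLv2-only, export-grade, or below MIN_BITS
# (unencrypted suites, Enc=None, count as 0 bits).
weak_ciphers() {
    awk -v min="${1:-112}" '
    NF >= 5 {
        enc = ""; reason = ""; bits = 0
        # Locate the Enc= field wherever it sits on the line.
        for (i = 3; i <= NF; i++)
            if ($i ~ /^Enc=/) enc = substr($i, 5)
        # Enc looks like AES(256), 3DES(168), RC4(40) or None.
        if (match(enc, /\([0-9]+\)/))
            bits = substr(enc, RSTART + 1, RLENGTH - 2) + 0
        if ($2 == "SSLv2")         reason = "sslv2"
        else if ($NF == "export")  reason = "export"
        else if (bits < min + 0)   reason = "bits=" bits
        if (reason != "") print $1, reason
    }'
}

# Constructed sample: three suites from the list above plus three that
# the recommended cipher string is meant to exclude.
sample_output() {
    cat <<'EOF'
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5 export
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
EOF
}

# Demonstration on the constructed sample. Against a real server build:
#   openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP' | weak_ciphers 112
sample_output | weak_ciphers 112
```

No output from the real command means every suite left enabled meets the threshold.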