Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Mon 05 Aug '13 18:36 Post subject:
I miss the
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Posted: Sun 15 Sep '13 21:46 Post subject:
Ivan has tweaked the suite configuration string to position SHA256 and SHA384 suites (which are TLS 1.2-only) after GCM suites and before RC4 suites.
See the above blog post from Ivan.
Steffen
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Mon 16 Sep '13 12:43 Post subject:
Looks like Forward Security is impossible for IE7 & 8 on XP.
It's nice to see this on the test:
BEAST attack: No longer rated; considered sufficiently mitigated client-side (more info)
"Sufficiently" means a few visitors will still be vulnerable (IE6 [who cares], some Apples), so if you again allow the TLS/1.0 CBC ciphers, you will not get hit with a B rating. Qualys themselves are still using RC4, yet (reading comments in various articles there) they may be changing that soon.
So it looks like we can finally drop RC4, which then allows 256-bit encryption again. Of course, by not allowing SSLv3 you've lost support for IE6 altogether, but who cares.
Firefox 23 has TLS/1.1 support supposedly (experimental), but I couldn't get it to connect when I set -TLS/1.0 on the server.
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Mon 16 Sep '13 15:29 Post subject:
Thanks for the info and another thing to check.
We use one Apache as reverse proxy for multiple sites (Exchange, Alfresco collaboration system, QlikView server).
Since folks from the NSA are messing around we have strengthened our SSL/TLS protocols and found a good configuration solving most of the problems (no weak RC4, but robust forward secrecy).
Code:
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS
But one thing we didn't get fixed: we could not use an additional 4096-bit DH parameter, although there should be an option of using an SSLDHParametersFile.
After some searching we found that there is a missing patch.
Have a look at
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
JR
P.S. IE6/XP and IE8/XP are not working with this configuration, but who cares! This configuration gets an A grade at the SSL Labs test (v1.6.7) with 95% protocol support, 80% key exchange (because of the poor 1024-bit Diffie-Hellman) and 100% cipher strength.
Last edited by jraute on Mon 26 Jan '15 15:37; edited 11 times in total
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Wed 18 Sep '13 18:35 Post subject:
With that config + SSLCompression Off the SSL test seems to be very nice, + the benefit of 256-bit encryption. Since IE 8-10 / Win 7 still needs TLS 1.0 I can't disable that :-/
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Thu 19 Sep '13 9:26 Post subject:
At the moment it is pest or cholera.
TLS 1.0 without the weak RC4 makes a system not mitigate BEAST server-side.
TLS 1.0 with RC4 makes a system use a weak RC4, but mitigates BEAST.
Without TLS 1.0 you lose support for too many browsers which don't support TLS 1.1 or higher.
So what to do?
Hello browser developers, look at that!
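An added check, not from the thread or from Apache, that expands the SSLCipherSuite string from jraute's earlier post the way OpenSSL does and sorts the result by the trade-offs argued in this post: suites without forward secrecy, suites carrying a weak marker, and non-AEAD (CBC) suites, which are what BEAST targets under TLS 1.0 once RC4 is gone. It assumes Python's ssl module is linked against an OpenSSL that still offers the listed TLS 1.2 suites; the audit() classification and its key names are this example's own.

```python
"""Expand an Apache SSLCipherSuite string the way OpenSSL does and audit it."""
import ssl

# Cipher string quoted from jraute's post in this thread.
THREAD_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS"
)

# Substrings marking suites the thread wants gone (RC4, MD5, NULL, export, DES/3DES).
WEAK_MARKERS = ("RC4", "MD5", "NULL", "EXP", "DES")


def expand(cipher_string):
    """Suites OpenSSL selects for cipher_string, in server preference order.

    Mirrors what mod_ssl hands to SSL_CTX_set_cipher_list. TLS 1.3 suites are
    configured separately in OpenSSL (not via this string), so they are skipped.
    Raises ssl.SSLError if nothing matches, just as Apache would refuse to start.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Classify each selectable suite for the trade-offs discussed in the thread."""
    report = {"order": [], "no_forward_secrecy": [], "weak": [], "non_aead": []}
    for c in expand(cipher_string):
        name = c["name"]
        report["order"].append(name)
        # Only ephemeral (EC)DHE key exchange gives forward secrecy; with static
        # RSA key exchange, a later key compromise decrypts recorded sessions.
        if c["kea"] not in ("kx-ecdhe", "kx-dhe"):
            report["no_forward_secrecy"].append(name)
        if any(marker in name for marker in WEAK_MARKERS):
            report["weak"].append(name)
        # Non-AEAD suites are CBC (or RC4 stream) suites. With RC4 excluded, the
        # CBC ones are all a TLS 1.0-only client can negotiate: BEAST's target.
        if not c["aead"]:
            report["non_aead"].append(name)
    return report


if __name__ == "__main__":
    for key, names in audit(THREAD_CIPHERS).items():
        print(f"{key}: {', '.join(names) or '-'}")
```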
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Thu 19 Sep '13 11:36 Post subject:
Yes, I did.
That was the reason why I wrote "...pest or cholera...".
And for us it was the reason to disable RC4 and to live with the potential risk of MITM attacks as long as TLS 1.0 has to be enabled for compatibility reasons.
Did I miss an aspect?
Jraute
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Thu 19 Sep '13 12:42 Post subject:
From that link you posted, Steffen (epilogue):
Quote:
Although I don't believe that the problem is exploitable today, there might be other attack vectors we are not aware of.
Since for most of my sites a man-in-the-middle attack doesn't seem to be an option (they would need my SSL key), using 256-bit AES seems to be better.
The SSL Labs test (https://www.ssllabs.com/ssltest/index.html) gives me an A (http://img3.picload.org/image/olggaio/ssl_test.png)
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Fri 04 Oct '13 21:12 Post subject: Patch available
OK, thanks to all who helped.
The patch is available!
https://people.apache.org/~kbrand/mod_ssl-2.4.x-ekh.diff
This helps to improve "DH keys" (parameter sets) from 1024-bit up to 4096-bit or more.
And if I got it right, while flying over the blog, it will be included in 2.4.7.
JR