Topic: [Solved] Excluding Elliptic Curves

Author: Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU
Posted: Mon 04 Sep '17 10:36 Post subject: [Solved] Excluding Elliptic Curves
I am looking for a way to exclude a lot of elliptic curves from being exposed by Apache. Take a look at these two hosts:
tst.sessionportal.net has the needed ciphers to be compliant with PCI DSS, HIPAA and NIST, but is exposing too many elliptic curves.
www.sessionportal.net has the same ciphers, but exposes only secp384r1. I did this by recompiling mod_ssl.so with only these lines, starting at line 1286 of ssl_engine_init.c:
Code:
#ifdef HAVE_ECC
    /* Patched: pin the ephemeral ECDH curve to secp384r1.
     * eckey and ecparams are declared earlier in this function; eckey is
     * reused here so the temporary key can be released after the call
     * (SSL_CTX_set_tmp_ecdh() does not take ownership of it). */
    EC_KEY_free(eckey);
    eckey = EC_KEY_new_by_curve_name(NID_secp384r1);
    SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey);
    /* OpenSSL assures us that _free() is NULL-safe */
    EC_KEY_free(eckey);
    EC_GROUP_free(ecparams);
#endif
It does not feel good to have to patch mod_ssl to be compliant with PCI DSS, HIPAA and NIST.
Is there a config option that I am missing? Or a setting while generating the certificate? Remember: keeping the selected ciphers is required, but these curves should not be there:
Code:
sect193r1 (193 bits)            Non-compliant with HIPAA guidance
sect193r2 (193 bits)            Non-compliant with HIPAA guidance
secp192k1 (192 bits)            Non-compliant with HIPAA guidance
P-192 (prime192v1) (192 bits)   Non-compliant with HIPAA guidance
K-163 (sect163k1) (163 bits)    Non-compliant with HIPAA guidance
sect163r1 (162 bits)            Non-compliant with HIPAA guidance
B-163 (sect163r2) (163 bits)    Non-compliant with HIPAA guidance
secp160k1 (161 bits)            Non-compliant with HIPAA guidance
secp160r1 (161 bits)            Non-compliant with HIPAA guidance
secp160r2 (161 bits)            Non-compliant with HIPAA guidance
Last edited by Jan-E on Tue 05 Sep '17 12:29; edited 1 time in total
Author: Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU
Posted: Tue 05 Sep '17 12:28 Post subject:
To answer my own question: Yes, I was missing a config option.
Code:
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1:sect283k1:sect283r1:secp256k1:prime256v1:sect239k1:sect233k1:sect233r1:secp224k1:secp224r1
Note: this should be a one-liner.
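As an added example (not code from this thread), a small Python helper that parses scanner lines in the layout quoted in the question, keeps only curves of at least 224 bits (assumed here to be the threshold behind the scanner's verdicts, since the smallest curve in the answer's list is 224 bits), and emits the SSLOpenSSLConfCmd Curves line from the answer; the scan lines are constructed.

```python
import re

# Constructed sample in the layout of the scanner output quoted in the question:
# "<name> [(<openssl name>)] (<bits> bits) <verdict>"
SCAN_LINES = """\
secp384r1 (384 bits) Compliant
P-256 (prime256v1) (256 bits) Compliant
secp224r1 (224 bits) Compliant
P-192 (prime192v1) (192 bits) Non-compliant with HIPAA guidance
K-163 (sect163k1) (163 bits) Non-compliant with HIPAA guidance
secp160r1 (161 bits) Non-compliant with HIPAA guidance
"""

# Assumption: curves below 224 bits fall under the 112-bit security floor of
# NIST SP 800-57, which is what the scanner's verdicts are taken to reflect.
MIN_BITS = 224

LINE_RE = re.compile(
    r"^(?P<name>\S+)"                       # display name, e.g. P-192
    r"(?:\s+\((?P<alias>[A-Za-z0-9]+)\))?"  # optional OpenSSL name in parens
    r"\s+\((?P<bits>\d+) bits\)"
    r"\s+(?P<verdict>.+)$"
)

def parse_scan(text):
    """Return [(openssl_name, bits, compliant)] for every curve line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a curve entry
        name = m.group("alias") or m.group("name")  # mod_ssl wants OpenSSL names
        compliant = not m.group("verdict").lower().startswith("non-compliant")
        rows.append((name, int(m.group("bits")), compliant))
    return rows

def allowed_curves(rows, min_bits=MIN_BITS):
    """Curves to keep, strongest first: the order given to Curves is the
    server's preference order."""
    keep = sorted(((b, n) for n, b, _ in rows if b >= min_bits),
                  key=lambda r: (-r[0], r[1]))
    return [n for _, n in keep]

def curves_directive(rows, min_bits=MIN_BITS):
    """The mod_ssl line from the answer, built from the filtered list."""
    return "SSLOpenSSLConfCmd Curves " + ":".join(allowed_curves(rows, min_bits))

def policy_mismatches(rows, min_bits=MIN_BITS):
    """Curves where the bit threshold and the scanner's verdict disagree;
    a non-empty result means MIN_BITS does not match the scanner's policy."""
    return [n for n, b, ok in rows if (b >= min_bits) != ok]
```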
Author: James Blond (Moderator)
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Tue 31 Oct '17 18:45 Post subject:
Isn't using SSLCipherSuite enough to use the ciphers that you need? I just would like to know.
Getting smarter every day