Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
 Topic: Enable specific ciphers |
|
| Author |
|
Shrinidhi0409
Joined: 24 Sep 2021
Posts: 18
Location: India
|
 Posted: Tue 24 May '22 11:19 Post subject: Enable specific ciphers |
 |
|
Our java application is running smoothly on RHEL 8.5 OS platform. To improve the security, I want enable only few ciphers and need to block others.
CIPHERS TO BE ENABLED:
ChaCha20-Poly1305, AES-GCM, AES-CCM with key exchange of ECDHE, DHE, RSA.
NOTE : And all other ciphers are prohibited.
I have made the below changes in "ssl.conf" file.
SSLProtocol -ALL +TLSv1.2
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
But when I try to check the ciphers from server by using the "openssl s_client -connect <localhost>:443 -tls1_2", I can able to see only one cipher.
Please find the below snippet,
SSL-session:
Protocol:TLSv1.2
Cipher:ECDHE-ECDSA-CHACHA20-POLY1305
Can you please let us know about below queries,
1) Whether the above command (SSLCipherSuite) is correct or not?. If not please let me know the correct procedure. If it is correct, why other ciphers are not displayed?
2) Please let me know the command to verify the enabled ciphers in RHEL 8.5 server.
3) How to block other Ciphers other than the mentioned above?
Can you suggest the possible solutions ASAP
Regards,
Shrinidhi |
|
| Back to top |
|
tangent
Moderator
Joined: 16 Aug 2020
Posts: 348
Location: UK
|
| Posted: Wed 25 May '22 16:08 Post subject: |
|
|
When it connects, the s_client command shows the cipher suite used to achieve the connection. It won't list all the ciphers supported by the server. Moreover, if you don't specify "SSLHonorCipherOrder on" in your Apache configuration, the client's preferred cipher is chosen rather than the server's. You probably want the server in control.
In your SSLCipherSuite list, you've included ciphers with ECDSA authentication. ECDSA is an elliptic curve implementation of DSA, and since DSA keys are much shorter than RSA, I guess your client is choosing the ECDSA cipher over the RSA variant.
If you want to confirm your required list of ciphers is available, then simply add each required cipher to the openssl s_client command, and retest, e.g.
| Code: | openssl s_client -connect HOST:PORT -cipher ECDHE-RSA-CHACHA20-POLY1305
|
Equally, you can use the -sigalgs option to check a connection using a required algorithm, e.g.
| Code: | openssl s_client -connect HOST:PORT -sigalgs "ECDSA+SHA256"
|
Although it's a few years old now, the following site has a good write up explaining ciphers, algorithms and connection negotiation - https://www.thesslstore.com/blog/cipher-suites-algorithms-security-settings
This site may also be helpful - https://node-security.com/posts/openssl-testing-signature-algorithm |
|
| Back to top |
|
Shrinidhi0409
Joined: 24 Sep 2021
Posts: 18
Location: India
|
| Posted: Wed 01 Jun '22 12:05 Post subject: |
|
|
Hi,
Thank you for the response.I used below commands to check the enabled ciphers. please find the same and their respective result.
Command 1: nmap -sV --script ssl-enum-ciphers -p 8443 <IP_Address>
Result 1:Starting Nmap 7.70 ( https://nmap.org ) at 2022-05-31 14:25 IST
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for xxxxx (XX.XXX.XX.XXX)
Host is up (0.000066s latency).PORT STATE SERVICE VERSION
8443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| compressors:
| NULL
| cipher preference: indeterminate
| cipher preference error: Too few ciphers supported
|_ least strength: AService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.72 seconds
Please find your command and the result,
Command 2: openssl s_client -connect HOST:PORT -cipher ECDHE-RSA-CHACHA20-POLY1305
Result 2:CONNECTED(00000003)
140416325527360:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1544:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 229 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
-----------------------------------------Please let me know why "CHACHA20-POLY1305" was not included in the "Result 1". Also the command 2 got failed.
And I tried to add "AES-CCM". But it is also not included in that list.Please let me know the workaround solution to enable only "AES-GCM, AES-CCM, CHACHA20-POLY1305". |
|
| Back to top |
|
tangent
Moderator
Joined: 16 Aug 2020
Posts: 348
Location: UK
|
| Posted: Fri 03 Jun '22 20:45 Post subject: |
|
|
Curious; your nmap command output lists just the one cipher (an RSA one), although your original SSLCipherSuite config lists two RSA and two ECDSA ciphers.
You cannot use ECDSA ciphers if you don't present an ECDSA certificate, so my guess is your site certificate is based on an RSA algorithm. On that basis, Apache isn't able to offer the ECDSA based ciphers you've asked for.
There are a few posts on the net about configuring Apache with both RSA and ECDSA certificates, but it's not something I've any experience with, nor whether there's some magic that can be used to support both.
Are you not able to choose either RSA or ECDSA, rather than both? |
|
| Back to top |
|
|
|
|
|
|
