The Art and Science of SSL Configuration

Transcript

1. The Art and Science of SSL Configuration Nick Galbreath! OWASP

   APAC 2014! Tokyo, Japan

2. Slides Are Online Now http://bit.ly/OaiFrf O = Oh 0 =

   zero

3. Who am I • Nick Galbreath (χοΫɹΨϧϒϨεʣ! • [email protected]! •

   @ngalbreath

4. Context When I say SSL 
 I mean
 SSL and/or

   TLS

5. Context! • This talk is for web-application security for commerce.

   • If you are hosting content that makes governments or police angry, you are at the wrong talk.

6. Context! • I will use examples for Apache / OpenSSL

   • However this all applies to nginx / OpenSSL • And very likely applies to GnuTLS users • Sorry, I'm not familiar with Java and SSL

7. What's the Goal for Today? • Allow you to understand

   
 what you are doing right now. • How to change your SSL settings safely • How to get a minimal understanding of cipher suite selection • How to monitor your site, so SSL surprises don't happen.

8. For More Details • Ivan Ristic is The SSL Expert.

   • https://www.ssllabs.com/ • http://blog.ivanristic.com/ • And buy his new book! 
 https://www.feistyduck.com/


9. The Art and Science of SSL Configuration?

10. SSL Configuration • Essential part of your system's security •

    It should be standardised, and should be boring • But, yet, it's really confusing!

11. The Science • Some things work • Some things do

    not

12. The Art • Only you know your system • Only

    you know your audience and customers • Only you know your threats • There are many ways to be 'secure'

13. Step 1: Get Up To Date

14. #1 Most Important Thing • Update your OS to latest

    patch level • If you are using Apache 1.3 - stop,
 and just focus on getting up to date
 with Apache 2.2 or 2.4
 (same with nginx users — get up to date) • This will update your OpenSSL library, fixing numerous problems

15. Unless you are an Expert.. • I do not recommend

    building your own Apache or OpenSSL • Too many things can go wrong. • Using latest patch from OS provider is likely better than what you can do.

16. Just Doing An Update • Should not cause any performance

    problems. • It's possible but highly unlikely, CPU load might go up due to new ciphers being selected. If this happens, then add • SSLHonorCipherOrder on • SSLCipherSuite: AES-128:your-previous-values

17. Step 2: Understanding what your actually doing

18. The Next Most Important Thing You Can Do Is Monitor

    Your Current SSL Usage

19. Add to Log File Apache • Add to your existing

    log or create a new one • Apache: Add the following to your CustomLog in • %{SSL_PROTOCOL}x %{SSL_CIPHER}x • http://httpd.apache.org/docs/2.2/mod/mod_ssl.html

20. Add HTTP Headers • This allows your application to log

    or decide. • Apache: use mod_header
 Header set X-SSL-Protocol %{SSL-Protocol}s
 Header set X-SSL-Cipher %{SSL-Cipher}s • NGINX: proxy_set_header X-SSL-Protocol $ssl_protocol; proxy_set_header X-SSL-Cipher $ssl_cipher;

21. Analyse Protocol Usage • What percentage is using • SSL

    v2? - -hopefully 0 • SSL v3? — hopefully under 1% but look who is using. I'm seeing Yandex use it for their bots. • TLS v1.0, 1.1, 1.2? each is hopefully not 0

22. Analyse Cipher Suites • After a day you'll have enough

    data • Analyse cipher suite usage, in particular look for olds one such as • Anything with 'RC4' • Anything with 'DES' • Hopefully nothing with MD2, MD4

23. Step 3. Cleanup Configuration

24. OpenSSL
 Cipher Suite Macros • It's likely your current configuration

    uses OpenSSL cipher suite macros. • Allows you to configure the set of cipher suites using set operations (union/intersection, add/ subtract, whitelist/blacklist) • Allows for a very compact representation what ciphers you allow. • Or do they?

25. Do Not Use Them • They are hard to read

    • They hide your intentions • OpenSSL has made subtle changes in how they work from release to release. • Operating systems sometimes remove suites. • They are incomplete and/or undocumented. • Probably don't do what you think they do.

26. Be Explicit • If there were thousands of ciphers suites,

    it might make sense. We do not. • Whitelist ciphers you want. • If its not on the list, they aren't used. • Makes clear what, and in what order what cipher suite you are using.

27. Example SSLProtocol ALL -SSLv2 SSLHonorCipherOrder On SSLCipherSuite ALL:!ADH:!NULL:!EXP:! SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH •

    Expands to over 70 cipher suites. • Many aren't useable for public websites • Breaks old Windows XP compatibility • Some have serious performance implications • The most preferred cipher is — 
 ECDHE-RSA-AES256-GCM-SHA384 - ouch

28. Convert to Explicit List • DO THIS ON A PRODUCTION

    MACHINE. Results will be different depending on what version of OpenSSL is installed and your OS version • openssl ciphers "ALL:!ADH:!NULL:!EXP:! SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH" • 70 on my ubuntu box. • 9 on my mac laptop • (use 'openssl ciphers -v' to get more information)

29. Delete everything not used • Delete everything that is not

    being used, based on your site analysis. • This is the CipherSuite you are really using. • It probably contains under 10 entries. • Maybe as low as 1 or 2!
 DES-CBC3-SHA:AES128-SHA

30. Step 3. The Art of SSL Configuration

31. Let's Get Updated • Protocols • Ciphers • Other Stuff

32. Protocols • SSL v2 — Broken. Do not use.! •

    SSL v3 — Almost secure.. 
 might be ok to eliminate! • TLS 1.0 - "ok"! • TLS 1.1 - No known practical attacks! • TLS 1.2 — Best available; includes new ciphers

33. AES is The Cipher • You can have a 'secure'

    website with exactly one cipher. • AES128-SHA • Just this will get you an "A" on SSLLabs 
 (with other settings being correct) • It is the defacto public web standard. • Hardware accelerated in recent Intel CPUs

34. AES128 vs. AES256 bit keys • First, to my knowledge,

    there is no client that forces 256-bits keys and does not use 128-keys. • There is no evidence that AES256 is 'more secure' in practical terms than AES128. • 256 definitely is slower.

35. RC4 (aka Arc4) • Likely broken. • RC5-MD5 may be

    used in old cell phones still. • Only your usage analysis can tell you if you should use it. • A replacement is coming but it's not ready yet (Cha-Cha stream cipher)

36. DES • 1970s technology. • Yeah, sadly, some Windows XP

    installations do not support AES, cannot support RC4, and so can only use DES!

37. Everything Else • Not required, unless you need to meet

    some country-specific regulation.

38. Asymmetric Ciphers • RSA - The standard. If the key

    is compromised, an eavesdropper can decode all traffic and any traffic previously captured. • ECDHE — Works in a completely different way. The 'E' at the end is important. It means every connection gets a different key. Key compromise means old communication remains safe.

39. Compression! • Compression is normally a good thing • Not

    in SSL • SSLCompression false (this the default)

40. Pulling it All Together

41. The Basics ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA

    AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DES-CBC3-SHA RC4-SHA:

42. Add TLS v1.2 Enhancements ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA

    ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DES-CBC3-SHA RC4-SHA: These protect
 against surprises.

43. Recommend Add Prefect Forward Secrecy ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA

    ECDHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DES-CBC3-SHA RC4-SHA: Recommended but not required.! Needs an up-to-date OS and 
 version of OpenSSL

44. Add 256-bit variations ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA

    ECDHE-RSA-RC4-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DES-CBC3-SHA RC4-SHA: Monitor to see who
 and how often
 256-bit ciphers 
 are actually used

45. Add Legacy ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA

    AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DES-CBC3-SHA RC4-SHA And add other
 (secure) ciphers 
 you found in
 your analysis

46. Bonus: Legacy PFS ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA

    ECDHE-RSA-RC4-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DES-CBC3-SHA RC4-SHA Very Very Optional
 please analyse you traffic 
 to see if this is worthwhile

47. There are other possible secure orderings and selections of cipher

    suites.

48. Step 4: Check what is really happening

49. First Check Your Configuration With SSLLabs • It is always

    the most up-to-date resource • Fix any obvious problems (hopefully none) • Getting an A or A- should be easy

50. OpenSSL Allows
 Silent Failure • OpenSSL allows spelling errors in

    Cipher Suites without warnings or errors • It only requires one valid cipher in your list for your web server to start! • You -must- check your explicit list against what is showing up in SSLLabs.

51. What happens if a client tries to connect with a

    protocol or cipher 
 that you do not support?

52. Client-Side

53. Server-Side Nothing in error log! Nothing in access log! !

54. Monitor Yourself

55. Now that you have a configuration you like, make sure

    it stays that way.

56. Things that can go wrong and cause silent failures •

    If you have multiple OpenSSL installations, Apache can link to wrong version • Source control problems (bad merge, reversion) • OS Upgrades that overwrite your custom configurations • People changing things.

57. Make Unit Tests for your Infrastructure!

58. Introducing SSLAssert • SSL fact generation for your site •

    Run it every day • Ideally the output never changes • If it does…..

59. $ export OPENSSL=/usr/local/Cellar/openssl/1.0.1e/bin/openssl $ ./sslassert.sh www.google.com openssl-command: /usr/local/Cellar/openssl/1.0.1e/bin/openssl openssl-target: https://www.google.com:443/

    openssl-version: 'OpenSSL 1.0.1e 11 Feb 2013' smoke-test: on certificate-checksum: 0562dbbd5fa60dad7a6ef8bb6a53b89d961ee84a certificate-common-name: www.google.com certificate-length: 2048 certificate-days-until-expiration: 72 certificate-chain-length: 3 certificate-chain-self-signed: off protocol-tls-v12: on protocol-tls-v12-default: ECDHE-RSA-AES128-GCM-SHA256 cipher-suite-AES128-GCM-SHA256: on cipher-suite-AES128-SHA256: on cipher-suite-AES256-GCM-SHA384: on cipher-suite-AES256-SHA256: on cipher-suite-ECDHE-RSA-AES128-GCM-SHA256: on cipher-suite-ECDHE-RSA-AES128-SHA256: on cipher-suite-ECDHE-RSA-AES256-GCM-SHA384: on cipher-suite-ECDHE-RSA-AES256-SHA384: on protocol-tls-v11: on protocol-tls-v11-default: ECDHE-RSA-AES128-SHA protocol-tls-v10: on protocol-tls-v10-default: ECDHE-RSA-RC4-SHA protocol-ssl-v3: on protocol-ssl-v3-default: ECDHE-RSA-RC4-SHA protocol-ssl-v2: off etc…

60. On Github • https://github.com/client9/sslassert • in bash. • Ruby has

    really nice OpenSSL bindings. 
 Consider rewriting for your needs. • Please use as an example

61. What Else Can You Test? • What else can you

    unit test? • Pages that must be SSL or require auth. • Certificate ID • DNS records? • Is your site on Google Safe Browsing blacklist? • All of these should never change, but if they do, you should know about it.

62. Summary • Upgrade! • Monitor your customer's usage of SSL

    • Simplify your Configuration • Monitor your SSL configuration with SSLLabs and 
 your own sslassert - Unit Tests for Infrastructure. • Repeat every 6 months — put it in your calendar • Relax!