The Art And Science Of Configuring SSL #appsecapac2014

OWASP Japan

March 19, 2014

Transcript

  1. Context!

    • This talk is for web-application security for commerce.
    • If you are hosting content that makes governments or police angry, you are at the wrong talk.
  2. Context!

    • I will use examples for Apache / OpenSSL
    • However this all applies to nginx / OpenSSL
    • And very likely applies to GnuTLS users
    • Sorry, I'm not familiar with Java and SSL
  3. What's the Goal for Today?

    • Allow you to understand what you are doing right now.
    • How to change your SSL settings safely
    • How to get a minimal understanding of cipher suite selection
    • How to monitor your site, so SSL surprises don't happen.
  4. For More Details

    • Ivan Ristic is The SSL Expert.
    • https://www.ssllabs.com/
    • http://blog.ivanristic.com/
    • And buy his new book! https://www.feistyduck.com/

  5. SSL Configuration

    • Essential part of your system's security
    • It should be standardised, and should be boring
    • But, yet, it's really confusing!
  6. The Art

    • Only you know your system
    • Only you know your audience and customers
    • Only you know your threats
    • There are many ways to be 'secure'
  7. #1 Most Important Thing

    • Update your OS to latest patch level
    • If you are using Apache 1.3 - stop, and just focus on getting up to date with Apache 2.2 or 2.4 (same with nginx users — get up to date)
    • This will update your OpenSSL library, fixing numerous problems
  8. Unless you are an Expert..

    • I do not recommend building your own Apache or OpenSSL
    • Too many things can go wrong.
    • Using latest patch from OS provider is likely better than what you can do.
  9. Just Doing An Update

    • Should not cause any performance problems.
    • It's possible, but highly unlikely, that CPU load might go up due to new ciphers being selected. If this happens, then add
      SSLHonorCipherOrder on
      SSLCipherSuite AES128:your-previous-values
  10. Add to Log File Apache

    • Add to your existing log or create a new one
    • Apache: Add the following to your CustomLog in
      %{SSL_PROTOCOL}x %{SSL_CIPHER}x
    • http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
  11. Add HTTP Headers

    • This allows your application to log or decide.
    • Apache: use mod_headers
      Header set X-SSL-Protocol %{SSL_PROTOCOL}s
      Header set X-SSL-Cipher %{SSL_CIPHER}s
    • NGINX:
      proxy_set_header X-SSL-Protocol $ssl_protocol;
      proxy_set_header X-SSL-Cipher $ssl_cipher;
  12. Analyse Protocol Usage

    • What percentage is using
    • SSL v2? - hopefully 0
    • SSL v3? — hopefully under 1% but look who is using. I'm seeing Yandex use it for their bots.
    • TLS v1.0, 1.1, 1.2? each is hopefully not 0
  13. Analyse Cipher Suites

    • After a day you'll have enough data
    • Analyse cipher suite usage, in particular look for old ones such as
    • Anything with 'RC4'
    • Anything with 'DES'
    • Hopefully nothing with MD2, MD4
  14. OpenSSL Cipher Suite Macros

    • It's likely your current configuration uses OpenSSL cipher suite macros.
    • Allows you to configure the set of cipher suites using set operations (union/intersection, add/subtract, whitelist/blacklist)
    • Allows for a very compact representation of what ciphers you allow.
    • Or do they?
  15. Do Not Use Them

    • They are hard to read
    • They hide your intentions
    • OpenSSL has made subtle changes in how they work from release to release.
    • Operating systems sometimes remove suites.
    • They are incomplete and/or undocumented.
    • Probably don't do what you think they do.
  16. Be Explicit

    • If there were thousands of cipher suites, it might make sense. There are not.
    • Whitelist ciphers you want.
    • If it's not on the list, it isn't used.
    • Makes clear which cipher suites you are using, and in what order.
  17. Example

      SSLProtocol ALL -SSLv2
      SSLHonorCipherOrder On
      SSLCipherSuite ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH

    • Expands to over 70 cipher suites.
    • Many aren't usable for public websites
    • Breaks old Windows XP compatibility
    • Some have serious performance implications
    • The most preferred cipher is — ECDHE-RSA-AES256-GCM-SHA384 - ouch
  18. Convert to Explicit List

    • DO THIS ON A PRODUCTION MACHINE. Results will be different depending on what version of OpenSSL is installed and your OS version
    • openssl ciphers 'ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH'
    • 70 on my Ubuntu box.
    • 9 on my Mac laptop
    • (use 'openssl ciphers -v' to get more information)
  19. Delete everything not used

    • Delete everything that is not being used, based on your site analysis.
    • This is the CipherSuite you are really using.
    • It probably contains under 10 entries.
    • Maybe as low as 1 or 2!
      DES-CBC3-SHA:AES128-SHA
  20. Protocols

    • SSL v2 — Broken. Do not use.
    • SSL v3 — Almost secure.. might be ok to eliminate
    • TLS 1.0 - "ok"
    • TLS 1.1 - No known practical attacks
    • TLS 1.2 — Best available; includes new ciphers
  21. AES is The Cipher

    • You can have a 'secure' website with exactly one cipher.
    • AES128-SHA
    • Just this will get you an "A" on SSLLabs (with other settings being correct)
    • It is the de facto public web standard.
    • Hardware accelerated in recent Intel CPUs
  22. AES128 vs. AES256 bit keys

    • First, to my knowledge, there is no client that forces 256-bit keys and does not use 128-bit keys.
    • There is no evidence that AES256 is 'more secure' in practical terms than AES128.
    • 256 definitely is slower.
  23. RC4 (aka Arc4)

    • Likely broken.
    • RC4-MD5 may be used in old cell phones still.
    • Only your usage analysis can tell you if you should use it.
    • A replacement is coming but it's not ready yet (ChaCha stream cipher)
  24. DES

    • 1970s technology.
    • Yeah, sadly, some Windows XP installations do not support AES, cannot support RC4, and so can only use DES!
  25. Asymmetric Ciphers

    • RSA - The standard. If the key is compromised, an eavesdropper can decode all traffic and any traffic previously captured.
    • ECDHE — Works in a completely different way. The 'E' at the end is important. It means every connection gets a different key. Key compromise means old communication remains safe.
  26. Compression!

    • Compression is normally a good thing
    • Not in SSL
    • SSLCompression off (this is the default)
  27. Add TLS v1.2 Enhancements

      ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384
      ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA
      AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256
      AES128-SHA AES256-SHA DES-CBC3-SHA RC4-SHA

    These protect against surprises.
  28. Recommend Add Perfect Forward Secrecy

      ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384
      ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA
      AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256
      AES128-SHA AES256-SHA DES-CBC3-SHA RC4-SHA

    Recommended but not required. Needs an up-to-date OS and version of OpenSSL
  29. Add 256-bit variations

      ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384
      ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA
      AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256
      AES128-SHA AES256-SHA DES-CBC3-SHA RC4-SHA

    Monitor to see who and how often 256-bit ciphers are actually used
  30. Add Legacy

      ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384
      ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA
      AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256
      AES128-SHA AES256-SHA DES-CBC3-SHA RC4-SHA

    And add other (secure) ciphers you found in your analysis
  31. Bonus: Legacy PFS

      ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384
      ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA
      AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256
      AES128-SHA AES256-SHA DES-CBC3-SHA RC4-SHA

    Very Very Optional: please analyse your traffic to see if this is worthwhile
  32. First Check Your Configuration With SSLLabs

    • It is always the most up-to-date resource
    • Fix any obvious problems (hopefully none)
    • Getting an A or A- should be easy
  33. OpenSSL Allows Silent Failure

    • OpenSSL allows spelling errors in Cipher Suites without warnings or errors
    • It only requires one valid cipher in your list for your web server to start!
    • You -must- check your explicit list against what is showing up in SSLLabs.
  34. What happens if a client tries to connect with a protocol or cipher that you do not support?
  35. Things that can go wrong and cause silent failures

    • If you have multiple OpenSSL installations, Apache can link to the wrong version
    • Source control problems (bad merge, reversion)
    • OS upgrades that overwrite your custom configurations
    • People changing things.
  36. Introducing SSLAssert

    • SSL fact generation for your site
    • Run it every day
    • Ideally the output never changes
    • If it does…..
  37. Example run

      $ export OPENSSL=/usr/local/Cellar/openssl/1.0.1e/bin/openssl
      $ ./sslassert.sh www.google.com
      openssl-command: /usr/local/Cellar/openssl/1.0.1e/bin/openssl
      openssl-target: https://www.google.com:443/
      openssl-version: 'OpenSSL 1.0.1e 11 Feb 2013'
      smoke-test: on
      certificate-checksum: 0562dbbd5fa60dad7a6ef8bb6a53b89d961ee84a
      certificate-common-name: www.google.com
      certificate-length: 2048
      certificate-days-until-expiration: 72
      certificate-chain-length: 3
      certificate-chain-self-signed: off
      protocol-tls-v12: on
      protocol-tls-v12-default: ECDHE-RSA-AES128-GCM-SHA256
      cipher-suite-AES128-GCM-SHA256: on
      cipher-suite-AES128-SHA256: on
      cipher-suite-AES256-GCM-SHA384: on
      cipher-suite-AES256-SHA256: on
      cipher-suite-ECDHE-RSA-AES128-GCM-SHA256: on
      cipher-suite-ECDHE-RSA-AES128-SHA256: on
      cipher-suite-ECDHE-RSA-AES256-GCM-SHA384: on
      cipher-suite-ECDHE-RSA-AES256-SHA384: on
      protocol-tls-v11: on
      protocol-tls-v11-default: ECDHE-RSA-AES128-SHA
      protocol-tls-v10: on
      protocol-tls-v10-default: ECDHE-RSA-RC4-SHA
      protocol-ssl-v3: on
      protocol-ssl-v3-default: ECDHE-RSA-RC4-SHA
      protocol-ssl-v2: off
      etc…
  38. On GitHub

    • https://github.com/client9/sslassert
    • in bash.
    • Ruby has really nice OpenSSL bindings. Consider rewriting for your needs.
    • Please use as an example
  39. What Else Can You Test?

    • What else can you unit test?
    • Pages that must be SSL or require auth.
    • Certificate ID
    • DNS records?
    • Is your site on Google Safe Browsing blacklist?
    • All of these should never change, but if they do, you should know about it.
  40. Summary

    • Upgrade!
    • Monitor your customers' usage of SSL
    • Simplify your Configuration
    • Monitor your SSL configuration with SSLLabs and your own sslassert - Unit Tests for Infrastructure.
    • Repeat every 6 months — put it in your calendar
    • Relax!
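
Added example for slides 10, 12 and 13 (not code from the talk or from sslassert): a POSIX shell tally of protocol share and of clients still using old protocols or suites. It assumes the log format ends with %{SSL_PROTOCOL}x %{SSL_CIPHER}x; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: protocol and cipher usage from an access log.
# Assumption: the log format ends with "%{SSL_PROTOCOL}x %{SSL_CIPHER}x",
# so protocol and cipher are the last two fields ("-" on plain HTTP).

# Constructed sample log lines (documentation addresses, not real traffic).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [19/Mar/2014:10:00:01 +0900] "GET / HTTP/1.1" 200 512 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
192.0.2.11 - - [19/Mar/2014:10:00:02 +0900] "GET / HTTP/1.1" 200 512 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
192.0.2.12 - - [19/Mar/2014:10:00:03 +0900] "GET /cart HTTP/1.1" 200 900 TLSv1.2 AES128-GCM-SHA256
192.0.2.13 - - [19/Mar/2014:10:00:04 +0900] "GET / HTTP/1.1" 200 512 TLSv1.2 ECDHE-RSA-AES128-SHA256
192.0.2.14 - - [19/Mar/2014:10:00:05 +0900] "GET / HTTP/1.1" 200 512 TLSv1.1 ECDHE-RSA-AES128-SHA
192.0.2.15 - - [19/Mar/2014:10:00:06 +0900] "GET / HTTP/1.1" 200 512 TLSv1 AES128-SHA
198.51.100.7 - - [19/Mar/2014:10:00:07 +0900] "GET / HTTP/1.1" 200 512 TLSv1 RC4-SHA
203.0.113.5 - - [19/Mar/2014:10:00:08 +0900] "GET /robots.txt HTTP/1.1" 200 64 SSLv3 DES-CBC3-SHA
192.0.2.16 - - [19/Mar/2014:10:00:09 +0900] "GET / HTTP/1.1" 301 0 - -
EOF
}

# Print "<protocol> <requests> <percent>" for SSL/TLS requests, busiest first.
protocol_share() {
  LC_ALL=C awk '$(NF-1) != "-" { n[$(NF-1)]++; total++ }
    END { for (p in n) printf "%s %d %.1f\n", p, n[p], 100 * n[p] / total }' |
    LC_ALL=C sort -k2,2nr -k1,1
}

# Print "<client> <protocol> <cipher>" once per client that used SSL v2/v3
# or a suite the talk says to look for (RC4, DES, MD2, MD4).
legacy_clients() {
  LC_ALL=C awk '$(NF-1) ~ /^SSLv[23]$/ || $NF ~ /RC4|DES|MD[24]/ {
    print $1, $(NF-1), $NF }' | LC_ALL=C sort -u
}

sample_log | protocol_share
sample_log | legacy_clients
```

Against a real log, replace sample_log with the log file on standard input; the client addresses from legacy_clients are the "look who is using" list from slide 12.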
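
Added example for slides 33 and 35 to 37 (not part of sslassert or of the talk): a POSIX shell check that compares an explicit cipher list with the suites a server really offers, read from "cipher-suite-NAME: on" lines in the sslassert output format shown on slide 37. The function names, the CONFIGURED list (which contains a deliberate spelling error) and the facts sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: catch silently dropped or unexpected cipher suites by
# comparing the intended explicit list with sslassert-style facts.

# Constructed sample: intended list (note the typo "SAH") and a facts file.
CONFIGURED='ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SAH'
sample_facts() {
cat <<'EOF'
protocol-tls-v12: on
protocol-tls-v12-default: ECDHE-RSA-AES128-GCM-SHA256
cipher-suite-AES128-SHA: on
cipher-suite-ECDHE-RSA-AES128-GCM-SHA256: on
cipher-suite-RC4-SHA: on
protocol-ssl-v2: off
EOF
}

# Read facts on stdin, print the enabled suites as a colon-separated list.
facts_enabled_suites() {
  sed -n 's/^cipher-suite-\(.*\): on$/\1/p' | paste -sd: -
}

# unknown_suites LIST REFERENCE: print each name in LIST that is absent from
# REFERENCE (both colon-separated). Exit status is 1 if anything was printed.
# The body runs in a subshell so IFS and "set -f" do not leak to the caller.
unknown_suites() (
  missing=0
  IFS=:
  set -f
  for suite in $1; do
    [ -n "$suite" ] || continue
    case ":$2:" in
      *":$suite:"*) ;;
      *) printf '%s\n' "$suite"; missing=1 ;;
    esac
  done
  exit "$missing"
)

served=$(sample_facts | facts_enabled_suites)
echo "configured but not served (typo or unsupported by this OpenSSL):"
unknown_suites "$CONFIGURED" "$served" || true
echo "served but not configured (configuration drift):"
unknown_suites "$served" "$CONFIGURED" || true
```

Run daily next to sslassert, a non-zero exit status from either direction is the signal that the list on disk and the list on the wire have diverged.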