Slide 1

Slide 1 text

The Art and Science of SSL Configuration
Nick Galbreath
OWASP APAC 2014
Tokyo, Japan

Slide 2

Slide 2 text

Slides Are Online Now
http://bit.ly/OaiFrf
O = Oh, 0 = zero

Slide 3

Slide 3 text

Who am I
• Nick Galbreath (ニック・ガルブレス)
• [email protected]
• @ngalbreath

Slide 4

Slide 4 text

Context
When I say SSL I mean SSL and/or TLS

Slide 5

Slide 5 text

Context
• This talk is for web-application security for commerce.
• If you are hosting content that makes governments or police angry, you are at the wrong talk.

Slide 6

Slide 6 text

Context
• I will use examples for Apache / OpenSSL
• However this all applies to nginx / OpenSSL
• And very likely applies to GnuTLS users
• Sorry, I'm not familiar with Java and SSL

Slide 7

Slide 7 text

What's the Goal for Today?
• Allow you to understand what you are doing right now.
• How to change your SSL settings safely
• How to get a minimal understanding of cipher suite selection
• How to monitor your site, so SSL surprises don't happen.

Slide 8

Slide 8 text

For More Details
• Ivan Ristic is The SSL Expert.
• https://www.ssllabs.com/
• http://blog.ivanristic.com/
• And buy his new book! https://www.feistyduck.com/


Slide 9

Slide 9 text

The Art and Science of SSL Configuration?

Slide 10

Slide 10 text

SSL Configuration
• Essential part of your system's security
• It should be standardised, and should be boring
• But, yet, it's really confusing!

Slide 11

Slide 11 text

The Science
• Some things work
• Some things do not

Slide 12

Slide 12 text

The Art
• Only you know your system
• Only you know your audience and customers
• Only you know your threats
• There are many ways to be 'secure'

Slide 13

Slide 13 text

Step 1: Get Up To Date

Slide 14

Slide 14 text

#1 Most Important Thing
• Update your OS to the latest patch level
• If you are using Apache 1.3, stop, and just focus on getting up to date with Apache 2.2 or 2.4 (same with nginx users: get up to date)
• This will update your OpenSSL library, fixing numerous problems

Slide 15

Slide 15 text

Unless you are an Expert...
• I do not recommend building your own Apache or OpenSSL
• Too many things can go wrong.
• Using the latest patch from your OS provider is likely better than what you can do.

Slide 16

Slide 16 text

Just Doing An Update
• Should not cause any performance problems.
• It's possible, but highly unlikely, that CPU load might go up due to new ciphers being selected. If this happens, then add:
  SSLHonorCipherOrder on
  SSLCipherSuite AES128-SHA:your-previous-values

Slide 17

Slide 17 text

Step 2: Understanding what you're actually doing

Slide 18

Slide 18 text

The Next Most Important Thing You Can Do Is Monitor Your Current SSL Usage

Slide 19

Slide 19 text

Add to Log File: Apache
• Add to your existing log or create a new one
• Apache: add the following to your CustomLog format:
  %{SSL_PROTOCOL}x %{SSL_CIPHER}x
• http://httpd.apache.org/docs/2.2/mod/mod_ssl.html

Slide 20

Slide 20 text

Add HTTP Headers
• This allows your application to log or decide.
• Apache: use mod_headers
  # RequestHeader, so the value is passed on to the backend application
  RequestHeader set X-SSL-Protocol "%{SSL_PROTOCOL}s"
  RequestHeader set X-SSL-Cipher "%{SSL_CIPHER}s"
• NGINX:
  proxy_set_header X-SSL-Protocol $ssl_protocol;
  proxy_set_header X-SSL-Cipher $ssl_cipher;

Slide 21

Slide 21 text

Analyse Protocol Usage
• What percentage is using
  • SSL v2? Hopefully 0
  • SSL v3? Hopefully under 1%, but look who is using it. I'm seeing Yandex use it for their bots.
  • TLS v1.0, 1.1, 1.2? Each is hopefully not 0

Slide 22

Slide 22 text

Analyse Cipher Suites
• After a day you'll have enough data
• Analyse cipher suite usage; in particular look for old ones such as
  • Anything with 'RC4'
  • Anything with 'DES'
  • Hopefully nothing with MD2, MD4
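
The protocol and cipher analysis from Step 2, as an added example (not code from the talk). It assumes an Apache combined log with "%{SSL_PROTOCOL}x %{SSL_CIPHER}x" appended as the last two fields; the log lines, addresses and user agents are constructed samples.

```python
import re
from collections import Counter

# Constructed sample: combined log format plus the two SSL fields at the end.
SAMPLE_LOG = '''\
198.51.100.7 - - [20/Mar/2014:10:00:01 +0900] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 Chrome/33.0" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
198.51.100.8 - - [20/Mar/2014:10:00:02 +0900] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 Firefox/27.0" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
198.51.100.9 - - [20/Mar/2014:10:00:03 +0900] "GET /a HTTP/1.1" 200 90 "-" "Mozilla/5.0 Safari/7.0" TLSv1.2 AES128-SHA
203.0.113.5 - - [20/Mar/2014:10:00:04 +0900] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (MSIE 8.0; Windows NT 5.1)" TLSv1 DES-CBC3-SHA
203.0.113.9 - - [20/Mar/2014:10:00:05 +0900] "GET /robots.txt HTTP/1.1" 200 40 "-" "Mozilla/5.0 (compatible; YandexBot/3.0)" SSLv3 RC4-SHA
192.0.2.44 - - [20/Mar/2014:10:00:06 +0900] "GET / HTTP/1.1" 301 0 "-" "curl/7.30.0" - -
'''

# User agent (last quoted field), then protocol and cipher at end of line.
LINE_RE = re.compile(r'"(?P<agent>[^"]*)" (?P<proto>\S+) (?P<cipher>\S+)$')
LEGACY_MARKERS = ("RC4", "DES", "MD2", "MD4")  # strings the slide says to look for


def analyse(log_text):
    """Tally protocol share, cipher counts, legacy suites and SSLv3 clients."""
    protocols, ciphers, sslv3_agents = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] == "-":      # unparseable or plain-HTTP request
            continue
        protocols[m["proto"]] += 1
        ciphers[m["cipher"]] += 1
        if m["proto"] == "SSLv3":           # "look who is using it"
            sslv3_agents[m["agent"]] += 1
    total = sum(protocols.values())
    return {
        "protocol_share": {p: round(100.0 * n / total, 1) for p, n in protocols.items()},
        "cipher_counts": dict(ciphers),
        "legacy_ciphers": sorted(c for c in ciphers if any(k in c for k in LEGACY_MARKERS)),
        "sslv3_agents": dict(sslv3_agents),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

The keys of `cipher_counts` are also the suites that are really in use, which is the input for the cleanup in Step 3.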

Slide 23

Slide 23 text

Step 3. Cleanup Configuration

Slide 24

Slide 24 text

OpenSSL Cipher Suite Macros
• It's likely your current configuration uses OpenSSL cipher suite macros.
• Allows you to configure the set of cipher suites using set operations (union/intersection, add/subtract, whitelist/blacklist)
• Allows for a very compact representation of what ciphers you allow.
• Or do they?

Slide 25

Slide 25 text

Do Not Use Them
• They are hard to read
• They hide your intentions
• OpenSSL has made subtle changes in how they work from release to release.
• Operating systems sometimes remove suites.
• They are incomplete and/or undocumented.
• Probably don't do what you think they do.

Slide 26

Slide 26 text

Be Explicit
• If there were thousands of cipher suites, macros might make sense. There are not.
• Whitelist the ciphers you want.
• If it's not on the list, it isn't used.
• Makes clear which cipher suites you are using, and in what order.

Slide 27

Slide 27 text

Example
SSLProtocol ALL -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH
• Expands to over 70 cipher suites.
• Many aren't useable for public websites
• Breaks old Windows XP compatibility
• Some have serious performance implications
• The most preferred cipher is ECDHE-RSA-AES256-GCM-SHA384 - ouch

Slide 28

Slide 28 text

Convert to Explicit List
• DO THIS ON A PRODUCTION MACHINE. Results will be different depending on what version of OpenSSL is installed and your OS version
• openssl ciphers 'ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH'
• 70 on my Ubuntu box.
• 9 on my Mac laptop
• (use 'openssl ciphers -v' to get more information)

Slide 29

Slide 29 text

Delete everything not used
• Delete everything that is not being used, based on your site analysis.
• This is the CipherSuite you are really using.
• It probably contains under 10 entries.
• Maybe as low as 1 or 2!
  DES-CBC3-SHA:AES128-SHA

Slide 30

Slide 30 text

Step 3. The Art of SSL Configuration

Slide 31

Slide 31 text

Let's Get Updated
• Protocols
• Ciphers
• Other Stuff

Slide 32

Slide 32 text

Protocols
• SSL v2: Broken. Do not use.
• SSL v3: Almost secure... might be ok to eliminate
• TLS 1.0: "ok"
• TLS 1.1: No known practical attacks
• TLS 1.2: Best available; includes new ciphers

Slide 33

Slide 33 text

AES is The Cipher
• You can have a 'secure' website with exactly one cipher.
• AES128-SHA
• Just this will get you an "A" on SSLLabs (with other settings being correct)
• It is the de facto public web standard.
• Hardware accelerated in recent Intel CPUs

Slide 34

Slide 34 text

AES128 vs. AES256 bit keys
• First, to my knowledge, there is no client that forces 256-bit keys and does not use 128-bit keys.
• There is no evidence that AES256 is 'more secure' in practical terms than AES128.
• 256 definitely is slower.

Slide 35

Slide 35 text

RC4 (aka Arc4)
• Likely broken.
• RC4-MD5 may still be used in old cell phones.
• Only your usage analysis can tell you if you should use it.
• A replacement is coming but it's not ready yet (Cha-Cha stream cipher)

Slide 36

Slide 36 text

DES
• 1970s technology.
• Yeah, sadly, some Windows XP installations do not support AES, cannot support RC4, and so can only use DES!

Slide 37

Slide 37 text

Everything Else
• Not required, unless you need to meet some country-specific regulation.

Slide 38

Slide 38 text

Asymmetric Ciphers
• RSA: The standard. If the key is compromised, an eavesdropper can decode all traffic and any traffic previously captured.
• ECDHE: Works in a completely different way. The 'E' at the end is important. It means every connection gets a different key. Key compromise means old communication remains safe.

Slide 39

Slide 39 text

Compression
• Compression is normally a good thing
• Not in SSL
• SSLCompression off (this is the default)

Slide 40

Slide 40 text

Pulling it All Together

Slide 41

Slide 41 text

The Basics
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDHE-RSA-DES-CBC3-SHA
ECDHE-RSA-RC4-SHA
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256
AES256-SHA256
AES128-SHA
AES256-SHA
DES-CBC3-SHA
RC4-SHA

Slide 42

Slide 42 text

Add TLS v1.2 Enhancements
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDHE-RSA-DES-CBC3-SHA
ECDHE-RSA-RC4-SHA
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256
AES256-SHA256
AES128-SHA
AES256-SHA
DES-CBC3-SHA
RC4-SHA
These protect against surprises.

Slide 43

Slide 43 text

Recommended: Add Perfect Forward Secrecy
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDHE-RSA-DES-CBC3-SHA
ECDHE-RSA-RC4-SHA
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256
AES256-SHA256
AES128-SHA
AES256-SHA
DES-CBC3-SHA
RC4-SHA
Recommended but not required. Needs an up-to-date OS and version of OpenSSL

Slide 44

Slide 44 text

Add 256-bit variations
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDHE-RSA-DES-CBC3-SHA
ECDHE-RSA-RC4-SHA
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256
AES256-SHA256
AES128-SHA
AES256-SHA
DES-CBC3-SHA
RC4-SHA
Monitor to see who and how often 256-bit ciphers are actually used

Slide 45

Slide 45 text

Add Legacy
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDHE-RSA-DES-CBC3-SHA
ECDHE-RSA-RC4-SHA
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256
AES256-SHA256
AES128-SHA
AES256-SHA
DES-CBC3-SHA
RC4-SHA
And add other (secure) ciphers you found in your analysis

Slide 46

Slide 46 text

Bonus: Legacy PFS
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDHE-RSA-DES-CBC3-SHA
ECDHE-RSA-RC4-SHA
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256
AES256-SHA256
AES128-SHA
AES256-SHA
DES-CBC3-SHA
RC4-SHA
Very Very Optional: please analyse your traffic to see if this is worthwhile

Slide 47

Slide 47 text

There are other possible secure orderings and selections of cipher suites.

Slide 48

Slide 48 text

Step 4: Check what is really happening

Slide 49

Slide 49 text

First Check Your Configuration With SSLLabs
• It is always the most up-to-date resource
• Fix any obvious problems (hopefully none)
• Getting an A or A- should be easy

Slide 50

Slide 50 text

OpenSSL Allows Silent Failure
• OpenSSL allows spelling errors in Cipher Suites without warnings or errors
• It only requires one valid cipher in your list for your web server to start!
• You -must- check your explicit list against what is showing up in SSLLabs.
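
A local pre-check for the silent failure described above, as an added example (not code from the talk). It uses Python's ssl module, which reports what the OpenSSL build linked into Python accepts; that build may differ from the one your web server links against, so it complements the SSLLabs check rather than replacing it. The configured list is constructed and contains two deliberate misspellings.

```python
import ssl

# Constructed list: one valid suite followed by two misspelt names.
CONFIGURED = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA265:AES128-SHAA"


def check_cipher_list(configured):
    """Split an explicit suite list into (effective, ignored) names."""
    names = [n for n in configured.split(":") if n]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        # Like the web server, this succeeds as long as ONE name is valid.
        ctx.set_ciphers(configured)
    except ssl.SSLError:
        return [], names                # not a single name was recognised
    # What OpenSSL actually enabled (TLS 1.3 suites may appear here as well).
    enabled = {c["name"] for c in ctx.get_ciphers()}
    effective = [n for n in names if n in enabled]
    ignored = [n for n in names if n not in enabled]
    return effective, ignored


if __name__ == "__main__":
    effective, ignored = check_cipher_list(CONFIGURED)
    print("OpenSSL build:   ", ssl.OPENSSL_VERSION)
    print("effective:       ", effective)
    print("silently ignored:", ignored)
```

Names that are spelt correctly but have been removed from the local OpenSSL build also land in the ignored list, which is the other surprise the talk warns about.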

Slide 51

Slide 51 text

What happens if a client tries to connect with a protocol or cipher that you do not support?

Slide 52

Slide 52 text

Client-Side

Slide 53

Slide 53 text

Server-Side
Nothing in error log!
Nothing in access log!

Slide 54

Slide 54 text

Monitor Yourself

Slide 55

Slide 55 text

Now that you have a configuration you like, make sure it stays that way.

Slide 56

Slide 56 text

Things that can go wrong and cause silent failures
• If you have multiple OpenSSL installations, Apache can link to the wrong version
• Source control problems (bad merge, reversion)
• OS upgrades that overwrite your custom configurations
• People changing things.

Slide 57

Slide 57 text

Make Unit Tests for your Infrastructure!

Slide 58

Slide 58 text

Introducing SSLAssert
• SSL fact generation for your site
• Run it every day
• Ideally the output never changes
• If it does…..

Slide 59

Slide 59 text

$ export OPENSSL=/usr/local/Cellar/openssl/1.0.1e/bin/openssl
$ ./sslassert.sh www.google.com
openssl-command: /usr/local/Cellar/openssl/1.0.1e/bin/openssl
openssl-target: https://www.google.com:443/
openssl-version: 'OpenSSL 1.0.1e 11 Feb 2013'
smoke-test: on
certificate-checksum: 0562dbbd5fa60dad7a6ef8bb6a53b89d961ee84a
certificate-common-name: www.google.com
certificate-length: 2048
certificate-days-until-expiration: 72
certificate-chain-length: 3
certificate-chain-self-signed: off
protocol-tls-v12: on
protocol-tls-v12-default: ECDHE-RSA-AES128-GCM-SHA256
cipher-suite-AES128-GCM-SHA256: on
cipher-suite-AES128-SHA256: on
cipher-suite-AES256-GCM-SHA384: on
cipher-suite-AES256-SHA256: on
cipher-suite-ECDHE-RSA-AES128-GCM-SHA256: on
cipher-suite-ECDHE-RSA-AES128-SHA256: on
cipher-suite-ECDHE-RSA-AES256-GCM-SHA384: on
cipher-suite-ECDHE-RSA-AES256-SHA384: on
protocol-tls-v11: on
protocol-tls-v11-default: ECDHE-RSA-AES128-SHA
protocol-tls-v10: on
protocol-tls-v10-default: ECDHE-RSA-RC4-SHA
protocol-ssl-v3: on
protocol-ssl-v3-default: ECDHE-RSA-RC4-SHA
protocol-ssl-v2: off
etc…
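
One way to act on "ideally the output never changes", as an added example (not part of sslassert or the talk): compare today's facts with a stored baseline and report every difference. The baseline is an excerpt of the output above; the second run, the `<absent>` marker and the 30-day expiry threshold are assumptions made for illustration.

```python
# Baseline: an excerpt of the sslassert output shown on the slide.
BASELINE = """\
certificate-checksum: 0562dbbd5fa60dad7a6ef8bb6a53b89d961ee84a
certificate-days-until-expiration: 72
protocol-tls-v12: on
cipher-suite-AES256-SHA256: on
protocol-ssl-v3: on
protocol-ssl-v2: off
"""

# Constructed next run: SSL v2 is back on and one suite has disappeared.
TODAY = """\
certificate-checksum: 0562dbbd5fa60dad7a6ef8bb6a53b89d961ee84a
certificate-days-until-expiration: 71
protocol-tls-v12: on
protocol-ssl-v3: on
protocol-ssl-v2: on
"""

# This fact counts down every day by design, so it is checked against a
# threshold instead of being diffed.
VOLATILE = "certificate-days-until-expiration"


def parse_facts(text):
    """Parse 'name: value' fact lines into a dict, skipping anything else."""
    facts = {}
    for line in text.splitlines():
        name, sep, value = line.partition(": ")
        if sep and not line.startswith("$"):    # ignore shell prompt lines
            facts[name.strip()] = value.strip()
    return facts


def diff_facts(baseline, today, min_days=30):
    """Return one alert string per fact that was added, removed or changed."""
    old, new = parse_facts(baseline), parse_facts(today)
    alerts = []
    for name in sorted((old.keys() | new.keys()) - {VOLATILE}):
        before, after = old.get(name, "<absent>"), new.get(name, "<absent>")
        if before != after:
            alerts.append(f"{name}: {before} -> {after}")
    days = new.get(VOLATILE)
    if days is None or int(days) < min_days:    # missing fact is also an alert
        alerts.append(f"{VOLATILE}: {days} (minimum {min_days})")
    return alerts


if __name__ == "__main__":
    print("\n".join(diff_facts(BASELINE, TODAY)) or "no changes")
```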

Slide 60

Slide 60 text

On Github
• https://github.com/client9/sslassert
• in bash.
• Ruby has really nice OpenSSL bindings. Consider rewriting for your needs.
• Please use as an example

Slide 61

Slide 61 text

What Else Can You Test?
• What else can you unit test?
• Pages that must be SSL or require auth.
• Certificate ID
• DNS records?
• Is your site on Google Safe Browsing blacklist?
• All of these should never change, but if they do, you should know about it.

Slide 62

Slide 62 text

Summary
• Upgrade!
• Monitor your customers' usage of SSL
• Simplify your Configuration
• Monitor your SSL configuration with SSLLabs and your own sslassert - Unit Tests for Infrastructure.
• Repeat every 6 months - put it in your calendar
• Relax!