The Art and Science of SSL Configuration Nick Galbreath! OWASP APAC 2014! Tokyo, Japan

Slides Are Online Now http://bit.ly/OaiFrf O = Oh 0 = zero

Who am I • Nick Galbreath (χοΫɹΨϧϒϨεʣ! • nickg@signalsciences.com! • @ngalbreath

Context When I say SSL 
 I mean
 SSL and/or TLS

Context! • This talk is for web-application security for commerce. • If you are hosting content that makes governments or police angry, you are at the wrong talk.

Context! • I will use examples for Apache / OpenSSL • However this all applies to nginx / OpenSSL • And very likely applies to GnuTLS users • Sorry, I'm not familiar with Java and SSL

What's the Goal for Today? • Allow you to understand 
 what you are doing right now. • How to change your SSL settings safely • How to get a minimal understanding of cipher suite selection • How to monitor your site, so SSL surprises don't happen.

For More Details • Ivan Ristic is The SSL Expert. • https://www.ssllabs.com/ • http://blog.ivanristic.com/ • And buy his new book! 
 https://www.feistyduck.com/


The Art and Science of SSL Configuration?

SSL Configuration • Essential part of your system's security • It should be standardised, and should be boring • But, yet, it's really confusing!

The Science • Some things work • Some things do not

The Art • Only you know your system • Only you know your audience and customers • Only you know your threats • There are many ways to be 'secure'

Step 1: Get Up To Date

#1 Most Important Thing • Update your OS to latest patch level • If you are using Apache 1.3 - stop,
 and just focus on getting up to date
 with Apache 2.2 or 2.4
 (same with nginx users — get up to date) • This will update your OpenSSL library, fixing numerous problems

Unless you are an Expert.. • I do not recommend building your own Apache or OpenSSL • Too many things can go wrong. • Using latest patch from OS provider is likely better than what you can do.

Just Doing An Update • Should not cause any performance problems. • It's possible but highly unlikely, CPU load might go up due to new ciphers being selected. If this happens, then add • SSLHonorCipherOrder on • SSLCipherSuite: AES-128:your-previous-values

Step 2: Understanding what your actually doing

The Next Most Important Thing You Can Do Is Monitor Your Current SSL Usage

Add to Log File Apache • Add to your existing log or create a new one • Apache: Add the following to your CustomLog in • %{SSL_PROTOCOL}x %{SSL_CIPHER}x • http://httpd.apache.org/docs/2.2/mod/mod_ssl.html

Add HTTP Headers • This allows your application to log or decide. • Apache: use mod_header
 Header set X-SSL-Protocol %{SSL-Protocol}s
 Header set X-SSL-Cipher %{SSL-Cipher}s • NGINX: proxy_set_header X-SSL-Protocol $ssl_protocol; proxy_set_header X-SSL-Cipher $ssl_cipher;

Analyse Protocol Usage • What percentage is using • SSL v2? - -hopefully 0 • SSL v3? — hopefully under 1% but look who is using. I'm seeing Yandex use it for their bots. • TLS v1.0, 1.1, 1.2? each is hopefully not 0

Analyse Cipher Suites • After a day you'll have enough data • Analyse cipher suite usage, in particular look for olds one such as • Anything with 'RC4' • Anything with 'DES' • Hopefully nothing with MD2, MD4

Step 3. Cleanup Configuration

OpenSSL
 Cipher Suite Macros • It's likely your current configuration uses OpenSSL cipher suite macros. • Allows you to configure the set of cipher suites using set operations (union/intersection, add/ subtract, whitelist/blacklist) • Allows for a very compact representation what ciphers you allow. • Or do they?

Do Not Use Them • They are hard to read • They hide your intentions • OpenSSL has made subtle changes in how they work from release to release. • Operating systems sometimes remove suites. • They are incomplete and/or undocumented. • Probably don't do what you think they do.

Be Explicit • If there were thousands of ciphers suites, it might make sense. We do not. • Whitelist ciphers you want. • If its not on the list, they aren't used. • Makes clear what, and in what order what cipher suite you are using.

Example SSLProtocol ALL -SSLv2 SSLHonorCipherOrder On SSLCipherSuite ALL:!ADH:!NULL:!EXP:! SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH • Expands to over 70 cipher suites. • Many aren't useable for public websites • Breaks old Windows XP compatibility • Some have serious performance implications • The most preferred cipher is — 
 ECDHE-RSA-AES256-GCM-SHA384 - ouch

Convert to Explicit List • DO THIS ON A PRODUCTION MACHINE. Results will be different depending on what version of OpenSSL is installed and your OS version • openssl ciphers "ALL:!ADH:!NULL:!EXP:! SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH" • 70 on my ubuntu box. • 9 on my mac laptop • (use 'openssl ciphers -v' to get more information)

Delete everything not used • Delete everything that is not being used, based on your site analysis. • This is the CipherSuite you are really using. • It probably contains under 10 entries. • Maybe as low as 1 or 2!
 DES-CBC3-SHA:AES128-SHA

Step 3. The Art of SSL Configuration

Let's Get Updated • Protocols • Ciphers • Other Stuff

Protocols • SSL v2 — Broken. Do not use.! • SSL v3 — Almost secure.. 
 might be ok to eliminate! • TLS 1.0 - "ok"! • TLS 1.1 - No known practical attacks! • TLS 1.2 — Best available; includes new ciphers

AES is The Cipher • You can have a 'secure' website with exactly one cipher. • AES128-SHA • Just this will get you an "A" on SSLLabs 
 (with other settings being correct) • It is the defacto public web standard. • Hardware accelerated in recent Intel CPUs

AES128 vs. AES256 bit keys • First, to my knowledge, there is no client that forces 256-bits keys and does not use 128-keys. • There is no evidence that AES256 is 'more secure' in practical terms than AES128. • 256 definitely is slower.

RC4 (aka Arc4) • Likely broken. • RC5-MD5 may be used in old cell phones still. • Only your usage analysis can tell you if you should use it. • A replacement is coming but it's not ready yet (Cha-Cha stream cipher)

DES • 1970s technology. • Yeah, sadly, some Windows XP installations do not support AES, cannot support RC4, and so can only use DES!

Everything Else • Not required, unless you need to meet some country-specific regulation.

Asymmetric Ciphers • RSA - The standard. If the key is compromised, an eavesdropper can decode all traffic and any traffic previously captured. • ECDHE — Works in a completely different way. The 'E' at the end is important. It means every connection gets a different key. Key compromise means old communication remains safe.

Compression! • Compression is normally a good thing • Not in SSL • SSLCompression false (this the default)

Pulling it All Together

The Basics ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DES-CBC3-SHA RC4-SHA:

Add TLS v1.2 Enhancements ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DES-CBC3-SHA RC4-SHA: These protect
 against surprises.

Recommend Add Prefect Forward Secrecy ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DES-CBC3-SHA RC4-SHA: Recommended but not required.! Needs an up-to-date OS and 
 version of OpenSSL

Add 256-bit variations ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DES-CBC3-SHA RC4-SHA: Monitor to see who
 and how often
 256-bit ciphers 
 are actually used

Add Legacy ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DES-CBC3-SHA RC4-SHA And add other
 (secure) ciphers 
 you found in
 your analysis

Bonus: Legacy PFS ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DES-CBC3-SHA RC4-SHA Very Very Optional
 please analyse you traffic 
 to see if this is worthwhile

There are other possible secure orderings and selections of cipher suites.

Step 4: Check what is really happening

First Check Your Configuration With SSLLabs • It is always the most up-to-date resource • Fix any obvious problems (hopefully none) • Getting an A or A- should be easy

OpenSSL Allows
 Silent Failure • OpenSSL allows spelling errors in Cipher Suites without warnings or errors • It only requires one valid cipher in your list for your web server to start! • You -must- check your explicit list against what is showing up in SSLLabs.

What happens if a client tries to connect with a protocol or cipher 
 that you do not support?

Client-Side

Server-Side Nothing in error log! Nothing in access log! !

Monitor Yourself

Now that you have a configuration you like, make sure it stays that way.

Things that can go wrong and cause silent failures • If you have multiple OpenSSL installations, Apache can link to wrong version • Source control problems (bad merge, reversion) • OS Upgrades that overwrite your custom configurations • People changing things.

Make Unit Tests for your Infrastructure!

Introducing SSLAssert • SSL fact generation for your site • Run it every day • Ideally the output never changes • If it does…..

$ export OPENSSL=/usr/local/Cellar/openssl/1.0.1e/bin/openssl $ ./sslassert.sh www.google.com openssl-command: /usr/local/Cellar/openssl/1.0.1e/bin/openssl openssl-target: https://www.google.com:443/ openssl-version: 'OpenSSL 1.0.1e 11 Feb 2013' smoke-test: on certificate-checksum: 0562dbbd5fa60dad7a6ef8bb6a53b89d961ee84a certificate-common-name: www.google.com certificate-length: 2048 certificate-days-until-expiration: 72 certificate-chain-length: 3 certificate-chain-self-signed: off protocol-tls-v12: on protocol-tls-v12-default: ECDHE-RSA-AES128-GCM-SHA256 cipher-suite-AES128-GCM-SHA256: on cipher-suite-AES128-SHA256: on cipher-suite-AES256-GCM-SHA384: on cipher-suite-AES256-SHA256: on cipher-suite-ECDHE-RSA-AES128-GCM-SHA256: on cipher-suite-ECDHE-RSA-AES128-SHA256: on cipher-suite-ECDHE-RSA-AES256-GCM-SHA384: on cipher-suite-ECDHE-RSA-AES256-SHA384: on protocol-tls-v11: on protocol-tls-v11-default: ECDHE-RSA-AES128-SHA protocol-tls-v10: on protocol-tls-v10-default: ECDHE-RSA-RC4-SHA protocol-ssl-v3: on protocol-ssl-v3-default: ECDHE-RSA-RC4-SHA protocol-ssl-v2: off etc…

On Github • https://github.com/client9/sslassert • in bash. • Ruby has really nice OpenSSL bindings. 
 Consider rewriting for your needs. • Please use as an example

What Else Can You Test? • What else can you unit test? • Pages that must be SSL or require auth. • Certificate ID • DNS records? • Is your site on Google Safe Browsing blacklist? • All of these should never change, but if they do, you should know about it.

Summary • Upgrade! • Monitor your customer's usage of SSL • Simplify your Configuration • Monitor your SSL configuration with SSLLabs and 
 your own sslassert - Unit Tests for Infrastructure. • Repeat every 6 months — put it in your calendar • Relax!