1 \section{Recommendations on practical settings}
2
3
4 \subsection{SSL}
5
6 %%% NOTE: we do not need to list this all here, can move to an appendix
7 %At the time of this writing, SSL is defined in RFCs:   
8 %
9 %\begin{itemize}
10 %\item RFC2246 - TLS1.0         
11 %\item RFC3268 - AES            
12 %\item RFC4132 - Camellia
13 %\item RFC4162 - SEED           
14 %\item RFC4279 - PSK            
15 %\item RFC4346 - TLS 1.1                
16 %\item RFC4492 - ECC            
17 %\item RFC4785 - PSK\_NULL              
18 %\item RFC5246 - TLS 1.2                
19 %\item RFC5288 - AES\_GCM               
20 %\item RFC5289 - AES\_GCM\_SHA2\_ECC            
21 %\item RFC5430 - Suite B                
22 %\item RFC5487 - GCM\_PSK               
23 %\item RFC5489 - ECDHE\_PSK             
24 %\item RFC5932 - Camellia
25 %\item RFC6101 - SSL 3.0                
26 %\item RFC6209 - ARIA           
27 %\item RFC6367 - Camellia
28 %\item RFC6655 - AES\_CCM               
29 %\item RFC7027 - Brainpool Curves               
30 %\end{itemize}
31
32 \subsubsection{Overview of SSL Server settings}
33
34 Most server software (web servers, mail servers, etc.) can be configured to prefer certain cipher suites over others.
35 We followed the recommendations in Ivan Ristic's SSL/TLS Deployment Best Practices\footnote{\url{https://www.ssllabs.com/projects/best-practices/index.html}} document (see section 2.2 ``Use Secure Protocols'') and arrived at a list of recommended cipher suites for SSL-enabled servers.
36
37 The result of following his advice is a categorisation of cipher suites.
38
39 \begin{center}
40 \begin{tabular}{| l | l | l | l | l|}
41 \hline
42 & Version   & Key\_Exchange  & Cipher    & MAC       \\ \hline
43 \cellcolor{green}prefer  & TLS 1.2   & DHE\_DSS   & AES\_256\_GCM   & SHA384        \\ \hline
44     &   & DHE\_RSA   & AES\_256\_CCM   & SHA256        \\ \hline
45     &   & ECDHE\_ECDSA   & AES\_256\_CBC   &       \\ \hline
46     &   & ECDHE\_RSA &   &       \\ \hline
47     &   &   &   &       \\ \hline
48 \cellcolor{orange}consider    & TLS 1.1   & DH\_DSS    & AES\_128\_GCM   & SHA       \\ \hline
49     & TLS 1.0   & DH\_RSA    & AES\_128\_CCM   &       \\ \hline
50     &   & ECDH\_ECDSA    & AES\_128\_CBC   &       \\ \hline
51     &   & ECDH\_RSA  & CAMELLIA\_256\_CBC  &       \\ \hline
52     &   & RSA   & CAMELLIA\_128\_CBC  &       \\ \hline
53     &   &   &   &       \\ \hline
54 \cellcolor{red}avoid   
55 & SSL 3.0   & NULL  & NULL  & NULL      \\ \hline
56     &   & DH\_anon   & RC4\_128   & MD5       \\ \hline
57     &   & ECDH\_anon & 3DES\_EDE\_CBC  &       \\ \hline
58     &   &   & DES\_CBC   &       \\ \hline
59     &   &   &   &       \\ \hline
60 \cellcolor{blue}{\color{white}special }
61 &   & PSK   & CAMELLIA\_256\_GCM  &       \\ \hline
62     &   & DHE\_PSK   & CAMELLIA\_128\_GCM  &       \\ \hline
63     &   & RSA\_PSK   & ARIA\_256\_GCM  &       \\ \hline
64     &   & ECDHE\_PSK & ARIA\_256\_CBC  &       \\ \hline
65     &   &   & ARIA\_128\_GCM  &       \\ \hline
66     &   &   & ARIA\_128\_CBC  &       \\ \hline
67     &   &   & SEED  &       \\ \hline
68 \end{tabular}
69 \end{center}
70
71 A remark on the ``consider'' section: the BSI (Bundesamt f\"ur Sicherheit in der Informationstechnik, Germany) recommends in its technical report TR-02102-2\footnote{\url{https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2_pdf.html}} to \textbf{avoid} non-ephemeral\footnote{Ephemeral keys (perfect forward secrecy) denote a property where session keys are destroyed upon termination of the encrypted session, so that a later compromise of the server's long-term private key does not expose earlier sessions.} keys for any communication which might contain personal or sensitive data. In this document, we follow the BSI's advice and therefore only keep cipher suites containing (EC)DH\textbf{E} variants. System administrators who cannot use perfect forward secrecy can still use the cipher suites in the ``consider'' section; we, however, do not recommend them in this document.
72
73 Note that the entries marked as ``special'' are cipher suites which are not common to all clients (web browsers etc.).
74
75
76 \subsubsection{Client recommendations}
77  
78 Next we tested the cipher suites above on the following clients:
79
80 \begin{itemize}
81 \item Chrome 30.0.1599.101 Mac OS X 10.9
82 \item Safari 7.0 Mac OS X 10.9
83 \item Firefox 25.0 Mac OS X 10.9
84 \item Internet Explorer 10 Windows 7
85 \item Apple iOS 7.0.3
86 \end{itemize}
87
88
89 Testing the cipher suites with these clients gives us the following result and preference order.
90 Should a client not be able to use a specific cipher suite, it will fall back to the next possible entry as given by the ordering.
91
92 \begin{center}
93 \begin{table}[h]
94 \small
95     \begin{tabular}{|l|l|l|l|l|}
96     \hline
97     Pref & Cipher Suite                                   & ID         & Browser                     \\ \hline
98     1    & TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA384 &     0xC024 & Safari                      \\ \hline
99     2    & TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384   &     0xC028 & Safari                      \\ \hline
100     3    & TLS\_DHE\_RSA\_WITH\_AES\_256\_CBC\_SHA256     &     0x006B & Safari, Chrome              \\ \hline
101     4    & TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA    &     0xC00A & Safari, Chrome, Firefox, IE \\ \hline
102     5    & TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA      &     0xC014 & Safari, Chrome, Firefox, IE \\ \hline
103     6    & TLS\_DHE\_RSA\_WITH\_AES\_256\_CBC\_SHA        &     0x0039 & Safari, Chrome, Firefox     \\ \hline
104     7    & TLS\_DHE\_DSS\_WITH\_AES\_256\_CBC\_SHA        &     0x0038 & Firefox, IE                 \\ \hline
105     8    & TLS\_DHE\_RSA\_WITH\_CAMELLIA\_256\_CBC\_SHA   &     0x0088 & Firefox                     \\ \hline
106     9    & TLS\_DHE\_DSS\_WITH\_CAMELLIA\_256\_CBC\_SHA   &     0x0087 & Firefox                     \\ \hline
107     \end{tabular}
108 \caption{Preference order of cipher suites}
109 \end{table}
110 \end{center}
111
112 \FloatBarrier
113
114 The same data again, specifying the OpenSSL name:
115
116 \begin{center}
117 \begin{table}[h]
118 \small
119     \begin{tabular}{|l|l|l|}
120     \hline
121     Cipher Suite                                   & ID            & OpenSSL Name                  \\ \hline
122     TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA384 &     0xC024 &     ECDHE-ECDSA-AES256-SHA384 \\ \hline
123     TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384   &     0xC028 &     ECDHE-RSA-AES256-SHA384   \\ \hline
124     TLS\_DHE\_RSA\_WITH\_AES\_256\_CBC\_SHA256     &     0x006B &     DHE-RSA-AES256-SHA256     \\ \hline
125     TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA    &     0xC00A &     ECDHE-ECDSA-AES256-SHA    \\ \hline
126     TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA      &     0xC014 &     ECDHE-RSA-AES256-SHA      \\ \hline
127     TLS\_DHE\_RSA\_WITH\_AES\_256\_CBC\_SHA        &     0x0039 &     DHE-RSA-AES256-SHA        \\ \hline
128     TLS\_DHE\_DSS\_WITH\_AES\_256\_CBC\_SHA        &     0x0038 &     DHE-DSS-AES256-SHA        \\ \hline
129     TLS\_DHE\_RSA\_WITH\_CAMELLIA\_256\_CBC\_SHA   &     0x0088 &     DHE-RSA-CAMELLIA256-SHA   \\ \hline
130     TLS\_DHE\_DSS\_WITH\_CAMELLIA\_256\_CBC\_SHA   &     0x0087 &     DHE-DSS-CAMELLIA256-SHA   \\ \hline
131     \end{tabular}
132 \caption{Preference order of cipher suites, with OpenSSL names}
133 \end{table}
134 \end{center}
135
136
137
138 Based on this ordering, we can now define the corresponding settings for servers. We will start with the most common web servers.
139
140 \subsubsection{Apache}
141
142 Note: a ``\textbackslash'' (backslash) at the end of a line denotes a line continuation; the line was wrapped here for formatting reasons. Do not copy it verbatim.
143
144 \begin{verbatim}
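# Protocols: SSLv2 and SSLv3 are both switched off. SSL 3.0 is listed
# under "avoid" in the overview table, so it must not stay enabled.
SSLProtocol All -SSLv2 -SSLv3
# Use the server's preference order (the SSLCipherSuite order below)
# instead of the client's.
SSLHonorCipherOrder On
# Cipher list, most preferred first; the explicit names follow the
# preference table above.
# NOTE(review): ECDH+AESGCM and DH+AESGCM are selectors, not suite
# names; which suites they expand to depends on the OpenSSL build and
# may include fixed (EC)DH suites. Check the result with:
#   openssl ciphers -v '<cipher string>'
# NOTE(review): !DSS deletes all DSS-authenticated suites, so the two
# DHE-DSS-* names below are never offered although the preference
# table lists them. Drop either !DSS or the two names - confirm intent.
SSLCipherSuite  ECDH+AESGCM:DH+AESGCM:\
  ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:\
  DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-SHA:\
  ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:\
  DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:\
  DHE-DSS-CAMELLIA256-SHA:!ADH:!AECDH:!MD5:!DSS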
153 \end{verbatim}
154
155 %XXXX   ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
156
157
158
159 \subsubsection{nginx}
160
161
162 \subsubsection{openssl.conf settings}
163
164 %\subsubsection{Differences in SSL libraries: gnutls vs. openssl vs. others}
165
166 \subsubsection{IMAPS}
167 \subsubsection{SMTP: opportunistic TLS}
168 % do we need to document starttls in detail?
169 %\subsubsection{starttls?}
170
171 \subsection{SSH}
172
173 \subsection{OpenVPN}
174
175 \subsection{PGP}
176
177 \subsection{PRNG settings}