\section{Recommendations on practical settings}

\subsection{Webservers}

%-All +TLSv1.1 +TLSv1.2
\begin{lstlisting}[breaklines]
  SSLProtocol All -SSLv2 -SSLv3
  SSLHonorCipherOrder On
  # Add six earth month HSTS header for all users...
  Header add Strict-Transport-Security "max-age=15768000"
  # If you want to protect all subdomains, use the following header
  # ALL subdomains HAVE TO support https if you use this!
  # Strict-Transport-Security: max-age=15768000 ; includeSubDomains

  SSLCipherSuite 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA'
\end{lstlisting}

Note again that any cipher suite starting with ECDHE can be omitted in case of doubt.
%% XXX NOTE TO SELF: remove from future automatically generated lists!

You should redirect everything to httpS:// if possible. In Apache you can do this with the following setting inside of a VirtualHost environment:

\begin{lstlisting}[breaklines]
  # mod_rewrite has to be switched on for the rule to take effect
  RewriteEngine On
  RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=permanent]
\end{lstlisting}

%XXXX ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS

\subsubsection{lighttpd}

%% Note: need to be checked / reviewed

%% Complete ssl.cipher-list with same algo than Apache
\todo{FIXME: this string seems to be wrongly formatted}

\begin{lstlisting}[breaklines]
  $SERVER["socket"] == "0.0.0.0:443" {
    # TLS has to be enabled on the socket for the settings below to apply
    ssl.engine = "enable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.use-compression = "disable"
    ssl.pemfile = "/etc/lighttpd/server.pem"
    # lighttpd strings are written in double quotes
    ssl.cipher-list = "EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA"
    ssl.honor-cipher-order = "enable"
    setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=31536000")
  }
\end{lstlisting}

As with any other webserver, you should automatically redirect http traffic to httpS:\footnote{This configuration comes directly from the lighttpd documentation: \url{http://redmine.lighttpd.net/projects/1/wiki/HowToRedirectHttpToHttps}}

\begin{lstlisting}[breaklines]
  $HTTP["scheme"] == "http" {
    # capture vhost name with regex conditional -> %0 in redirect pattern
    # must be the most inner block to the redirect rule
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
  }
\end{lstlisting}

\begin{lstlisting}[breaklines]
  ssl_prefer_server_ciphers on;
  # nginx only accepts a list of protocols to enable; SSLv2 and SSLv3 are left out
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA';
  add_header Strict-Transport-Security max-age=2592000;
  add_header X-Frame-Options DENY;
\end{lstlisting}

%% XXX FIXME: do we need to specify dhparams? Parameter: ssl_dhparam = file. See: http://wiki.nginx.org/HttpSslModule#ssl_protocols

If you decide to trust NIST's ECC curve recommendation, you can add the following line to nginx's configuration file to select special curves:

\begin{lstlisting}[breaklines]
  ssl_ecdh_curve sect571k1;
\end{lstlisting}

You should redirect everything to httpS:// if possible. In Nginx you can do this with the following setting:

\begin{lstlisting}[breaklines]
  rewrite ^(.*) https://$host$1 permanent;
\end{lstlisting}

%\subsubsection{openssl.conf settings}

%\subsubsection{Differences in SSL libraries: gnutls vs. openssl vs. others}

\subsubsection{MS IIS}

When trying to avoid RC4 and CBC (BEAST-Attack) and requiring perfect
forward secrecy, Microsoft Internet Information Server (IIS) supports
ECDSA, but does not support RSA for key exchange (consider ECC suite
B doubts\footnote{\url{http://safecurves.cr.yp.to/rigid.html}}).

Since \verb|ECDHE_RSA_*| is not supported, an SSL certificate based on
elliptic curves needs to be used.

The cipher suites MS IIS will use can be configured in one
of the following ways:

\begin{itemize}
\item Group Policy\footnote{\url{http://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx}}
\item IIS Crypto~\footnote{\url{https://www.nartac.com/Products/IISCrypto/}}
\end{itemize}

Table~\ref{tab:MS_IIS_Client_Support} shows the process of turning on
one algorithm after another and the effect on the supported clients
tested using \url{https://www.ssllabs.com}.

\verb|SSL 3.0|, \verb|SSL 2.0| and \verb|MD5| are turned off.
\verb|TLS 1.0| and \verb|TLS 2.0| are turned on.

\begin{table}[h]
\centering
\begin{tabular}{|l|l|}
\hline
Cipher Suite & Client \\
\hline
\verb|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256| & only IE 10,11, OpenSSL 1.0.1e \\
\hline
\verb|TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256| & Chrome 30, Opera 17, Safari 6+ \\
\hline
\verb|TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA| & FF 10-24, IE 8+, Safari 5, Java 7\\
\hline
\end{tabular}
\caption{Client support}
\label{tab:MS_IIS_Client_Support}
\end{table}

Table~\ref{tab:MS_IIS_Client_Support} shows the algorithms from
strongest to weakest and why they need to be added in this order. For
example, insisting on SHA-2 algorithms (only first two lines) would
eliminate all versions of Firefox, so the last line is needed to
support this browser, but should be placed at the bottom, so capable
browsers will choose the stronger SHA-2 algorithms.

\verb|TLS_RSA_WITH_RC4_128_SHA| or equivalent should also be added if
MS Terminal Server Connection is used (make sure to use this only in a
trusted environment). This suite will not be used for SSL, since we do

% \verb|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256| ... only supported by: IE 10,11, OpenSSL 1.0.1e
% \verb|TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256| ... Chrome 30, Opera 17, Safari 6+
% \verb|TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA| ... Firefox 10-24, IE 8+, Safari 5, Java 7

Not supported Clients:

\subsection{Mail and POP/IMAP Servers}
\subsubsection{Dovecot}

% Example: http://dovecot.org/list/dovecot/2013-October/092999.html

\begin{lstlisting}[breaklines]
  ssl_cipher_list = 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA'
  ssl_prefer_server_ciphers = yes
\end{lstlisting}

Dovecot 2.1: Almost as good as dovecot 2.2. Does not support ssl\_prefer\_server\_ciphers

\subsubsection{Cyrus}

\todo{write this subsubsection}

\todo{write this subsubsection}

Another option to secure IMAPs servers is to place them behind an stunnel server.

% XXX config from Adi?
% ciphers = EDH+CAMELLIA256:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:-AES128:!CAMELLIA128:!ECDSA:AES256-SHA:EDH+AES128;
% options = CIPHER_SERVER_PREFERENCE

\subsubsection{Postfix}

First, you need to generate Diffie Hellman parameters (please first take a look at section~\ref{section:PRNG}):

\begin{lstlisting}[breaklines]
# dhparam supersedes the older gendh command and takes the same arguments
% openssl dhparam -out /etc/postfix/dh_param_512.pem -2 512
% openssl dhparam -out /etc/postfix/dh_param_1024.pem -2 1024
\end{lstlisting}

Next, we specify these DH parameters in the postfix config file:

\begin{lstlisting}[breaklines]
smtpd_tls_dh512_param_file = /etc/postfix/dh_param_512.pem
smtpd_tls_dh1024_param_file = /etc/postfix/dh_param_1024.pem
\end{lstlisting}

You usually don't want restrictions on the ciphers for opportunistic
encryption, because any encryption is better than plain text.

For submission (Port 587) or other special cases, however, you want to
enforce strong encryption. In addition to the below entries in
main.cf, you need to enable ``mandatory'' encryption for the
respective service, e.g. by adding ``-o
smtpd\_tls\_security\_level=encrypt'' to the submission smtpd in

% don't -- this influences opportunistic encryption
% smtpd_tls_protocols = !SSLv2, !SSLv3

\begin{lstlisting}[breaklines]
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
tls_ssl_options=NO_COMPRESSION
smtpd_tls_mandatory_ciphers=high
# main.cf values are taken literally, so the cipher list is written without quotes
tls_high_cipherlist=EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
\end{lstlisting}
%% NOTE: might want to have /dev/random here + Haveged

For users who want to use ECC key exchange, it is possible to specify this via:
\begin{lstlisting}[breaklines]
smtpd_tls_eecdh_grade = ultra
\end{lstlisting}

You can check the settings by specifying smtpd\_tls\_loglevel = 1 and then check the selected ciphers with the following command:
\begin{lstlisting}[breaklines]
$ zegrep "TLS connection established from.*with cipher" /var/log/mail.log | \
> awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | sort | uniq -c | sort -n
      1 SSLv3 with cipher DHE-RSA-AES256-SHA
     23 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384
     60 TLSv1 with cipher ECDHE-RSA-AES256-SHA
    270 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
    335 TLSv1 with cipher DHE-RSA-AES256-SHA
\end{lstlisting}

Source: \url{http://www.postfix.org/TLS_README.html}
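
The log check above, written as an added example that is not part of the original guide or of Postfix: it finds the protocol and cipher by the words ``with cipher'' instead of fixed field numbers and marks pairs that use SSLv2/SSLv3 or a cipher without an ephemeral (EC)DHE key exchange. The function names, the flag labels and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide or from Postfix). Function names and
# flag labels are hypothetical; the log lines below are constructed.

sample_log() {
cat <<'EOF'
Oct 28 12:00:01 mx postfix/smtpd[2101]: connect from a.example.org[192.0.2.10]
Oct 28 12:00:01 mx postfix/smtpd[2101]: Anonymous TLS connection established from a.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 28 12:03:40 mx postfix/smtpd[2107]: TLS connection established from b.example.net[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 28 12:09:12 mx postfix/smtpd[2110]: Anonymous TLS connection established from c.example.com[203.0.113.5]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Oct 28 12:15:55 mx postfix/smtpd[2114]: Anonymous TLS connection established from d.example.org[192.0.2.44]: TLSv1 with cipher AES256-SHA (256/256 bits)
EOF
}

# Print "count protocol cipher flag" per negotiated pair, lowest count first.
# Reads the named log files, or stdin when called without arguments.
tls_summary() {
    awk '
    /TLS connection established from/ {
        # Find "<protocol> with cipher <name>" by its keywords, so a longer
        # syslog prefix or the "Anonymous" label does not shift the result.
        for (i = 1; i <= NF - 3; i++)
            if ($(i + 1) == "with" && $(i + 2) == "cipher") {
                seen[$i " " $(i + 3)]++
                break
            }
    }
    END {
        for (k in seen) {
            split(k, f, " ")
            flag = "ok"
            # TLSv1.3 suite names carry no key-exchange prefix, so only older
            # protocols are checked for an ephemeral (EC)DHE suite name.
            if (f[1] == "SSLv2" || f[1] == "SSLv3")
                flag = "LEGACY-PROTOCOL"
            else if (f[1] != "TLSv1.3" && f[2] !~ /^(ECDHE|DHE)-/)
                flag = "NO-FORWARD-SECRECY"
            print seen[k], f[1], f[2], flag
        }
    }' "$@" | sort -n
}

# Number of connections whose protocol or key exchange needs attention.
tls_findings() {
    tls_summary "$@" | awk '$4 != "ok" { n += $1 } END { print n + 0 }'
}

sample_log | tls_summary
```

Against live logs, pass the file name to \verb|tls_summary|; compressed rotated logs can be piped in through \verb|zcat|.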

\subsubsection{SMTP: opportunistic TLS}

\todo{write this subsubsection}

% do we need to documment starttls in detail?
%\subsubsection{starttls?}

\begin{lstlisting}[breaklines]
  RSAAuthentication yes
  HostKey /etc/ssh/ssh_host_rsa_key
  MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
  KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1
\end{lstlisting}

% XXX: curve25519-sha256@libssh.org only available upstream(!)
Note: older Linux systems won't support SHA2, PuTTY does not support RIPE-MD160.

\todo{write this subsection}

\todo{write this subsection}

\subsection{PGP/ GPG - Pretty Good Privacy}

\todo{write this subsection -- this is still only a draft!!}

%%% TeX-master: "applied-crypto-hardening"