clarify SSLProtocol settings. Be restrictive.
1 \section{Recommendations on practical settings}
2
3
4 \subsection{SSL}
5
6 %%% NOTE: we do not need to list this all here, can move to an appendix
7 %At the time of this writing, SSL is defined in RFCs:   
8 %
9 %\begin{itemize}
10 %\item RFC2246 - TLS1.0         
11 %\item RFC3268 - AES            
12 %\item RFC4132 - Camelia                
13 %\item RFC4162 - SEED           
14 %\item RFC4279 - PSK            
15 %\item RFC4346 - TLS 1.1                
16 %\item RFC4492 - ECC            
17 %\item RFC4785 - PSK\_NULL              
18 %\item RFC5246 - TLS 1.2                
19 %\item RFC5288 - AES\_GCM               
20 %\item RFC5289 - AES\_GCM\_SHA2\_ECC            
21 %\item RFC5430 - Suite B                
22 %\item RFC5487 - GCM\_PSK               
23 %\item RFC5489 - ECDHE\_PSK             
24 %\item RFC5932 - Camelia                
25 %\item RFC6101 - SSL 3.0                
26 %\item RFC6209 - ARIA           
27 %\item RFC6367 - Camelia                
28 %\item RFC6655 - AES\_CCM               
29 %\item RFC7027 - Brainpool Curves               
30 %\end{itemize}
31
32 \subsubsection{Overview of SSL Server settings}
33
Most server software (web servers, mail servers, etc.) can be configured to prefer certain cipher suites over others.
We followed the recommendations in Ivan Ristic's SSL/TLS Deployment Best Practices\footnote{\url{https://www.ssllabs.com/projects/best-practices/index.html}} document (see section 2.2, ``Use Secure Protocols'') and arrived at a list of recommended cipher suites for SSL-enabled servers.
36
The result of following his advice is a categorisation of cipher suites.
38
% Categorisation of protocol versions, key exchanges, ciphers and MACs into
% prefer / consider / avoid / special.
% NOTE(review): each column appears to be an independent list within its
% category; a row is not a cipher-suite combination -- confirm with the authors.
% \cellcolor and \color are presumably provided by colortbl/xcolor in the preamble.
\begin{center}
\begin{tabular}{|l|l|l|l|l|}
\hline
                                        & Version & Key\_Exchange & Cipher              & MAC    \\ \hline
% --- prefer ---
\cellcolor{green}prefer                 & TLS 1.2 & DHE\_DSS      & AES\_256\_GCM       & SHA384 \\ \hline
                                        &         & DHE\_RSA      & AES\_256\_CCM       & SHA256 \\ \hline
                                        &         & ECDHE\_ECDSA  & AES\_256\_CBC       &        \\ \hline
                                        &         & ECDHE\_RSA    &                     &        \\ \hline
                                        &         &               &                     &        \\ \hline
% --- consider ---
\cellcolor{orange}consider              & TLS 1.1 & DH\_DSS       & AES\_128\_GCM       & SHA    \\ \hline
                                        & TLS 1.0 & DH\_RSA       & AES\_128\_CCM       &        \\ \hline
                                        &         & ECDH\_ECDSA   & AES\_128\_CBC       &        \\ \hline
                                        &         & ECDH\_RSA     & CAMELLIA\_256\_CBC  &        \\ \hline
                                        &         & RSA           & CAMELLIA\_128\_CBC  &        \\ \hline
                                        &         &               &                     &        \\ \hline
% --- avoid ---
\cellcolor{red}avoid                    & SSL 3.0 & NULL          & NULL                & NULL   \\ \hline
                                        &         & DH\_anon      & RC4\_128            & MD5    \\ \hline
                                        &         & ECDH\_anon    & 3DES\_EDE\_CBC      &        \\ \hline
                                        &         &               & DES\_CBC            &        \\ \hline
                                        &         &               &                     &        \\ \hline
% --- special: not offered by all clients ---
\cellcolor{blue}{\color{white}special } &         & PSK           & CAMELLIA\_256\_GCM  &        \\ \hline
                                        &         & DHE\_PSK      & CAMELLIA\_128\_GCM  &        \\ \hline
                                        &         & RSA\_PSK      & ARIA\_256\_GCM      &        \\ \hline
                                        &         & ECDHE\_PSK    & ARIA\_256\_CBC      &        \\ \hline
                                        &         &               & ARIA\_128\_GCM      &        \\ \hline
                                        &         &               & ARIA\_128\_CBC      &        \\ \hline
                                        &         &               & SEED                &        \\ \hline
\end{tabular}
\end{center}
70
A remark on the ``consider'' section: the BSI (Bundesamt f\"ur Sicherheit in der Informationstechnik, Germany) recommends in its technical report TR-02102-2\footnote{\url{https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2_pdf.html}} to \textbf{avoid} non-ephemeral\footnote{Ephemeral keys are session keys which are destroyed upon termination of the encrypted session. In TLS/SSL, they are realized by the DHE and ECDHE cipher suites.} keys for any communication which might contain personal or sensitive data. In this document, we follow BSI's advice and therefore only keep cipher suites containing (EC)DH\textbf{E} variants. System administrators who cannot use perfect forward secrecy can still use the cipher suites in the ``consider'' section. We, however, do not recommend them in this document.
72
Note that the entries marked as ``special'' are cipher suites which are not common to all clients (web browsers etc.).
74
75
76 \subsubsection{Client recommendations}
77  
78 Next we tested the cipher suites above on the following clients:
79
80 \begin{itemize}
81 \item Chrome 30.0.1599.101 Mac OS X 10.9
82 \item Safari 7.0 Mac OS X 10.9
83 \item Firefox 25.0 Mac OS X 10.9
84 \item Internet Explorer 10 Windows 7
85 \item Apple iOS 7.0.3
86 \end{itemize}
87
88
Testing the cipher suites with these clients gives us the preference order shown in Table~\ref{table:prefOrderCipherSuites}.
Should a client not be able to use a specific cipher suite, it will fall back to the next possible entry as given by the ordering.
91
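% Preference order of the recommended cipher suites.
% The "Browser" column presumably lists the tested clients for which the suite
% was usable, per the client test described above -- confirm with the authors.
% The float is centred with \centering; wrapping a float in a center
% environment has no effect on the float itself. The column specification
% now declares the four columns that are actually used.
\begin{table}[ht]
  \centering
  \small
  \begin{tabular}{|l|l|l|l|}
    \hline
    Pref & Cipher Suite                                   & ID         & Browser                     \\ \hline
    1    & TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA384 &     0xC024 & Safari                      \\ \hline
    2    & TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384   &     0xC028 & Safari                      \\ \hline
    3    & TLS\_DHE\_RSA\_WITH\_AES\_256\_CBC\_SHA256     &     0x006B & Safari, Chrome              \\ \hline
    4    & TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA    &     0xC00A & Safari, Chrome, Firefox, IE \\ \hline
    5    & TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA      &     0xC014 & Safari, Chrome, Firefox, IE \\ \hline
    6    & TLS\_DHE\_RSA\_WITH\_AES\_256\_CBC\_SHA        &     0x0039 & Safari, Chrome, Firefox     \\ \hline
    7    & TLS\_DHE\_DSS\_WITH\_AES\_256\_CBC\_SHA        &     0x0038 & Firefox, IE                 \\ \hline
    8    & TLS\_DHE\_RSA\_WITH\_CAMELLIA\_256\_CBC\_SHA   &     0x0088 & Firefox                     \\ \hline
    9    & TLS\_DHE\_DSS\_WITH\_CAMELLIA\_256\_CBC\_SHA   &     0x0087 & Firefox                     \\ \hline
  \end{tabular}
  \caption{Preference order of cipher suites}
  \label{table:prefOrderCipherSuites}
\end{table}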
112
113
Table~\ref{table:prefOrderOpenSSLNames} shows the same data again, together with the corresponding OpenSSL names.
115
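% Mapping from the IANA cipher-suite names and IDs to the names OpenSSL uses
% in cipher strings, in the same preference order as the previous table.
% The float is centred with \centering; wrapping a float in a center
% environment has no effect on the float itself.
\begin{table}[ht]
  \centering
  \small
  \begin{tabular}{|l|l|l|}
    \hline
    Cipher Suite                                   & ID            & OpenSSL Name                  \\ \hline
    TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA384 &     0xC024 &     ECDHE-ECDSA-AES256-SHA384 \\ \hline
    TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384   &     0xC028 &     ECDHE-RSA-AES256-SHA384   \\ \hline
    TLS\_DHE\_RSA\_WITH\_AES\_256\_CBC\_SHA256     &     0x006B &     DHE-RSA-AES256-SHA256     \\ \hline
    TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA    &     0xC00A &     ECDHE-ECDSA-AES256-SHA    \\ \hline
    TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA      &     0xC014 &     ECDHE-RSA-AES256-SHA      \\ \hline
    TLS\_DHE\_RSA\_WITH\_AES\_256\_CBC\_SHA        &     0x0039 &     DHE-RSA-AES256-SHA        \\ \hline
    TLS\_DHE\_DSS\_WITH\_AES\_256\_CBC\_SHA        &     0x0038 &     DHE-DSS-AES256-SHA        \\ \hline
    TLS\_DHE\_RSA\_WITH\_CAMELLIA\_256\_CBC\_SHA   &     0x0088 &     DHE-RSA-CAMELLIA256-SHA   \\ \hline
    TLS\_DHE\_DSS\_WITH\_CAMELLIA\_256\_CBC\_SHA   &     0x0087 &     DHE-DSS-CAMELLIA256-SHA   \\ \hline
  \end{tabular}
  \caption{Preference order of cipher suites, with OpenSSL names}
  \label{table:prefOrderOpenSSLNames}
\end{table}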
136
137
138
Based on this ordering, we can now define the corresponding settings for servers. We will start with the most common web servers.
140
141 \subsubsection{Apache}
142
Note: a ``\textbackslash'' (backslash) at the end of a line denotes a line continuation; the line was wrapped here for formatting reasons only. Do not copy the backslash verbatim.
144
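% Apache mod_ssl settings: restrict protocol versions, enforce the server's
% cipher order, and list the recommended suites in preference order.
% A stray backslash in front of DHE-RSA-CAMELLIA256-SHA was removed; only the
% backslashes at the end of a line are continuation markers.
% NOTE(review): `!DSS' permanently removes every suite that authenticates with
% DSS, so the DHE-DSS-AES256-SHA and DHE-DSS-CAMELLIA256-SHA entries listed
% below can never be selected. Either drop `!DSS' or drop the two DHE-DSS
% entries, depending on which behaviour is intended.
% NOTE(review): ECDH+AESGCM and DH+AESGCM select by key-exchange family and may
% match more suites than the preference table lists; the effective list for a
% given OpenSSL build can be checked with: openssl ciphers -v '<cipher string>'
% NOTE(review): with only TLSv1.1/TLSv1.2 enabled, clients that negotiate at
% most TLS 1.0 in their default configuration cannot connect -- confirm this
% against the tested client list. The TLSv1.1/TLSv1.2 keywords also need an
% Apache/OpenSSL build that supports them.
\begin{verbatim}
  SSLProtocol +TLSv1.1 +TLSv1.2
  SSLHonorCipherOrder On
  SSLCipherSuite  ECDH+AESGCM:DH+AESGCM:\
    ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:\
    DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-SHA:\
    ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:\
    DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:\
    DHE-DSS-CAMELLIA256-SHA:!ADH:!AECDH:!MD5:!DSS
\end{verbatim}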
155
156 %XXXX   ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
157
158
159
160 \subsubsection{nginx}
161
162
163 \subsubsection{openssl.conf settings}
164
165 %\subsubsection{Differences in SSL libraries: gnutls vs. openssl vs. others}
166
167 \subsubsection{IMAPS}
168 \subsubsection{SMTP: opportunistic TLS}
169 % do we need to documment starttls in detail?
170 %\subsubsection{starttls?}
171
172 \subsection{SSH}
173
174 \subsection{OpenVPN}
175
176 \subsection{IPSec}
177
178 \subsection{PGP}
179
180 \subsection{PRNG settings}