Merge branch 'master' of https://git.bettercrypto.org/ach-master

[ach-master.git] / src / practical_settings.tex

\section{Recommendations on practical settings}


\subsection{Webservers}

\subsubsection{Apache}



%-All +TLSv1.1 +TLSv1.2
\begin{lstlisting}[breaklines]
  SSLProtocol All -SSLv2 -SSLv3 
  SSLHonorCipherOrder On
  SSLCompression off
  # Add six earth month HSTS header for all users...
  Header add Strict-Transport-Security "max-age=15768000"
  # If you want to protect all subdomains, use the following header
  # ALL subdomains HAVE TO support https if you use this!
  # Strict-Transport-Security: max-age=15768000 ; includeSubDomains

  SSLCipherSuite 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA'
\end{lstlisting}

Note again, that any cipher suite starting with ECDHE  can be omitted in case of doubt.
%% XXX NOTE TO SELF: remove from future automatically generated lists!

You should redirect everything to httpS:// if possible. In Apache you can do this with the following setting inside of a VirtualHost environment:

\begin{lstlisting}[breaklines]
  <VirtualHost *:80>
   #...
   RewriteEngine On
        RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=permanent]
   #...
  </VirtualHost>
\end{lstlisting}

%XXXX   ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS


\subsubsection{lighttpd}



%% Note: need to be checked / reviewed

%% Complete ssl.cipher-list with same algo than Apache
\todo{FIXME: this string seems to be wrongly formatted}

\begin{lstlisting}[breaklines]
  $SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine  = "enable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.use-compression = "disable"
    ssl.pemfile = "/etc/lighttpd/server.pem"
    ssl.cipher-list = 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA'
    ssl.honor-cipher-order = "enable"
    setenv.add-response-header  = ( "Strict-Transport-Security" => "max-age=31536000")
  }
\end{lstlisting}

As for any other webserver, you should redirect automatically http traffic toward httpS:\footnote{That proposed configuration is directly coming from lighttpd documentation: \url{http://redmine.lighttpd.net/projects/1/wiki/HowToRedirectHttpToHttps}}

\begin{lstlisting}[breaklines]
  $HTTP["scheme"] == "http" {
    # capture vhost name with regex conditiona -> %0 in redirect pattern
    # must be the most inner block to the redirect rule
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
  }
\end{lstlisting}

\subsubsection{nginx}



\begin{lstlisting}[breaklines]
  ssl_prefer_server_ciphers on;
  ssl_protocols -SSLv2 -SSLv3; 
  ssl_ciphers 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA';
  add_header Strict-Transport-Security max-age=2592000;
  add_header X-Frame-Options DENY;
\end{lstlisting}

%% XXX FIXME: do we need to specify dhparams? Parameter: ssl_dhparam = file. See: http://wiki.nginx.org/HttpSslModule#ssl_protocols


If you decide to trust NIST's ECC curve recommendation, you can add the following line to nginx's configuration file to select special curves:

\begin{lstlisting}[breaklines]
  ssl_ecdh_curve          sect571k1;
\end{lstlisting}

You should redirect everything to httpS:// if possible. In Nginx you can do this with the following setting:

\begin{lstlisting}[breaklines]
  rewrite     ^(.*)   https://$host$1 permanent;
\end{lstlisting}

%\subsubsection{openssl.conf settings}

%\subsubsection{Differences in SSL libraries: gnutls vs. openssl vs. others}

\subsubsection{MS IIS}
\label{sec:ms-iis}



When trying to avoid RC4 and CBC (BEAST-Attack) and requiring perfect
forward secrecy, Microsoft Internet Information Server (IIS) supports
ECDSA, but does not support RSA for key exchange (consider ECC suite
B doubts\footnote{\url{http://safecurves.cr.yp.to/rigid.html}}).

Since \verb|ECDHE_RSA_*| is not supported, a SSL certificate based on
elliptic curves needs to be used.

The configuration of cipher suites MS IIS will use can be configured in one
of the following ways:
\begin{enumerate}
\item Group Policy \footnote{\url{http://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx}}
\item Registry
\item IIS Crypto~\footnote{\url{https://www.nartac.com/Products/IISCrypto/}}
\end{enumerate}


Table~\ref{tab:MS_IIS_Client_Support} shows the process of turning on
one algorithm after another and the effect on the supported Clients
tested using https://www.ssllabs.com.

\verb|SSL 3.0|, \verb|SSL 2.0| and \verb|MD5| are turned off.
\verb|TLS 1.0| and \verb|TLS 2.0| are turned on.

\begin{table}[h]
  \centering
  \small
  \begin{tabular}{|l|l|}
    \hline
    Cipher Suite & Client \\
    \hline
    \verb|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256| & only IE 10,11, OpenSSL 1.0.1e \\
    \hline
    \verb|TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256| & Chrome 30, Opera 17, Safari 6+ \\
    \hline
    \verb|TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA| & FF 10-24, IE 8+, Safari 5, Java 7\\
    \hline
  \end{tabular}
  \caption{Client support}
  \label{tab:MS_IIS_Client_Support}
\end{table}

Table~\ref{tab:MS_IIS_Client_Support} shows the algoriths from
strongest to weakest and why they need to be added in this order. For
example insiting on SHA-2 algorithms (only first two lines) would
eliminate all versions of Firefox, so the last line is needed to
support this browser, but should be placed at the bottom, so capable
browsers will choose the stronger SHA-2 algorithms.

\verb|TLS_RSA_WITH_RC4_128_SHA| or equivalent should also be added if
MS Terminal Server Connection is used (make sure to use this only in a
trusted environment). This suite will not be used for SSL, since we do
not use a RSA Key.


% \verb|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256| ... only supported by: IE 10,11, OpenSSL 1.0.1e
% \verb|TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256| ... Chrome 30, Opera 17, Safari 6+
% \verb|TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA| ... Firefox 10-24, IE 8+, Safari 5, Java 7


Not supported Clients:
\begin{enumerate}
\item Java 6
\item WinXP
\item Bing
\end{enumerate}


\subsection{Mail and POP/IMAP Servers}
\subsubsection{Dovecot}



Dovecot 2.2:

% Example: http://dovecot.org/list/dovecot/2013-October/092999.html

\begin{lstlisting}[breaklines]
  ssl_cipher_list = 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA'
  ssl_prefer_server_ciphers = yes
\end{lstlisting}

Dovecot 2.1: Almost as good as dovecot 2.2. Does not support ssl\_prefer\_server\_ciphers


\subsubsection{cyrus-imapd (based on 2.4.17)}

\paragraph*{imapd.conf}\mbox{}\\

To activate SSL/TLS configure your certificate with
\begin{lstlisting}[breaklines]
  tls_cert_file: .../cert.pem
  tls_key_file: .../cert.key
\end{lstlisting}

Do not forget to add necessary intermediate certificates to the .pem file.\\

Limiting the ciphers provided may force (especially older) clients to connect without encryption at all! Sticking to the defaults is recommended.\\

If you still want to force strong encryption use
\begin{lstlisting}[breaklines]
  tls_cipher_list: <...recommended ciphersuite...>
\end{lstlisting}

cyrus-imapd loads hardcoded 1024 bit DH parameters using get\_rfc2409\_prime\_1024() by default. If you want to load your own DH parameters add them PEM encoded to the certificate file given in tls\_cert\_file. Do not forget to re-add them after updating your certificate.

\paragraph*{cyrus.conf}\mbox{}\\

To support POP3/IMAP on ports 110/143 with STARTTLS add
\begin{lstlisting}[breaklines]
  imap         cmd="imapd" listen="imap" prefork=3
  pop3         cmd="pop3d" listen="pop3" prefork=1
\end{lstlisting}
to the SERVICES section.\\

To support POP3S/IMAPS on ports 995/993 add
\begin{lstlisting}[breaklines]
  imaps        cmd="imapd -s" listen="imaps" prefork=3
  pop3s        cmd="pop3d -s" listen="pop3s" prefork=1
\end{lstlisting}

\paragraph*{Limitations}\mbox{}\\

cyrus-imapd currently (2.4.17, trunk) does not support elliptic curves. ECDHE will not work even if defined in your cipher list.
A working patch to provide limited support exists (NID\_X9\_62\_prime256v1 only):
\url{https://bugzilla.cyrusimap.org/show_bug.cgi?id=3822}\\

Currently there is no way to prefer server ciphers.\\

There is no way to prevent unencrypted connections on the STARTTLS ports. You can prevent usage of plaintext login by setting
\begin{lstlisting}[breaklines]
  allowplaintext: 0
\end{lstlisting}
in imapd.conf. But note that SASL PLAIN/LOGIN is still available!\\


\subsubsection{UW}

\todo{write this subsubsection}

Another option to secure IMAPs servers is to place them behind an stunnel server. 

% XXX config von Adi?
% sslVersion = TLSv1
% ciphers = EDH+CAMELLIA256:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:-AES128:!CAMELLIA128:!ECDSA:AES256-SHA:EDH+AES128;
% options = CIPHER_SERVER_PREFERENCE
% TIMEOUTclose = 1

\subsubsection{Postfix}



First, you need to generate Diffie Hellman parameters (please first take a look at the section \ref{section:PRNG}):

\todo{FIXME: this is a really weak setting! See also: http://postfix.1071664.n5.nabble.com/postfix-hardening-what-can-we-do-td61874.html}
\begin{lstlisting}[breaklines]
  % openssl gendh -out /etc/postfix/dh_param_512.pem -2 512
  % openssl gendh -out /etc/postfix/dh_param_1024.pem -2 1024
\end{lstlisting}

Next, we specify these DH parameters in the postfix config file:

\begin{lstlisting}[breaklines]
  smtpd_tls_dh512_param_file = /etc/postfix/dh_param_512.pem
  smtpd_tls_dh1024_param_file = /etc/postfix/dh_param_1024.pem
\end{lstlisting}

You usually don't want restrictions on the ciphers for opportunistic
encryption, because any encryption is better than plain text. 

For submission (Port 587) or other special cases, however, you want to
enforce strong encryption. In addition to the below entries in
main.cf, you need to enable ``mandatory`` encryption for the
respective service, e.g. by adding ``-o
smtpd\_tls\_security\_level=encrypt'' to the submission smtpd in
master.cf.

% don't -- this influences opportunistic encryption
%  smtpd_tls_protocols = !SSLv2, !SSLv3

\begin{lstlisting}[breaklines]
  smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
  tls_ssl_options=NO_COMPRESSION
  smtpd_tls_mandatory_ciphers=high
  tls_high_cipherlist='EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA'
  tls_preempt_cipherlist = yes
  tls_random_source = dev:/dev/urandom          
    %% NOTE: might want to have /dev/random here + Haveged
\end{lstlisting}
  
For those users, who want to use ECC key exchange, it is possible to specify this via:
\begin{lstlisting}[breaklines]
  smtpd_tls_eecdh_grade = ultra
\end{lstlisting}

You can check the settings by specifying  smtpd\_tls\_loglevel = 1 and then check the selected ciphers with the following command:
\begin{lstlisting}[breaklines]
$ zegrep "TLS connection established from.*with cipher" /var/log/mail.log | \
> awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | sort | uniq -c | sort -n
      1 SSLv3 with cipher DHE-RSA-AES256-SHA
     23 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384
     60 TLSv1 with cipher ECDHE-RSA-AES256-SHA
    270 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
    335 TLSv1 with cipher DHE-RSA-AES256-SHA
\end{lstlisting}

Source: \url{http://www.postfix.org/TLS_README.html}

\subsubsection{Exim (based on 4.82)}

It is highly recommended to read

\url{http://exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html}

first.

\paragraph*{OpenSSL}

\subparagraph*{server mode (incoming)}\mbox{}\\

In the main config section of exim add:

\begin{lstlisting}[breaklines]
  tls_certificate = ..../cert.pem
  tls_privatekey = ..../cert.key
\end{lstlisting}
don't forget to add intermediate certificates to the .pem file if needed.\\
\\
Tell exim to advertise STARTTLS in the EHLO answer:
\begin{lstlisting}[breaklines]
  tls_advertise_hosts = *
\end{lstlisting}

If you want to support legacy SMTPS on port 465, and STARTTLS on smtp(25)/submission(587) ports set
\begin{lstlisting}[breaklines]
  daemon_smtp_ports = smtp : smtps : submission
  tls_on_connect_ports = 465
\end{lstlisting}

Exim already disables SSLv2 by default. We recommend to add
\begin{lstlisting}[breaklines]
  openssl_options = +no_sslv2 +no_compression +cipher_server_preference
\end{lstlisting}

It is not advisable to restrict the default cipher list for opportunistic encryption as used by SMTP. Do not use cipher lists recommended for HTTPS! If you still want to define one please consult the Exim documentation or ask on the exim-users mailinglist.\\
% Exim maintainers do not recommend to change default ciphers
% We shouldn't, too
%use:
%\begin{lstlisting}[breaklines]
%  tls_require_ciphers = <...recommended ciphersuite...>
%\end{lstlisting}

If you want to request and verify client certificates from sending hosts set
\begin{lstlisting}[breaklines]
  tls_verify_certificates = /etc/pki/tls/certs/ca-bundle.crt
  tls_try_verify_hosts = *
\end{lstlisting}

tls\_try\_verify\_hosts only reports the result to your logfile. If you want to disconnect such clients you have to use
\begin{lstlisting}[breaklines]
  tls_verify_hosts = *
\end{lstlisting}

You do not need to set dh\_parameters. exim with OpenSSL uses a 2048bit default prime defined in section 2.2 of RFC 5114.
If you want to set your own DH parameters please read the TLS documentation of exim.\\

The cipher used is written to the logfiles by default. You may want to add
\begin{lstlisting}[breaklines]
  log_selector = <....whatever your log_selector already contains...> \
   +tls_certificate_verified +tls_peerdn +tls_sni
\end{lstlisting}
to get even more information logged.

\subparagraph*{client mode (outgoing)}\mbox{}\\

Exim uses opportunistic encryption in the SMTP transport by default.

Client mode settings have to be done in the configuration section of the smtp transport (driver = smtp).

If you want to use a client certificate (most server certificates can be used as client certificate, too) set
\begin{lstlisting}[breaklines]
  tls_certificate   = .../cert.pem
  tls_privatekey    = .../cert.key
\end{lstlisting}
This is recommended for MTA-MTA traffic.\\

%If you want to limit used ciphers set
%\begin{lstlisting}[breaklines]
%  tls_require_ciphers = <...recommended ciphersuite...>
%\end{lstlisting}
% Exim Maintainers do not recommend ciphers. We shouldn't do so, too.
Do not limit ciphers without a very good reason. In the worst case you end up without encryption at all instead of some weak encryption. Please consult the Exim documentation if you really need to define ciphers.

\paragraph*{GnuTLS}\mbox{}\\

GnuTLS is different in only some respects to OpenSSL:
\begin{list}{•}{•}
\item tls\_require\_ciphers needs a GnuTLS priority string instead of a cipher list. It is recommended to use the defaults by not defining this option. It highly depends on the version of GnuTLS used. Therefore it is not advisable to change the defaults.
\item There is no option like openssl\_options
\end{list}

\paragraph*{Limit SMTP AUTH to SSL connections only}\mbox{}\\

It is highly recommended to limit SMTP AUTH to SSL connections only. To do so add
\begin{lstlisting}[breaklines]
  server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}
\end{lstlisting}
to every authenticator defined.

\paragraph*{Exim string expansion}\mbox{}\\

Note that most of the options accept expansion strings. This way you can eg. set cipher lists or STARTTLS advertisment conditionally. Please follow the link to the official Exim documentation to get more information.

\paragraph*{Limitations}\mbox{}\\

Exim currently (4.82) does not support elliptic curves with OpenSSL. This means that ECDHE is not used even if defined in your cipher list.
There already is a working patch to provide support:\\
\url{http://bugs.exim.org/show_bug.cgi?id=1397}

\subsubsection{SMTP: opportunistic TLS}

\todo{write this subsubsection}

% do we need to documment starttls in detail?
%\subsubsection{starttls?}

\subsection{SSH}

\begin{lstlisting}[breaklines]
        RSAAuthentication yes
        PermitRootLogin no
        StrictModes yes
        HostKey /etc/ssh/ssh_host_rsa_key
        Ciphers aes256-ctr
        MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
        KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1
\end{lstlisting}

% XXX: curve25519-sha256@libssh.org only available upstream(!)
Note: older linux systems won't support SHA2, PuTTY does not support RIPE-MD160.
\\


\subsection{OpenVPN}

\todo{write this subsection}

\subsection{IPSec}
\todo{write this subsection}

\subsection{PGP/ GPG - Pretty Good Privacy}

\todo{write this subsection -- this is still only a draft!!}
\input{GPG}



%%% Local Variables: 
%%% mode: latex
%%% TeX-master: "applied-crypto-hardening"
%%% End: