add nginx settings
[ach-master.git] / src / practical_settings.tex
index 56d37af..d721730 100644 (file)
 
 
 \subsection{SSL}
-\subsubsection{apache}
+
+%%% NOTE: we do not need to list this all here, can move to an appendix
+%At the time of this writing, SSL is defined in RFCs:  
+%
+%\begin{itemize}
+%\item RFC2246 - TLS1.0                
+%\item RFC3268 - AES           
+%\item RFC4132 - Camelia               
+%\item RFC4162 - SEED          
+%\item RFC4279 - PSK           
+%\item RFC4346 - TLS 1.1               
+%\item RFC4492 - ECC           
+%\item RFC4785 - PSK\_NULL             
+%\item RFC5246 - TLS 1.2               
+%\item RFC5288 - AES\_GCM              
+%\item RFC5289 - AES\_GCM\_SHA2\_ECC           
+%\item RFC5430 - Suite B               
+%\item RFC5487 - GCM\_PSK              
+%\item RFC5489 - ECDHE\_PSK            
+%\item RFC5932 - Camelia               
+%\item RFC6101 - SSL 3.0               
+%\item RFC6209 - ARIA          
+%\item RFC6367 - Camelia               
+%\item RFC6655 - AES\_CCM              
+%\item RFC7027 - Brainpool Curves              
+%\end{itemize}
+
+\subsubsection{Overview of SSL Server settings}
+
+Most Server software (Webservers, Mail servers, etc.) can be configured to prefer certain cipher suites over others. 
+We followed the recommendations by Ivan Ristic's SSL/TLS Deployment Best Practices\footnote{\url{https://www.ssllabs.com/projects/best-practices/index.html}} document (see section 2.2 "Use Secure Protocols") and arrived at a list of recommended cipher suites for SSL enabled servers.
+
+The results of following his adivce is a categorisation of cipher suites.
+
+\begin{center}
+\begin{tabular}{| l | l | l | l | l|}
+\hline
+& Version   & Key\_Exchange  & Cipher    & MAC       \\ \hline
+\cellcolor{green}prefer  & TLS 1.2   & DHE\_DSS   & AES\_256\_GCM   & SHA384        \\ \hline
+    &   & DHE\_RSA   & AES\_256\_CCM   & SHA256        \\ \hline
+    &   & ECDHE\_ECDSA   & AES\_256\_CBC   &       \\ \hline
+    &   & ECDHE\_RSA &   &       \\ \hline
+    &   &   &   &       \\ \hline
+\cellcolor{orange}consider    & TLS 1.1   & DH\_DSS    & AES\_128\_GCM   & SHA       \\ \hline
+    & TLS 1.0   & DH\_RSA    & AES\_128\_CCM   &       \\ \hline
+    &   & ECDH\_ECDSA    & AES\_128\_CBC   &       \\ \hline
+    &   & ECDH\_RSA  & CAMELLIA\_256\_CBC  &       \\ \hline
+    &   & RSA   & CAMELLIA\_128\_CBC  &       \\ \hline
+    &   &   &   &       \\ \hline
+\cellcolor{red}avoid   
+& SSL 3.0   & NULL  & NULL  & NULL      \\ \hline
+    &   & DH\_anon   & RC4\_128   & MD5       \\ \hline
+    &   & ECDH\_anon & 3DES\_EDE\_CBC  &       \\ \hline
+    &   &   & DES\_CBC   &       \\ \hline
+    &   &   &   &       \\ \hline
+\cellcolor{blue}{\color{white}special }
+&   & PSK   & CAMELLIA\_256\_GCM  &       \\ \hline
+    &   & DHE\_PSK   & CAMELLIA\_128\_GCM  &       \\ \hline
+    &   & RSA\_PSK   & ARIA\_256\_GCM  &       \\ \hline
+    &   & ECDHE\_PSK & ARIA\_256\_CBC  &       \\ \hline
+    &   &   & ARIA\_128\_GCM  &       \\ \hline
+    &   &   & ARIA\_128\_CBC  &       \\ \hline
+    &   &   & SEED  &       \\ \hline
+\end{tabular}
+\end{center}
+
+A remark on the ``consider'' section: the BSI (Bundesamt f\"ur Sicherheit in der Informationstechnik, Germany) recommends in its technical report TR-02102-2\footnote{\url{https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2_pdf.html}} to \textbf{avoid} non-ephemeral\footnote{ephemeral keys are session keys which are destroyed upon termination of the encrypted session. In TLS/SSL, they are realized by the DHE cipher suites. } keys for any communication which might contain personal or sensitive data. In this document, we follow BSI's advice and therefore only keep cipher suites containing (EC)DH\textbf{E} variants. System administrators, who can not use forward secrecy can still use the cipher suites in the consider section. We however, do not recommend them in this document.
+
+%% NOTE: s/forward secrecy/perfect forward secrecy???
+
+Note that the entries marked as "special" are cipher suites which are not common to all clients (webbrowsers etc).
+
+
+\subsubsection{Client recommendations}
+Next we tested the cipher suites above on the following clients:
+
+\begin{itemize}
+\item Chrome 30.0.1599.101 Mac OS X 10.9
+\item Safari 7.0 Mac OS X 10.9
+\item Firefox 25.0 Mac OS X 10.9
+\item Internet Explorer 10 Windows 7
+\item Apple iOS 7.0.3
+\end{itemize}
+
+
+The result of testing the cipher suites with these clients gives us a preference order as shown in table \ref{table:prefOrderCipherSuites}. 
+Should a client not be able to use a specific cipher suite, it will fall back to the next possible entry as given by the ordering.
+
+\begin{center}
+\begin{table}[h]
+\small
+    \begin{tabular}{|l|l|l|l|l|}
+    \hline
+    Pref & Cipher Suite                                   & ID         & Browser                     \\ \hline
+    1    & TLS\_DHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384    &     0x009f & OpenSSL command line client \\ \hline
+    2    & TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA384 &     0xC024 & Safari                      \\ \hline
+    3    & TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384   &     0xC028 & Safari                      \\ \hline
+    4    & TLS\_DHE\_RSA\_WITH\_AES\_256\_CBC\_SHA256     &     0x006B & Safari, Chrome              \\ \hline
+    5    & TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA    &     0xC00A & Safari, Chrome, Firefox, IE \\ \hline
+    6    & TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA      &     0xC014 & Safari, Chrome, Firefox, IE \\ \hline
+    7    & TLS\_DHE\_RSA\_WITH\_AES\_256\_CBC\_SHA        &     0x0039 & Safari, Chrome, Firefox     \\ \hline
+    8    & TLS\_DHE\_DSS\_WITH\_AES\_256\_CBC\_SHA        &     0x0038 & Firefox, IE                 \\ \hline
+    9    & TLS\_DHE\_RSA\_WITH\_CAMELLIA\_256\_CBC\_SHA   &     0x0088 & Firefox                     \\ \hline
+    10   & TLS\_DHE\_DSS\_WITH\_CAMELLIA\_256\_CBC\_SHA   &     0x0087 & Firefox                     \\ \hline
+    \end{tabular}
+\caption{Preference order of cipher suites}
+\label{table:prefOrderCipherSuites}
+\end{table}
+\end{center}
+
+
+Table \ref{table:prefOrderOpenSSLNames} shows the same data again with specifying the corresponding OpenSSL name.
+
+\begin{center}
+\begin{table}[h]
+\small
+    \begin{tabular}{|l|l|l|}
+    \hline
+    Cipher Suite                                   & ID         & OpenSSL Name                  \\ \hline
+    TLS\_DHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384     &    0x009f &         DHE-RSA-AES256-GCM-SHA384 \\ \hline
+    TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA384 &     0xC024 &     ECDHE-ECDSA-AES256-SHA384 \\ \hline
+    TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384   &     0xC028 &     ECDHE-RSA-AES256-SHA384   \\ \hline
+    TLS\_DHE\_RSA\_WITH\_AES\_256\_CBC\_SHA256     &     0x006B &     DHE-RSA-AES256-SHA256     \\ \hline
+    TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA    &     0xC00A &     ECDHE-ECDSA-AES256-SHA    \\ \hline
+    TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA      &     0xC014 &     ECDHE-RSA-AES256-SHA      \\ \hline
+    TLS\_DHE\_RSA\_WITH\_AES\_256\_CBC\_SHA        &     0x0039 &     DHE-RSA-AES256-SHA        \\ \hline
+    TLS\_DHE\_DSS\_WITH\_AES\_256\_CBC\_SHA        &     0x0038 &     DHE-DSS-AES256-SHA        \\ \hline
+    TLS\_DHE\_RSA\_WITH\_CAMELLIA\_256\_CBC\_SHA   &     0x0088 &     DHE-RSA-CAMELLIA256-SHA   \\ \hline
+    TLS\_DHE\_DSS\_WITH\_CAMELLIA\_256\_CBC\_SHA   &     0x0087 &     DHE-DSS-CAMELLIA256-SHA   \\ \hline
+    \end{tabular}
+\caption{Preference order of cipher suites, with OpenSSL names}
+\label{table:prefOrderOpenSSLNames}
+\end{table}
+\end{center}
+
+Note: the tables \ref{table:prefOrderOpenSSLNames} and \ref{table:prefOrderCipherSuites} contains Eliptic curve key exchanges. There are currently strong doubts\footnote{\url{http://safecurves.cr.yp.to/rigid.html}} concerning ECC.
+If unsure, remove the cipher suites starting with ECDHE in the table above.
+
+
+Based on this ordering, we can now define the corresponding settings for servers. We will start with the most common web servers
+
+\subsubsection{Apache}
+
+Note: a "\textbackslash" (backslash) denotes a line continuation which was wrapped due to formatting reasons here. Do not copy it verbatim.
+
+%-All +TLSv1.1 +TLSv1.2
+\begin{verbatim}
+  SSLProtocol All -SSLv2 -SSLv3 
+  SSLHonorCipherOrder On
+  SSLCompression off
+  # Add six earth month HSTS header for all users...
+  Header add Strict-Transport-Security "max-age=15768000"
+  # If you want to protect all subdomains, use the following header
+  # Strict-Transport-Security: max-age=15768000 ; includeSubDomains
+
+  SSLCipherSuite  DHE+AESGCM:\
+    ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:\
+    DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-SHA:\
+    ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:\
+    DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:\
+    DHE-DSS-CAMELLIA256-SHA:!ADH:!AECDH:!MD5:!DSS
+\end{verbatim}
+
+Note again, that any cipher suite starting with ECDHE  can be omitted in case of doubt.
+%% XXX NOTE TO SELF: remove from future automatically generated lists!
+
+%XXXX   ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
+
+
+
 \subsubsection{nginx}
-\subsubsection{Overview of different SSL libraries: gnutls vs. openssl vs. others}
+
+\begin{verbatim}
+  ssl_prefer_server_ciphers on;
+  ssl_protocols All -SSLv2 -SSLv3; 
+  ssl_ciphers DHE+AESGCM:\
+    ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:\
+    DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-SHA:\
+    ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:\
+    DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:\
+    DHE-DSS-CAMELLIA256-SHA:!ADH:!AECDH:!MD5:!DSS;
+  add_header Strict-Transport-Security max-age=2592000;
+  add_header                X-Frame-Options DENY
+\end{verbatim}
+
+If you decide to trust NIST's ECC curve recommendation, you can add the following line to nginx's configuration file to select special curves:
+
+\begin{verbatim}
+  ssl_ecdh_curve          sect571k1;
+\end{verbatim}
+
 \subsubsection{openssl.conf settings}
 
+%\subsubsection{Differences in SSL libraries: gnutls vs. openssl vs. others}
+
+\subsubsection{IMAPS}
+\subsubsection{Postfix}
+\subsubsection{SMTP: opportunistic TLS}
+% do we need to documment starttls in detail?
+%\subsubsection{starttls?}
+
 \subsection{SSH}
 
+\subsection{OpenVPN}
+
+\subsection{IPSec}
+
 \subsection{PGP}
 
 \subsection{PRNG settings}
+
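Review bot: In the nginx verbatim block, `ssl_protocols All -SSLv2 -SSLv3;` is Apache mod_ssl syntax, which nginx is expected to reject because its `ssl_protocols` takes an explicit list of protocol names; the equivalent of the Apache line is `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`, and the last line of that block also needs its terminator, `add_header X-Frame-Options DENY;`. Both the Apache and the nginx cipher strings end in `!DSS`, which removes the `DHE-DSS-AES256-SHA` and `DHE-DSS-CAMELLIA256-SHA` entries listed just before it (rows 8 and 10 of the preference table), so either the exclusion or those two suites should be dropped. The HSTS lifetime differs between the two servers (`max-age=15768000` for Apache, `max-age=2592000` for nginx) and the text gives no reason for it. `ssl_ecdh_curve sect571k1;` names a binary curve that the browsers in the tested-client list probably do not offer, in which case the ECDHE suites would never be negotiated; this should be checked against those clients before it is recommended.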