no need for "\" anymore
[ach-master.git] / src / practical_settings.tex
index cb1ae17..08a4e32 100644 (file)
 \section{Recommendations on practical settings}
 
 
-\subsection{SSL}
-
-%%% NOTE: we do not need to list this all here, can move to an appendix
-%At the time of this writing, SSL is defined in RFCs:  
-%
-%\begin{itemize}
-%\item RFC2246 - TLS1.0                
-%\item RFC3268 - AES           
-%\item RFC4132 - Camelia               
-%\item RFC4162 - SEED          
-%\item RFC4279 - PSK           
-%\item RFC4346 - TLS 1.1               
-%\item RFC4492 - ECC           
-%\item RFC4785 - PSK\_NULL             
-%\item RFC5246 - TLS 1.2               
-%\item RFC5288 - AES\_GCM              
-%\item RFC5289 - AES\_GCM\_SHA2\_ECC           
-%\item RFC5430 - Suite B               
-%\item RFC5487 - GCM\_PSK              
-%\item RFC5489 - ECDHE\_PSK            
-%\item RFC5932 - Camelia               
-%\item RFC6101 - SSL 3.0               
-%\item RFC6209 - ARIA          
-%\item RFC6367 - Camelia               
-%\item RFC6655 - AES\_CCM              
-%\item RFC7027 - Brainpool Curves              
-%\end{itemize}
-
-\subsubsection{Overview of SSL Server settings}
-
-Most Server software (Webservers, Mail servers, etc.) can be configured to prefer certain cipher suites over others. 
-We followed the recommendations by Ivan Ristic's SSL/TLS Deployment Best Practices\footnote{\url{https://www.ssllabs.com/projects/best-practices/index.html}} document (see section 2.2 "Use Secure Protocols") and arrived at a list of recommended cipher suites for SSL enabled servers.
-
-Following Ivan Ristic's adivce we arrived at a categorisation of cipher suites.
-
-\begin{center}
-\begin{tabular}{| l | l | l | l | l|}
-\hline
-& Version   & Key\_Exchange  & Cipher    & MAC       \\ \hline
-\cellcolor{green}prefer  & TLS 1.2   & DHE\_DSS   & AES\_256\_GCM   & SHA384        \\ \hline
-    &   & DHE\_RSA   & AES\_256\_CCM   & SHA256        \\ \hline
-    &   & ECDHE\_ECDSA   & AES\_256\_CBC   &       \\ \hline
-    &   & ECDHE\_RSA &   &       \\ \hline
-    &   &   &   &       \\ \hline
-\cellcolor{orange}consider    & TLS 1.1   & DH\_DSS    & AES\_128\_GCM   & SHA       \\ \hline
-    & TLS 1.0   & DH\_RSA    & AES\_128\_CCM   &       \\ \hline
-    &   & ECDH\_ECDSA    & AES\_128\_CBC   &       \\ \hline
-    &   & ECDH\_RSA  & CAMELLIA\_256\_CBC  &       \\ \hline
-    &   & RSA   & CAMELLIA\_128\_CBC  &       \\ \hline
-    &   &   &   &       \\ \hline
-\cellcolor{red}avoid   
-& SSL 3.0   & NULL  & NULL  & NULL      \\ \hline
-    &   & DH\_anon   & RC4\_128   & MD5       \\ \hline
-    &   & ECDH\_anon & 3DES\_EDE\_CBC  &       \\ \hline
-    &   &   & DES\_CBC   &       \\ \hline
-    &   &   &   &       \\ \hline
-\cellcolor{blue}{\color{white}special }
-&   & PSK   & CAMELLIA\_256\_GCM  &       \\ \hline
-    &   & DHE\_PSK   & CAMELLIA\_128\_GCM  &       \\ \hline
-    &   & RSA\_PSK   & ARIA\_256\_GCM  &       \\ \hline
-    &   & ECDHE\_PSK & ARIA\_256\_CBC  &       \\ \hline
-    &   &   & ARIA\_128\_GCM  &       \\ \hline
-    &   &   & ARIA\_128\_CBC  &       \\ \hline
-    &   &   & SEED  &       \\ \hline
-\end{tabular}
-\end{center}
-
-A remark on the ``consider'' section: the BSI (Federal office for information security, Germany) recommends in its technical report TR-02102-2\footnote{\url{https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2_pdf.html}} to \textbf{avoid} non-ephemeral\footnote{ephemeral keys are session keys which are destroyed upon termination of the encrypted session. In TLS/SSL, they are realized by the DHE cipher suites. } keys for any communication which might contain personal or sensitive data. In this document, we follow BSI's advice and therefore only keep cipher suites containing (EC)DH\textbf{E} (ephemeral) variants. System administrators, who can not use forward secrecy can still use the cipher suites in the ``consider'' section. We however, do not recommend them in this document.
-
-%% NOTE: s/forward secrecy/perfect forward secrecy???
-
-Note that the entries marked as ``special'' are cipher suites which are not common to all clients (webbrowsers etc).
-
-
-\subsubsection{Tested clients}
-Next we tested the cipher suites above on the following clients:
-
-%% NOTE: we need to test with more systems!!
-\begin{itemize}
-\item Chrome 30.0.1599.101 Mac OS X 10.9
-\item Safari 7.0 Mac OS X 10.9
-\item Firefox 25.0 Mac OS X 10.9
-\item Internet Explorer 10 Windows 7
-\item Apple iOS 7.0.3
-\end{itemize}
-
-
-The result of testing the cipher suites with these clients gives us a preference order as shown in table \ref{table:prefOrderCipherSuites}. 
-Should a client not be able to use a specific cipher suite, it will fall back to the next possible entry as given by the ordering.
-
-\begin{center}
-\begin{table}[h]
-\small
-    \begin{tabular}{|l|l|l|l|l|}
-    \hline
-    Pref & Cipher Suite                                   & ID         & Browser                     \\ \hline
-    1    & TLS\_DHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384    &     0x009f & OpenSSL command line client \\ \hline
-    2    & TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA384 &     0xC024 & Safari                      \\ \hline
-    3    & TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384   &     0xC028 & Safari                      \\ \hline
-    4    & TLS\_DHE\_RSA\_WITH\_AES\_256\_CBC\_SHA256     &     0x006B & Safari, Chrome              \\ \hline
-    5    & TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA    &     0xC00A & Safari, Chrome, Firefox, IE \\ \hline
-    6    & TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA      &     0xC014 & Safari, Chrome, Firefox, IE \\ \hline
-    7    & TLS\_DHE\_RSA\_WITH\_AES\_256\_CBC\_SHA        &     0x0039 & Safari, Chrome, Firefox     \\ \hline
-    8    & TLS\_DHE\_DSS\_WITH\_AES\_256\_CBC\_SHA        &     0x0038 & Firefox, IE                 \\ \hline
-    9    & TLS\_DHE\_RSA\_WITH\_CAMELLIA\_256\_CBC\_SHA   &     0x0088 & Firefox                     \\ \hline
-    10   & TLS\_DHE\_DSS\_WITH\_CAMELLIA\_256\_CBC\_SHA   &     0x0087 & Firefox                     \\ \hline
-    \end{tabular}
-\caption{Preference order of cipher suites}
-\label{table:prefOrderCipherSuites}
-\end{table}
-\end{center}
-
-
-Table \ref{table:prefOrderOpenSSLNames} shows the same data again with specifying the corresponding OpenSSL name.
-
-\begin{center}
-\begin{table}[h]
-\small
-    \begin{tabular}{|l|l|l|}
-    \hline
-    Cipher Suite                                   & ID         & OpenSSL Name                  \\ \hline
-    TLS\_DHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384     &    0x009f &         DHE-RSA-AES256-GCM-SHA384 \\ \hline
-    TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA384 &     0xC024 &     ECDHE-ECDSA-AES256-SHA384 \\ \hline
-    TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384   &     0xC028 &     ECDHE-RSA-AES256-SHA384   \\ \hline
-    TLS\_DHE\_RSA\_WITH\_AES\_256\_CBC\_SHA256     &     0x006B &     DHE-RSA-AES256-SHA256     \\ \hline
-    TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA    &     0xC00A &     ECDHE-ECDSA-AES256-SHA    \\ \hline
-    TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA      &     0xC014 &     ECDHE-RSA-AES256-SHA      \\ \hline
-    TLS\_DHE\_RSA\_WITH\_AES\_256\_CBC\_SHA        &     0x0039 &     DHE-RSA-AES256-SHA        \\ \hline
-    TLS\_DHE\_DSS\_WITH\_AES\_256\_CBC\_SHA        &     0x0038 &     DHE-DSS-AES256-SHA        \\ \hline
-    TLS\_DHE\_RSA\_WITH\_CAMELLIA\_256\_CBC\_SHA   &     0x0088 &     DHE-RSA-CAMELLIA256-SHA   \\ \hline
-    TLS\_DHE\_DSS\_WITH\_CAMELLIA\_256\_CBC\_SHA   &     0x0087 &     DHE-DSS-CAMELLIA256-SHA   \\ \hline
-    \end{tabular}
-\caption{Preference order of cipher suites, with OpenSSL names}
-\label{table:prefOrderOpenSSLNames}
-\end{table}
-\end{center}
-
-Note: the tables \ref{table:prefOrderOpenSSLNames} and \ref{table:prefOrderCipherSuites} contain Elliptic curve key exchanges. There are currently strong doubts\footnote{\url{http://safecurves.cr.yp.to/rigid.html}} concerning ECC.
-If unsure, remove the cipher suites starting with ECDHE in the table above.
-
-
-Based on this ordering, we can now define the corresponding settings for servers. We will start with the most common web servers
+\subsection{Webservers}
 
 \subsubsection{Apache}
 
-Note: a "\textbackslash" (backslash) denotes a line continuation which was wrapped due to formatting reasons here. Do not copy it verbatim.
+
 
 %-All +TLSv1.1 +TLSv1.2
-\begin{verbatim}
+\begin{lstlisting}[breaklines]
   SSLProtocol All -SSLv2 -SSLv3 
   SSLHonorCipherOrder On
   SSLCompression off
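Review bot: the removal of the whole \subsection{SSL} block (cipher-suite categorisation, tested clients, both preference tables and the ECC note) goes well beyond the commit subject, which only mentions the backslash note, and it deletes the labels table:prefOrderCipherSuites and table:prefOrderOpenSSLNames. If the section has moved to another file, say so in the commit message and check that no remaining \ref points at those labels; otherwise split the removal into its own commit. The single "+" empty line that replaces the backslash note also just extends the run of blank lines before the Apache listing and can be dropped.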
@@ -160,61 +18,84 @@ Note: a "\textbackslash" (backslash) denotes a line continuation which was wrapp
   # ALL subdomains HAVE TO support https if you use this!
   # Strict-Transport-Security: max-age=15768000 ; includeSubDomains
 
-  SSLCipherSuite  DHE+AESGCM:\
-    ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:\
-    DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-SHA:\
-    ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:\
-    DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:\
-    DHE-DSS-CAMELLIA256-SHA:!ADH:!AECDH:!MD5:!DSS
-\end{verbatim}
+  SSLCipherSuite 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA'
+\end{lstlisting}
 
 Note again, that any cipher suite starting with ECDHE  can be omitted in case of doubt.
 %% XXX NOTE TO SELF: remove from future automatically generated lists!
 
 You should redirect everything to httpS:// if possible. In Apache you can do this with the following setting inside of a VirtualHost environment:
 
-\begin{verbatim}
+\begin{lstlisting}[breaklines]
   <VirtualHost *:80>
    #...
    RewriteEngine On
         RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=permanent]
    #...
   </VirtualHost>
-\end{verbatim}
+\end{lstlisting}
 
 %XXXX   ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
 
 
+\subsubsection{lighttpd}
+
+
+
+%% Note: need to be checked / reviewed
+
+%% Complete ssl.cipher-list with same algo than Apache
+%% Currently this is only the default proposed lighttpd config for SSL
+\begin{lstlisting}[breaklines]
+  $SERVER["socket"] == "0.0.0.0:443" {
+    ssl.engine  = "enable"
+    ssl.use-sslv2 = "disable"
+    ssl.use-sslv3 = "disable"
+    ssl.use-compression = "disable"
+    ssl.pemfile = "/etc/lighttpd/server.pem"
+    ssl.cipher-list = 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA'
+    ssl.honor-cipher-order = "enable"
+  }
+\end{lstlisting}
+
+As for any other webserver, you should redirect automatically http traffic toward httpS:\footnote{That proposed configuration is directly coming from lighttpd documentation: \url{http://redmine.lighttpd.net/projects/1/wiki/HowToRedirectHttpToHttps}}
+
+\begin{lstlisting}[breaklines]
+  $HTTP["scheme"] == "http" {
+    # capture vhost name with regex conditiona -> %0 in redirect pattern
+    # must be the most inner block to the redirect rule
+    $HTTP["host"] =~ ".*" {
+        url.redirect = (".*" => "https://%0$0")
+    }
+  }
+\end{lstlisting}
 
 \subsubsection{nginx}
 
-\begin{verbatim}
+
+
+\begin{lstlisting}[breaklines]
   ssl_prefer_server_ciphers on;
   ssl_protocols -SSLv2 -SSLv3; 
-  ssl_ciphers DHE+AESGCM:\
-    ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:\
-    DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-SHA:\
-    ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:\
-    DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:\
-    DHE-DSS-CAMELLIA256-SHA:!ADH:!AECDH:!MD5:!DSS;
+  ssl_ciphers 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA';
   add_header Strict-Transport-Security max-age=2592000;
   add_header X-Frame-Options DENY;
-\end{verbatim}
+\end{lstlisting}
 
 %% XXX FIXME: do we need to specify dhparams? Parameter: ssl_dhparam = file. See: http://wiki.nginx.org/HttpSslModule#ssl_protocols
 
 
 If you decide to trust NIST's ECC curve recommendation, you can add the following line to nginx's configuration file to select special curves:
 
-\begin{verbatim}
+\begin{lstlisting}[breaklines]
   ssl_ecdh_curve          sect571k1;
-\end{verbatim}
+\end{lstlisting}
 
 You should redirect everything to httpS:// if possible. In Nginx you can do this with the following setting:
 
-\begin{verbatim}
+\begin{lstlisting}[breaklines]
   rewrite     ^(.*)   https://$host$1 permanent;
-\end{verbatim}
+\end{lstlisting}
 
 %\subsubsection{openssl.conf settings}
 
@@ -223,6 +104,8 @@ You should redirect everything to httpS:// if possible. In Nginx you can do this
 \subsubsection{MS IIS}
 \label{sec:ms-iis}
 
+
+
 When trying to avoid RC4 and CBC (BEAST-Attack) and requiring perfect
 forward secrecy, Microsoft Internet Information Server (IIS) supports
 ECDSA, but does not support RSA for key exchange (consider ECC suite
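Review bot: the only change in this hunk is two empty lines after \label{sec:ms-iis}, which produce no difference in the typeset output. Drop them so the patch touches only lines that change content; if they are leftovers from a removed note, that note is not visible here.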
@@ -291,30 +174,31 @@ Not supported Clients:
 \end{enumerate}
 
 
-
+\subsection{Mail and POP/IMAP Servers}
 \subsubsection{Dovecot}
 
+
+
 Dovecot 2.2:
 
 % Example: http://dovecot.org/list/dovecot/2013-October/092999.html
 
-\begin{verbatim}
-  ssl_cipher_list = DHE+AESGCM:\
-    ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:\
-    DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-SHA:\
-    ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:\
-    DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:\
-    DHE-DSS-CAMELLIA256-SHA:!ADH:!AECDH:!MD5:!DSS
+\begin{lstlisting}[breaklines]
+  ssl_cipher_list = 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA'
   ssl_prefer_server_ciphers = yes
-\end{verbatim}
+\end{lstlisting}
 
 Dovecot 2.1: Almost as good as dovecot 2.2. Does not support ssl\_prefer\_server\_ciphers
 
 
 \subsubsection{Cyrus}
 
+\todo{write this subsubsection}
+
 \subsubsection{UW}
 
+\todo{write this subsubsection}
+
 Another option to secure IMAPs servers is to place them behind an stunnel server. 
 
 % XXX config von Adi?
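Review bot: \todo{write this subsubsection} is used under Cyrus and UW, but nothing in this diff defines \todo or loads a package that provides it, so the build depends on a preamble change that is not part of this patch; please confirm it exists. Under UW the placeholder now sits directly above the stunnel sentence, which makes stunnel read as the UW content; give that sentence its own paragraph or subsubsection. The new \subsection{Mail and POP/IMAP Servers} also has no \label, unlike sec:ms-iis.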
@@ -325,32 +209,52 @@ Another option to secure IMAPs servers is to place them behind an stunnel server
 
 \subsubsection{Postfix}
 
+
+
 First, you need to generate Diffie Hellman parameters (please first take a look at the section \ref{section:PRNG}):
 
-\begin{verbatim}
+\begin{lstlisting}[breaklines]
   % openssl gendh -out /etc/postfix/dh_param_512.pem -2 512
   % openssl gendh -out /etc/postfix/dh_param_1024.pem -2 1024
-\end{verbatim}
+\end{lstlisting}
 
 Next, we specify these DH parameters in the postfix config file:
 
-\begin{verbatim}
+\begin{lstlisting}[breaklines]
   smtpd_tls_dh512_param_file = /etc/postfix/dh_param_512.pem
   smtpd_tls_dh1024_param_file = /etc/postfix/dh_param_1024.pem
-  smtpd_tls_protocols = !SSLv2, !SSLv3
+\end{lstlisting}
+
+You usually don't want restrictions on the ciphers for opportunistic
+encryption, because any encryption is better than plain text. 
+
+For submission (Port 587) or other special cases, however, you want to
+enforce strong encryption. In addition to the below entries in
+main.cf, you need to enable ``mandatory`` encryption for the
+respective service, e.g. by adding ``-o
+smtpd\_tls\_security\_level=encrypt'' to the submission smtpd in
+master.cf.
+
+% don't -- this influences opportunistic encryption
+%  smtpd_tls_protocols = !SSLv2, !SSLv3
+
+\begin{lstlisting}[breaklines]
   smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+  tls_ssl_options=NO_COMPRESSION
+  smtpd_tls_mandatory_ciphers=high
+  tls_high_cipherlist='EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA'
   tls_preempt_cipherlist = yes
   tls_random_source = dev:/dev/urandom         
     %% NOTE: might want to have /dev/random here + Haveged
-\end{verbatim}
+\end{lstlisting}
   
 For those users, who want to use ECC key exchange, it is possible to specify this via:
-\begin{verbatim}
+\begin{lstlisting}[breaklines]
   smtpd_tls_eecdh_grade = ultra
-\end{verbatim}
+\end{lstlisting}
 
 You can check the settings by specifying  smtpd\_tls\_loglevel = 1 and then check the selected ciphers with the following command:
-\begin{verbatim}
+\begin{lstlisting}[breaklines]
 $ zegrep "TLS connection established from.*with cipher" /var/log/mail.log | \
 > awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | sort | uniq -c | sort -n
       1 SSLv3 with cipher DHE-RSA-AES256-SHA
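Review bot: tls_high_cipherlist is set to a value wrapped in single quotes. As far as I know main.cf values are not shell-unquoted, so the quotes would end up in the string handed to OpenSSL; drop them or show with postconf that the effective value is clean. In the added prose, ``mandatory`` closes with two backticks instead of '', which typesets an opening quote on both sides. The context line "%% NOTE: might want to have /dev/random here + Haveged" sits inside the listing, so it is printed as part of the config rather than treated as a LaTeX comment; move it outside the lstlisting environment.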
@@ -358,17 +262,20 @@ $ zegrep "TLS connection established from.*with cipher" /var/log/mail.log | \
      60 TLSv1 with cipher ECDHE-RSA-AES256-SHA
     270 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
     335 TLSv1 with cipher DHE-RSA-AES256-SHA
-\end{verbatim}
+\end{lstlisting}
 
 Source: \url{http://www.postfix.org/TLS_README.html}
 
 \subsubsection{SMTP: opportunistic TLS}
+
+\todo{write this subsubsection}
+
 % do we need to documment starttls in detail?
 %\subsubsection{starttls?}
 
 \subsection{SSH}
 
-\begin{verbatim}
+\begin{lstlisting}[breaklines]
        RSAAuthentication yes
        PermitRootLogin no
        StrictModes yes
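Review bot: \begin{lstlisting}[breaklines] on the SSH block repeats the option that every converted listing in this patch carries. Set breaklines once in a global \lstset, and since the manual backslash continuation is being dropped, define a visible wrap marker there as well (the listings prebreak/postbreak keys) so a reader can tell a typeset line break from a real one in the config.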
@@ -376,19 +283,22 @@ Source: \url{http://www.postfix.org/TLS_README.html}
        Ciphers aes256-ctr
        MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
        KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1
-\end{verbatim}
+\end{lstlisting}
 
 % XXX: curve25519-sha256@libssh.org only available upstream(!)
 Note: older linux systems won't support SHA2, PuTTY does not support RIPE-MD160.
 
 \subsection{OpenVPN}
 
+\todo{write this subsection}
+
 \subsection{IPSec}
+\todo{write this subsection}
 
 \subsection{PGP}
 
-\subsection{PRNG settings}
-\label{section:PRNG}
+\todo{write this subsection}
+
 
 
 %%% Local Variables:
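Review bot: removing \subsection{PRNG settings} together with \label{section:PRNG} leaves the Postfix text "please first take a look at the section \ref{section:PRNG}" pointing at a label this file no longer defines. Either keep the subsection as a \todo placeholder like OpenVPN and IPSec so the label survives, or confirm the label is now defined in another file. The \todo under \subsection{IPSec} is also the only one added without a blank line after the heading.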