FOGProject / fogproject

An open source computer cloning & management system
https://fogproject.org
GNU General Public License v3.0

Apache SSL Configuration #366

Closed astrugatch closed 2 months ago

astrugatch commented 4 years ago

Apache SSL configuration should be updated to support TLS 1.2 at minimum and no old suites.

https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.4

Sebastian-Roth commented 4 years ago

Good point. As mentioned in the forums we need to do testing: fog-client, iPXE boot, storage node setups (php-curl)...

Sebastian-Roth commented 4 years ago

@astrugatch Just wondering if you'd help us test these settings to make sure all FOG does is still running properly with the settings suggested in the forums:

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

astrugatch commented 4 years ago

@Sebastian-Roth Normally I would say absolutely. But we are a school district and completely closed. Even if I made the changes I couldn't test thoroughly right now as we don't have any active clients on the network.

Sebastian-Roth commented 4 years ago

@astrugatch Sure, I see that situation prevents you from doing so right now. We'll see in a few weeks how things evolve. Thanks for your quick answer.

astrugatch commented 4 years ago

You know what. I just realized I have a few VMs that are enrolled, on, and now unnecessary due to state testing being canceled. I’ll snapshot my fog install and test this a little later.

astrugatch commented 4 years ago

Only had a few minutes to test. Web UI still worked, but pxe with undionly.kpxe failed (the only machine I had access to that was enrolled is a BIOS VM). Didn't have enough time to test the client.

(Screenshot attached: Screen Shot 2020-03-27 at 8 17 13 PM)

Sebastian-Roth commented 4 years ago

@astrugatch Sorry I never got the time to take a closer look at this. Have you figured out why it errors out using your HTTPS config?

astrugatch commented 4 years ago

@Sebastian-Roth No. We are still working remotely and the only devices that can pxe onsite that I can remotely access are Xen VMs that are hit and miss with PXE at best so I didn’t think they were suitable tests.

Normally I would spin up some tests at home but I have my kids home and can barely get my work done as is.

astrugatch commented 4 years ago

Got to spin up a test really quickly at home. Found a few things.

1) The PXE failure is caused by the (Mozilla's) selection of CipherSuite. Haven't dug into exactly the cause yet, but that's definitely the line.

2) SSLProtocol can actually just be set to TLSv1.3, not "all -SSLv3" etc. As an aside, SSLv2 isn't even an option in Apache anymore, so the "-SSLv2" can be removed from the config regardless. This is assuming folks are using a modern browser, which honestly I don't see the reason people wouldn't be.

astrugatch commented 4 years ago

@Sebastian-Roth

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
(OR simply TLSv1.3)
SSLHonorCipherOrder off
SSLSessionTickets off

This config works fine with both PXE and web UI in my limited testing. Going to TLSv1.3 only negates the need for specifying ciphersuite.

https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1d&guideline=5.4

Sebastian-Roth commented 4 years ago

@astrugatch Thanks for the update! Have you tested the fog-client with that setup yet? As well storage node setup (replication, ...) would be important to test.

As we are working on a release candidate at the moment I would argue against adding this to the latest dev-branch code. It's got too many consequences that we might not be able to test thoroughly while focusing on the RC work.

@mastacontrola Shall we add this to FOG working-1.6 to be included in the branch of development?

astrugatch commented 4 years ago

@Sebastian-Roth I will make a client machine later and see how that goes. I will have to spin up another VM to test replication.

astrugatch commented 4 years ago

@Sebastian-Roth

And of course I am getting different results today. I am going to try and test more in depth to see where my issue is.

astrugatch commented 4 years ago

This will probably need to be put on hold. Talked to some folks at iPXE and this will be the limiting factor. Currently iPXE doesn’t support the most current ssl configs.

Sebastian-Roth commented 3 years ago

@astrugatch Hi, hope you are doing fine. Just found this issue report and was wondering what to do with it. Do you find the time to look into that again?

astrugatch commented 3 years ago

My role changed last year and our Windows footprint has gotten smaller, so I have not been managing our FOG install anymore. It's there, but I haven't gotten to look closer at this. As I recall, the last thing I found was that the more restrictive settings weren't supported by iPXE, so if this is something the FOG team is going to pursue, that would be the thread to pull on to see if they've updated support for TLS 1.2 and 1.3.

Sebastian-Roth commented 2 years ago

@astrugatch Just wondering if you are back to FOG and would find some time to test this before we merge it into the official code.

astrugatch commented 2 years ago

I am back on site and using FOG again (though my Windows footprint keeps shrinking). I can snapshot my VM and give this config a test maybe early next week.

astrugatch commented 2 years ago

Just to confirm, is this the config we are testing (it's been a while):

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

Sebastian-Roth commented 2 years ago

If that's what you get from https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.4 then I would say yes. Don't worry about the apache version as those two parameters shouldn't depend on the apache version at all.

astrugatch commented 2 years ago

This seems to break PXE boot. Not sure what the issue is. I know my install has been upgraded in place a bunch and migrated between hosts, so I don't always trust my results on this system. I want to do a clean install on a fresh VM to really put the config through its paces. I am going to spin up a VM on my homelab so I don't need to mess with my production server so much. I'm gonna try to do that over the weekend.

astrugatch commented 2 years ago

With the exact config: Web UI is good, PXE fails to boot. Didn't test the client as failed PXE is kinda a non-starter. I'm going to just change SSLProtocol and see if I can tune the cipher suite to its best available option. Gonna work off this list: https://ipxe.org/crypto

astrugatch commented 2 years ago

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

This is good for Web UI and PXE. Testing client now.

Sebastian-Roth commented 2 years ago

@astrugatch You need to use the "fixed-tls" 0.12.0 version or the latest 0.12.1 I think. Otherwise it won't work I am sure.

PXE fails to boot.

Hmmm, looks like iPXE's crypto implementation needs an update to support modern cipher suites. Not something we have our hands on.

astrugatch commented 2 years ago

@Sebastian-Roth

Their supported ciphers are: RSA_WITH_AES_256_CBC_SHA256, RSA_WITH_AES_128_CBC_SHA256, RSA_WITH_AES_256_CBC_SHA, and RSA_WITH_AES_128_CBC_SHA

I'm going to try including only the highest and add it to the list of supported ciphers from Mozilla and see how that goes for PXE.

Haven't gotten a base machine set up yet to test the client.

Sebastian-Roth commented 2 years ago

@astrugatch Did you get to test this yet?

astrugatch commented 2 years ago

@Sebastian-Roth Unfortunately work and home have gotten busy again. I want to contribute but I don’t have the time to dedicate to setting up a test environment and I no longer manage the prod environment (moved from sysadmin to management).

darksidemilk commented 2 months ago

@astrugatch

We recently updated the default ciphers in 1.6 (and I believe this is in the latest stable version too)

SSLEngine On
SSLProtocol -all +TLSv1.2
SSLCipherSuite HIGH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:!MEDIUM:!LOW
SSLHonorCipherOrder Off
SSLSessionTickets Off

We utilized https://ssl-config.mozilla.org and modified the recommendations for our versions slightly by making TLS 1.2 the only protocol, making 'HIGH' the default suite selection, and adding exclusions of any "medium" or "low" security ciphers at the end of the list.

I have tested this with pxe boot and didn't have an issue.

Let me know if you feel like this is enough to close this out. If we don't hear anything we'll go ahead and close this.
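As an added example (not part of this thread or of FOG's own code), the following Python script checks whether a proposed Apache SSLCipherSuite string leaves any of the iPXE-supported cipher suites quoted above enabled, which is the compatibility question that kept breaking PXE boot in this thread. It uses the local OpenSSL (via the standard `ssl` module) to expand aliases such as HIGH, !MEDIUM and !LOW from the 1.6 config; the IANA-to-OpenSSL cipher name mapping is the standard one, and the three suite strings are those discussed in the thread.

```python
import ssl

# iPXE's supported TLS cipher suites (IANA names, per https://ipxe.org/crypto as
# quoted in the thread) mapped to the OpenSSL names Apache's SSLCipherSuite uses.
IPXE_CIPHERS = {
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "AES256-SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
}

# Cipher strings discussed in the thread.
MOZILLA_INTERMEDIATE = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)
FOG_16 = "HIGH:" + MOZILLA_INTERMEDIATE + ":DHE-RSA-CHACHA20-POLY1305:!MEDIUM:!LOW"
# What astrugatch proposed trying: the Mozilla list plus iPXE's strongest suite.
INTERMEDIATE_PLUS_IPXE = MOZILLA_INTERMEDIATE + ":AES256-SHA256"


def expand_cipher_suite(suite: str) -> set[str]:
    """Expand an SSLCipherSuite string into the TLS <= 1.2 ciphers the local
    OpenSSL would actually enable for it (OpenSSL resolves aliases such as
    HIGH or !MEDIUM). TLS 1.3 suites are excluded: SSLCipherSuite does not
    govern them, which is why a TLSv1.3-only server needs no suite list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(suite)
    except ssl.SSLError:
        return set()  # nothing in the string is usable by this OpenSSL build
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def ipxe_compatible(suite: str) -> set[str]:
    """Ciphers from `suite` that an iPXE client could negotiate; an empty set
    means HTTPS boot through iPXE fails at the handshake, as seen in the thread."""
    return expand_cipher_suite(suite) & set(IPXE_CIPHERS.values())


if __name__ == "__main__":
    for label, suite in [("Mozilla intermediate", MOZILLA_INTERMEDIATE),
                         ("FOG 1.6 default", FOG_16),
                         ("intermediate + AES256-SHA256", INTERMEDIATE_PLUS_IPXE)]:
        ok = ipxe_compatible(suite)
        print(f"{label}: {'OK ' + ','.join(sorted(ok)) if ok else 'iPXE cannot connect'}")
```

Run it on the server whose OpenSSL Apache links against, since alias expansion (and the resulting set) depends on that build.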