microsoft / omi

Open Management Infrastructure

Clearer TLS guidance and sslciphersuite examples for omiserver #673

Closed mabicca closed 12 months ago

mabicca commented 4 years ago

Hi Everyone,

Would it be possible to add a few more details to our guidance regarding TLS 1.2? We have lots of users asking for guidance, and it seems not to be as clear as it should be; hopefully we can make this experience better.

For users that still have the process listening locally, there is an easy way to check for weak ciphers using this script:

#!/bin/bash
# Usage: ./openssl-ciphers.sh <host> <port>  -- prints every protocol/cipher pair the server accepts
for v in ssl2 ssl3 tls1 tls1_1 tls1_2 tls1_3; do
  # TLS 1.3 suites are selected with -ciphersuites, not -cipher; with -cipher the client
  # still offers the default TLS 1.3 suites, so every legacy name would wrongly "succeed".
  if [ "$v" = tls1_3 ]; then list=$(openssl ciphers -s -tls1_3 2>/dev/null); opt=-ciphersuites
  else list=$(openssl ciphers 'ALL:eNULL'); opt=-cipher; fi
  for c in $(printf '%s' "$list" | tr ':' ' '); do
    openssl s_client -connect "$1:$2" "$opt" "$c" "-$v" </dev/null >/dev/null 2>&1 \
      && printf '%s:\t%s\n' "$v" "$c"
  done
done

If you are running it locally you can quickly use the line below (assuming you saved the script as openssl-ciphers.sh and made it executable with chmod +x openssl-ciphers.sh):

./openssl-ciphers.sh localhost 5986

In this specific case I added a strong cipher suite option to the omiserver.conf: sslciphersuite=EECDH+AESGCM:EDH+AESGCM

The output of the script shows that omiserver only accepts TLS 1.2 and 1.3, and all the supported ciphers:

tls1_2: ECDHE-RSA-AES256-GCM-SHA384
tls1_2: ECDHE-RSA-AES128-GCM-SHA256
tls1_3: TLS_AES_256_GCM_SHA384
tls1_3: TLS_CHACHA20_POLY1305_SHA256
tls1_3: TLS_AES_128_GCM_SHA256
tls1_3: ECDHE-ECDSA-AES256-GCM-SHA384
tls1_3: ECDHE-RSA-AES256-GCM-SHA384
tls1_3: DHE-DSS-AES256-GCM-SHA384
tls1_3: DHE-RSA-AES256-GCM-SHA384
tls1_3: ECDHE-ECDSA-CHACHA20-POLY1305
tls1_3: ECDHE-RSA-CHACHA20-POLY1305
tls1_3: DHE-RSA-CHACHA20-POLY1305
tls1_3: ECDHE-ECDSA-AES256-CCM8
tls1_3: ECDHE-ECDSA-AES256-CCM
tls1_3: DHE-RSA-AES256-CCM8
tls1_3: DHE-RSA-AES256-CCM
tls1_3: ECDHE-ECDSA-ARIA256-GCM-SHA384
tls1_3: ECDHE-ARIA256-GCM-SHA384
tls1_3: DHE-DSS-ARIA256-GCM-SHA384
tls1_3: DHE-RSA-ARIA256-GCM-SHA384
tls1_3: ADH-AES256-GCM-SHA384
tls1_3: ECDHE-ECDSA-AES128-GCM-SHA256
tls1_3: ECDHE-RSA-AES128-GCM-SHA256
tls1_3: DHE-DSS-AES128-GCM-SHA256
tls1_3: DHE-RSA-AES128-GCM-SHA256
tls1_3: ECDHE-ECDSA-AES128-CCM8
tls1_3: ECDHE-ECDSA-AES128-CCM
tls1_3: DHE-RSA-AES128-CCM8
tls1_3: DHE-RSA-AES128-CCM
tls1_3: ECDHE-ECDSA-ARIA128-GCM-SHA256
tls1_3: ECDHE-ARIA128-GCM-SHA256
tls1_3: DHE-DSS-ARIA128-GCM-SHA256
tls1_3: DHE-RSA-ARIA128-GCM-SHA256
tls1_3: ADH-AES128-GCM-SHA256
tls1_3: ECDHE-ECDSA-AES256-SHA384
tls1_3: ECDHE-RSA-AES256-SHA384
tls1_3: DHE-RSA-AES256-SHA256
tls1_3: DHE-DSS-AES256-SHA256
tls1_3: ECDHE-ECDSA-CAMELLIA256-SHA384
tls1_3: ECDHE-RSA-CAMELLIA256-SHA384
tls1_3: DHE-RSA-CAMELLIA256-SHA256
tls1_3: DHE-DSS-CAMELLIA256-SHA256
tls1_3: ADH-AES256-SHA256
tls1_3: ADH-CAMELLIA256-SHA256
tls1_3: ECDHE-ECDSA-AES128-SHA256
tls1_3: ECDHE-RSA-AES128-SHA256
tls1_3: DHE-RSA-AES128-SHA256
tls1_3: DHE-DSS-AES128-SHA256
tls1_3: ECDHE-ECDSA-CAMELLIA128-SHA256
tls1_3: ECDHE-RSA-CAMELLIA128-SHA256
tls1_3: DHE-RSA-CAMELLIA128-SHA256
tls1_3: DHE-DSS-CAMELLIA128-SHA256
tls1_3: ADH-AES128-SHA256
tls1_3: ADH-CAMELLIA128-SHA256
tls1_3: ECDHE-ECDSA-AES256-SHA
tls1_3: ECDHE-RSA-AES256-SHA
tls1_3: DHE-RSA-AES256-SHA
tls1_3: DHE-DSS-AES256-SHA
tls1_3: DHE-RSA-CAMELLIA256-SHA
tls1_3: DHE-DSS-CAMELLIA256-SHA
tls1_3: AECDH-AES256-SHA
tls1_3: ADH-AES256-SHA
tls1_3: ADH-CAMELLIA256-SHA
tls1_3: ECDHE-ECDSA-AES128-SHA
tls1_3: ECDHE-RSA-AES128-SHA
tls1_3: DHE-RSA-AES128-SHA
tls1_3: DHE-DSS-AES128-SHA
tls1_3: DHE-RSA-SEED-SHA
tls1_3: DHE-DSS-SEED-SHA
tls1_3: DHE-RSA-CAMELLIA128-SHA
tls1_3: DHE-DSS-CAMELLIA128-SHA
tls1_3: AECDH-AES128-SHA
tls1_3: ADH-AES128-SHA
tls1_3: ADH-SEED-SHA
tls1_3: ADH-CAMELLIA128-SHA
tls1_3: RSA-PSK-AES256-GCM-SHA384
tls1_3: DHE-PSK-AES256-GCM-SHA384
tls1_3: RSA-PSK-CHACHA20-POLY1305
tls1_3: DHE-PSK-CHACHA20-POLY1305
tls1_3: ECDHE-PSK-CHACHA20-POLY1305
tls1_3: DHE-PSK-AES256-CCM8
tls1_3: DHE-PSK-AES256-CCM
tls1_3: RSA-PSK-ARIA256-GCM-SHA384
tls1_3: DHE-PSK-ARIA256-GCM-SHA384
tls1_3: AES256-GCM-SHA384
tls1_3: AES256-CCM8
tls1_3: AES256-CCM
tls1_3: ARIA256-GCM-SHA384
tls1_3: PSK-AES256-GCM-SHA384
tls1_3: PSK-CHACHA20-POLY1305
tls1_3: PSK-AES256-CCM8
tls1_3: PSK-AES256-CCM
tls1_3: PSK-ARIA256-GCM-SHA384
tls1_3: RSA-PSK-AES128-GCM-SHA256
tls1_3: DHE-PSK-AES128-GCM-SHA256
tls1_3: DHE-PSK-AES128-CCM8
tls1_3: DHE-PSK-AES128-CCM
tls1_3: RSA-PSK-ARIA128-GCM-SHA256
tls1_3: DHE-PSK-ARIA128-GCM-SHA256
tls1_3: AES128-GCM-SHA256
tls1_3: AES128-CCM8
tls1_3: AES128-CCM
tls1_3: ARIA128-GCM-SHA256
tls1_3: PSK-AES128-GCM-SHA256
tls1_3: PSK-AES128-CCM8
tls1_3: PSK-AES128-CCM
tls1_3: PSK-ARIA128-GCM-SHA256
tls1_3: AES256-SHA256
tls1_3: CAMELLIA256-SHA256
tls1_3: AES128-SHA256
tls1_3: CAMELLIA128-SHA256
tls1_3: ECDHE-PSK-AES256-CBC-SHA384
tls1_3: ECDHE-PSK-AES256-CBC-SHA
tls1_3: SRP-DSS-AES-256-CBC-SHA
tls1_3: SRP-RSA-AES-256-CBC-SHA
tls1_3: SRP-AES-256-CBC-SHA
tls1_3: RSA-PSK-AES256-CBC-SHA384
tls1_3: DHE-PSK-AES256-CBC-SHA384
tls1_3: RSA-PSK-AES256-CBC-SHA
tls1_3: DHE-PSK-AES256-CBC-SHA
tls1_3: ECDHE-PSK-CAMELLIA256-SHA384
tls1_3: RSA-PSK-CAMELLIA256-SHA384
tls1_3: DHE-PSK-CAMELLIA256-SHA384
tls1_3: AES256-SHA
tls1_3: CAMELLIA256-SHA
tls1_3: PSK-AES256-CBC-SHA384
tls1_3: PSK-AES256-CBC-SHA
tls1_3: PSK-CAMELLIA256-SHA384
tls1_3: ECDHE-PSK-AES128-CBC-SHA256
tls1_3: ECDHE-PSK-AES128-CBC-SHA
tls1_3: SRP-DSS-AES-128-CBC-SHA
tls1_3: SRP-RSA-AES-128-CBC-SHA
tls1_3: SRP-AES-128-CBC-SHA
tls1_3: RSA-PSK-AES128-CBC-SHA256
tls1_3: DHE-PSK-AES128-CBC-SHA256
tls1_3: RSA-PSK-AES128-CBC-SHA
tls1_3: DHE-PSK-AES128-CBC-SHA
tls1_3: ECDHE-PSK-CAMELLIA128-SHA256
tls1_3: RSA-PSK-CAMELLIA128-SHA256
tls1_3: DHE-PSK-CAMELLIA128-SHA256
tls1_3: AES128-SHA
tls1_3: SEED-SHA
tls1_3: CAMELLIA128-SHA
tls1_3: PSK-AES128-CBC-SHA256
tls1_3: PSK-AES128-CBC-SHA
tls1_3: PSK-CAMELLIA128-SHA256
tls1_3: ECDHE-ECDSA-NULL-SHA
tls1_3: ECDHE-RSA-NULL-SHA
tls1_3: AECDH-NULL-SHA
tls1_3: NULL-SHA256
tls1_3: ECDHE-PSK-NULL-SHA384
tls1_3: ECDHE-PSK-NULL-SHA256
tls1_3: ECDHE-PSK-NULL-SHA
tls1_3: RSA-PSK-NULL-SHA384
tls1_3: RSA-PSK-NULL-SHA256
tls1_3: DHE-PSK-NULL-SHA384
tls1_3: DHE-PSK-NULL-SHA256
tls1_3: RSA-PSK-NULL-SHA
tls1_3: DHE-PSK-NULL-SHA
tls1_3: NULL-SHA
tls1_3: NULL-MD5
tls1_3: PSK-NULL-SHA384
tls1_3: PSK-NULL-SHA256
tls1_3: PSK-NULL-SHA

What I would suggest is to at least add this info to our default omiserver.conf, so it is a little easier for users to see how they should configure it if needed, and to provide at least one good example:

# sslciphersuite
# The prioritized list of allowed SSL/TLS ciphers.
# For example, set sslciphersuite=ALL:!SSLv2:!SSLv3:!TLSv1:!RC4-MD5:!RC4-SHA:!SEED-SHA in /etc/opt/omi/conf/omiserver.conf to disable
# all SSLv2,SSLv3,TLSv1 ciphers and 3 weak ciphers: RC4-MD5,RC4-SHA,SEED-SHA
# Then run sudo /opt/omi/bin/service_control restart to take effect
# For more information, check man ciphers or search internet with openssl man ciphers
# Example of strong ciphers for TLS 1.2 
#sslciphersuite=EECDH+AESGCM:EDH+AESGCM

Just for reference, these are all the ciphers that are enabled when no specific cipher order is configured in omiserver.conf:

tls1_2: ECDHE-RSA-AES256-GCM-SHA384
tls1_2: ECDHE-RSA-CHACHA20-POLY1305
tls1_2: ECDHE-RSA-AES128-GCM-SHA256
tls1_2: ECDHE-RSA-AES256-SHA384
tls1_2: ECDHE-RSA-AES128-SHA256
tls1_2: ECDHE-RSA-AES256-SHA
tls1_2: ECDHE-RSA-AES128-SHA
tls1_2: AES256-GCM-SHA384
tls1_2: AES128-GCM-SHA256
tls1_2: AES256-SHA256
tls1_2: AES128-SHA256
tls1_2: AES256-SHA
tls1_2: AES128-SHA
tls1_3: TLS_AES_256_GCM_SHA384
tls1_3: TLS_CHACHA20_POLY1305_SHA256
tls1_3: TLS_AES_128_GCM_SHA256
tls1_3: ECDHE-ECDSA-AES256-GCM-SHA384
tls1_3: ECDHE-RSA-AES256-GCM-SHA384
tls1_3: DHE-DSS-AES256-GCM-SHA384
tls1_3: DHE-RSA-AES256-GCM-SHA384
tls1_3: ECDHE-ECDSA-CHACHA20-POLY1305
tls1_3: ECDHE-RSA-CHACHA20-POLY1305
tls1_3: DHE-RSA-CHACHA20-POLY1305
tls1_3: ECDHE-ECDSA-AES256-CCM8
tls1_3: ECDHE-ECDSA-AES256-CCM
tls1_3: DHE-RSA-AES256-CCM8
tls1_3: DHE-RSA-AES256-CCM
tls1_3: ECDHE-ECDSA-ARIA256-GCM-SHA384
tls1_3: ECDHE-ARIA256-GCM-SHA384
tls1_3: DHE-DSS-ARIA256-GCM-SHA384
tls1_3: DHE-RSA-ARIA256-GCM-SHA384
tls1_3: ADH-AES256-GCM-SHA384
tls1_3: ECDHE-ECDSA-AES128-GCM-SHA256
tls1_3: ECDHE-RSA-AES128-GCM-SHA256
tls1_3: DHE-DSS-AES128-GCM-SHA256
tls1_3: DHE-RSA-AES128-GCM-SHA256
tls1_3: ECDHE-ECDSA-AES128-CCM8
tls1_3: ECDHE-ECDSA-AES128-CCM
tls1_3: DHE-RSA-AES128-CCM8
tls1_3: DHE-RSA-AES128-CCM
tls1_3: ECDHE-ECDSA-ARIA128-GCM-SHA256
tls1_3: ECDHE-ARIA128-GCM-SHA256
tls1_3: DHE-DSS-ARIA128-GCM-SHA256
tls1_3: DHE-RSA-ARIA128-GCM-SHA256
tls1_3: ADH-AES128-GCM-SHA256
tls1_3: ECDHE-ECDSA-AES256-SHA384
tls1_3: ECDHE-RSA-AES256-SHA384
tls1_3: DHE-RSA-AES256-SHA256
tls1_3: DHE-DSS-AES256-SHA256
tls1_3: ECDHE-ECDSA-CAMELLIA256-SHA384
tls1_3: ECDHE-RSA-CAMELLIA256-SHA384
tls1_3: DHE-RSA-CAMELLIA256-SHA256
tls1_3: DHE-DSS-CAMELLIA256-SHA256
tls1_3: ADH-AES256-SHA256
tls1_3: ADH-CAMELLIA256-SHA256
tls1_3: ECDHE-ECDSA-AES128-SHA256
tls1_3: ECDHE-RSA-AES128-SHA256
tls1_3: DHE-RSA-AES128-SHA256
tls1_3: DHE-DSS-AES128-SHA256
tls1_3: ECDHE-ECDSA-CAMELLIA128-SHA256
tls1_3: ECDHE-RSA-CAMELLIA128-SHA256
tls1_3: DHE-RSA-CAMELLIA128-SHA256
tls1_3: DHE-DSS-CAMELLIA128-SHA256
tls1_3: ADH-AES128-SHA256
tls1_3: ADH-CAMELLIA128-SHA256
tls1_3: ECDHE-ECDSA-AES256-SHA
tls1_3: ECDHE-RSA-AES256-SHA
tls1_3: DHE-RSA-AES256-SHA
tls1_3: DHE-DSS-AES256-SHA
tls1_3: DHE-RSA-CAMELLIA256-SHA
tls1_3: DHE-DSS-CAMELLIA256-SHA
tls1_3: AECDH-AES256-SHA
tls1_3: ADH-AES256-SHA
tls1_3: ADH-CAMELLIA256-SHA
tls1_3: ECDHE-ECDSA-AES128-SHA
tls1_3: ECDHE-RSA-AES128-SHA
tls1_3: DHE-RSA-AES128-SHA
tls1_3: DHE-DSS-AES128-SHA
tls1_3: DHE-RSA-SEED-SHA
tls1_3: DHE-DSS-SEED-SHA
tls1_3: DHE-RSA-CAMELLIA128-SHA
tls1_3: DHE-DSS-CAMELLIA128-SHA
tls1_3: AECDH-AES128-SHA
tls1_3: ADH-AES128-SHA
tls1_3: ADH-SEED-SHA
tls1_3: ADH-CAMELLIA128-SHA
tls1_3: RSA-PSK-AES256-GCM-SHA384
tls1_3: DHE-PSK-AES256-GCM-SHA384
tls1_3: RSA-PSK-CHACHA20-POLY1305
tls1_3: DHE-PSK-CHACHA20-POLY1305
tls1_3: ECDHE-PSK-CHACHA20-POLY1305
tls1_3: DHE-PSK-AES256-CCM8
tls1_3: DHE-PSK-AES256-CCM
tls1_3: RSA-PSK-ARIA256-GCM-SHA384
tls1_3: DHE-PSK-ARIA256-GCM-SHA384
tls1_3: AES256-GCM-SHA384
tls1_3: AES256-CCM8
tls1_3: AES256-CCM
tls1_3: ARIA256-GCM-SHA384
tls1_3: PSK-AES256-GCM-SHA384
tls1_3: PSK-CHACHA20-POLY1305
tls1_3: PSK-AES256-CCM8
tls1_3: PSK-AES256-CCM
tls1_3: PSK-ARIA256-GCM-SHA384
tls1_3: RSA-PSK-AES128-GCM-SHA256
tls1_3: DHE-PSK-AES128-GCM-SHA256
tls1_3: DHE-PSK-AES128-CCM8
tls1_3: DHE-PSK-AES128-CCM
tls1_3: RSA-PSK-ARIA128-GCM-SHA256
tls1_3: DHE-PSK-ARIA128-GCM-SHA256
tls1_3: AES128-GCM-SHA256
tls1_3: AES128-CCM8
tls1_3: AES128-CCM
tls1_3: ARIA128-GCM-SHA256
tls1_3: PSK-AES128-GCM-SHA256
tls1_3: PSK-AES128-CCM8
tls1_3: PSK-AES128-CCM
tls1_3: PSK-ARIA128-GCM-SHA256
tls1_3: AES256-SHA256
tls1_3: CAMELLIA256-SHA256
tls1_3: AES128-SHA256
tls1_3: CAMELLIA128-SHA256
tls1_3: ECDHE-PSK-AES256-CBC-SHA384
tls1_3: ECDHE-PSK-AES256-CBC-SHA
tls1_3: SRP-DSS-AES-256-CBC-SHA
tls1_3: SRP-RSA-AES-256-CBC-SHA
tls1_3: SRP-AES-256-CBC-SHA
tls1_3: RSA-PSK-AES256-CBC-SHA384
tls1_3: DHE-PSK-AES256-CBC-SHA384
tls1_3: RSA-PSK-AES256-CBC-SHA
tls1_3: DHE-PSK-AES256-CBC-SHA
tls1_3: ECDHE-PSK-CAMELLIA256-SHA384
tls1_3: RSA-PSK-CAMELLIA256-SHA384
tls1_3: DHE-PSK-CAMELLIA256-SHA384
tls1_3: AES256-SHA
tls1_3: CAMELLIA256-SHA
tls1_3: PSK-AES256-CBC-SHA384
tls1_3: PSK-AES256-CBC-SHA
tls1_3: PSK-CAMELLIA256-SHA384
tls1_3: ECDHE-PSK-AES128-CBC-SHA256
tls1_3: ECDHE-PSK-AES128-CBC-SHA
tls1_3: SRP-DSS-AES-128-CBC-SHA
tls1_3: SRP-RSA-AES-128-CBC-SHA
tls1_3: SRP-AES-128-CBC-SHA
tls1_3: RSA-PSK-AES128-CBC-SHA256
tls1_3: DHE-PSK-AES128-CBC-SHA256
tls1_3: RSA-PSK-AES128-CBC-SHA
tls1_3: DHE-PSK-AES128-CBC-SHA
tls1_3: ECDHE-PSK-CAMELLIA128-SHA256
tls1_3: RSA-PSK-CAMELLIA128-SHA256
tls1_3: DHE-PSK-CAMELLIA128-SHA256
tls1_3: AES128-SHA
tls1_3: SEED-SHA
tls1_3: CAMELLIA128-SHA
tls1_3: PSK-AES128-CBC-SHA256
tls1_3: PSK-AES128-CBC-SHA
tls1_3: PSK-CAMELLIA128-SHA256
tls1_3: ECDHE-ECDSA-NULL-SHA
tls1_3: ECDHE-RSA-NULL-SHA
tls1_3: AECDH-NULL-SHA
tls1_3: NULL-SHA256
tls1_3: ECDHE-PSK-NULL-SHA384
tls1_3: ECDHE-PSK-NULL-SHA256
tls1_3: ECDHE-PSK-NULL-SHA
tls1_3: RSA-PSK-NULL-SHA384
tls1_3: RSA-PSK-NULL-SHA256
tls1_3: DHE-PSK-NULL-SHA384
tls1_3: DHE-PSK-NULL-SHA256
tls1_3: RSA-PSK-NULL-SHA
tls1_3: DHE-PSK-NULL-SHA
tls1_3: NULL-SHA
tls1_3: NULL-MD5
tls1_3: PSK-NULL-SHA384
tls1_3: PSK-NULL-SHA256
tls1_3: PSK-NULL-SHA

A few good references

CipherList TLS 1.2 and 1.3 demystified
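As an added example (not part of the original issue, and not code from the OMI project), the following Python script summarises the output of the openssl-ciphers.sh scan above. It parses the `proto:<TAB>cipher` lines, flags deprecated protocols and weak or legacy properties read off the OpenSSL cipher names, and discards tls1_3 lines of the kind seen in the lists above that are a scanner artifact: `openssl s_client -tls1_3 -cipher X` still offers the default TLS 1.3 suites, so the handshake succeeds for any legacy name X, while the real TLS 1.3 suites are the TLS_* names. The two embedded scan results are constructed (a subset of the hardened omiserver output from the issue, and a hypothetical legacy host); the weakness tags and their patterns are the editor's own classification, not anything OMI or OpenSSL ships.

```python
"""Summarise openssl-ciphers.sh scan output: protocols, weak/legacy suites, scanner artifacts."""
import re
import sys
from collections import defaultdict

# Constructed sample 1: a subset of the hardened omiserver scan shown in the issue.
HARDENED_SCAN = """\
tls1_2:\tECDHE-RSA-AES256-GCM-SHA384
tls1_2:\tECDHE-RSA-AES128-GCM-SHA256
tls1_3:\tTLS_AES_256_GCM_SHA384
tls1_3:\tTLS_CHACHA20_POLY1305_SHA256
tls1_3:\tTLS_AES_128_GCM_SHA256
tls1_3:\tECDHE-ECDSA-AES256-GCM-SHA384
tls1_3:\tADH-AES256-GCM-SHA384
tls1_3:\tNULL-MD5
"""

# Constructed sample 2: a hypothetical legacy host, not a real scan result.
LEGACY_SCAN = """\
tls1:\tAES128-SHA
tls1_1:\tECDHE-RSA-AES256-SHA
tls1_2:\tRC4-SHA
tls1_2:\tAES128-SHA
tls1_2:\tECDHE-RSA-AES256-GCM-SHA384
"""

PROTOCOLS = ("ssl2", "ssl3", "tls1", "tls1_1", "tls1_2", "tls1_3")
DEPRECATED_PROTOCOLS = {"ssl2", "ssl3", "tls1", "tls1_1"}  # RFC 6176, 7568, 8996

# Editor's own tags, keyed on OpenSSL cipher-name conventions; every match is reported.
WEAK_PATTERNS = {
    "no-encryption (eNULL)": re.compile(r"(^|-)NULL-"),
    "anonymous-kx (aNULL)": re.compile(r"^(ADH|AECDH)-"),
    "rc4": re.compile(r"RC4"),
    "3des/des": re.compile(r"DES-CBC|3DES"),
    "seed/idea": re.compile(r"SEED|IDEA"),
    "export-grade": re.compile(r"^EXP-"),
    "md5-mac": re.compile(r"-MD5$"),
}
LINE_RE = re.compile(r"^\s*(%s):\s*(\S+)\s*$" % "|".join(PROTOCOLS))


def parse_scan(text):
    """Return (protocol, cipher) pairs from 'proto:<TAB>cipher' lines; other lines are ignored."""
    return [(m.group(1), m.group(2)) for m in map(LINE_RE.match, text.splitlines()) if m]


def is_tls13_artifact(proto, cipher):
    """True for the bogus tls1_3 lines the scan script emits when run with -cipher.

    Real TLS 1.3 suites carry TLS_* names; any other name under tls1_3 only means the
    client's default TLS 1.3 suites were negotiated, so it says nothing about server policy.
    """
    return proto == "tls1_3" and not cipher.startswith("TLS_")


def classify(cipher):
    """Return the list of weakness/legacy tags for one OpenSSL cipher name ([] if none)."""
    tags = [tag for tag, pat in WEAK_PATTERNS.items() if pat.search(cipher)]
    if not cipher.startswith("TLS_"):  # TLS 1.3 suites are always AEAD with ephemeral kx
        if not re.search(r"GCM|CCM|POLY1305", cipher):
            tags.append("non-aead (cbc+hmac)")
        if not re.match(r"^(ECDHE|DHE|AECDH|ADH)-", cipher):  # static RSA/PSK/SRP kx
            tags.append("no-forward-secrecy")
    return tags


def summarize(text):
    """Report deprecated protocols seen, flagged ciphers, accepted ciphers per protocol."""
    report = {"deprecated_protocols": set(), "findings": {},
              "accepted": defaultdict(set), "artifacts": 0}
    for proto, cipher in parse_scan(text):
        if is_tls13_artifact(proto, cipher):
            report["artifacts"] += 1
            continue
        if proto in DEPRECATED_PROTOCOLS:
            report["deprecated_protocols"].add(proto)
        report["accepted"][proto].add(cipher)
        tags = classify(cipher)
        if tags:
            report["findings"][cipher] = tags
    return report


def render(report):
    """Human-readable report text."""
    lines = []
    for proto in PROTOCOLS:
        if proto in report["accepted"]:
            flag = "  <-- deprecated, disable" if proto in DEPRECATED_PROTOCOLS else ""
            lines.append("%s: %d cipher(s)%s" % (proto, len(report["accepted"][proto]), flag))
    for cipher, tags in sorted(report["findings"].items()):
        lines.append("  flag %-32s %s" % (cipher, ", ".join(tags)))
    if report["artifacts"]:
        lines.append("ignored %d tls1_3 lines that are a -cipher scanner artifact" % report["artifacts"])
    if not report["findings"] and not report["deprecated_protocols"]:
        lines.append("no weak protocols or ciphers found")
    return "\n".join(lines)


if __name__ == "__main__":
    # ./openssl-ciphers.sh host port > scan.txt; python3 scan_report.py scan.txt
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(render(summarize(fh.read())))
    else:
        for name, sample in (("hardened", HARDENED_SCAN), ("legacy", LEGACY_SCAN)):
            print("== %s ==\n%s\n" % (name, render(summarize(sample))))
```

The hardened sample produces no findings and only the three TLS_* suites under tls1_3; the legacy sample flags tls1 and tls1_1 as deprecated and reports RC4-SHA, AES128-SHA and the CBC suites, which is the kind of host the `sslciphersuite=EECDH+AESGCM:EDH+AESGCM` setting in the issue is meant to fix.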

JumpingYang001 commented 4 years ago

thanks for sharing it!

mabicca commented 3 years ago

Hi @JumpingYang001, I was just curious to see if anything will be updated regarding this request?

Thank you! -Marco

JumpingYang001 commented 3 years ago

Hi @mabicca, thanks for the cipher list you provided! But we don't test the list on all supported Linux and Unix platforms and OMI-based products, so it is hard to drive that list into the guide. If you are a SCOM/Azure customer, you can create a ticket/ICM, and then the guide might be triggered or updated.

JumpingYang001 commented 1 year ago

@LeoYuAtMicrosoft did you restart omi for the modification to take effect? /opt/omi/bin/service_control restart