pki-bot / pki-issues-final


Server should support more TLS ciphers #1987

Open pki-bot opened 3 years ago

pki-bot commented 3 years ago

This issue was migrated from Pagure Issue #2438. Originally filed by cheimes (@tiran) on 2016-08-15 15:26:23:


Current pki-server-10.3.3-1.fc24 supports only AES128-SHA and AES256-SHA as TLS ciphers on port 8443. Neither AES in CBC mode nor SHA1 is state of the art. The cipher suite also lacks PFS (ephemeral DH/ECDH for key agreement).

I would also like to point out that the current configuration of tomcatjss is rather confusing and hard to read. The connector config contains obsolete and unnecessary options. The options sslOptions, ssl2Ciphers and tlsCiphers are deprecated and ignored in the presence of sslVersionRangeStream.

https://svn.fedorahosted.org/svn/tomcatjss/trunk/tomcatjss/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java

    /*
     * note: the SSL_OptionSet-based API for controlling the enabled protocol
     * versions are obsolete and replaced by the setSSLVersionRange calls. If
     * the "range" parameters are present in the attributes then the sslOptions
     * parameter is ignored.
     */
    public void setSSLOptions() throws SocketException, IOException {

The new option sslRangeCiphers lists several ciphers with a - prefix. With strictCiphers="true" it is not required to exclude any ciphers. With strict ciphers all ciphers are disabled by default, so only explicitly enabled ciphers are available.

sslscan output

$ sslscan  master.ipa.example:8443
Version: 1.11.7
OpenSSL 1.0.2h-fips  3 May 2016

OpenSSL version does not support SSLv2
SSLv2 ciphers will not be detected

Testing SSL server master.ipa.example on port 8443

  TLS Fallback SCSV:
Server does not support TLS Fallback SCSV

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  128 bits  AES128-SHA                   
Accepted  TLSv1.2  256 bits  AES256-SHA                   
Preferred TLSv1.1  128 bits  AES128-SHA                   
Accepted  TLSv1.1  256 bits  AES256-SHA                   
Preferred TLSv1.0  128 bits  AES128-SHA                   
Accepted  TLSv1.0  256 bits  AES256-SHA                   

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    2048

Subject:  master.ipa.example
Issuer:   Certificate Authority

Not valid before: Aug 15 12:37:17 2016 GMT
Not valid after:  Aug  5 12:37:17 2018 GMT

(Note: sslscan from https://koji.fedoraproject.org/koji/taskinfo?taskID=15234102 / https://github.com/tiran/sslscan/releases/tag/1.11.8-tiran )

/etc/pki/pki-tomcat/server.xml

    <Connector name="Secure"
           ...
           strictCiphers="true"
           clientAuth="want"
           sslOptions="ssl2=false,ssl3=false,tls=true"
           ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
           ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
           tlsCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
           sslVersionRangeStream="tls1_0:tls1_2"
           sslVersionRangeDatagram="tls1_1:tls1_2"
           sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA"
           ...
           />

suggestion

A good list of ciphers should include:

pki-bot commented 3 years ago

Comment from cheimes (@tiran) at 2016-08-15 15:37:34

Please note that my config has different values than the QA test in https://bugzilla.redhat.com/show_bug.cgi?id=871171#c41, e.g. -TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 in my config but +TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 in comment 41.

pki-bot commented 3 years ago

Comment from cheimes (@tiran) at 2016-08-15 17:00:09

The cipher spec was last changed in tickets 1566 and 1438 by cfu. If I understand the tickets correctly, the PFS ciphers were disabled because they were causing trouble with HSMs.

pki-bot commented 3 years ago

Comment from edewata (@edewata) at 2016-08-15 17:26:49

FYI, there's a proposal to improve the Tomcat JSS configuration in ticket 1352 to make it easier to maintain and to remove misleading warnings.

pki-bot commented 3 years ago

Comment from cfu (@cfu) at 2016-08-15 20:48:34

A few comments:

I have the info in ciphers.info indicating that they could be turned back on if there is no concern with HSM:

    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

The following ciphers are supported in rhel7.2 or greater, and they are off by default, and can be turned on by sites running rhel7.2 or greater:

    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

So, yes, since we are now on for 7.3, we can safely turn them on.
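The +/- resolution and strictCiphers semantics explained in the opening report, and the ECDHE_RSA / DHE_RSA suites cfu says can be turned on, as an added example (Python, not code from the pki project, tomcatjss or any commenter): it parses a Connector element, resolves sslRangeCiphers the way the report describes (strict: everything starts disabled, only "+" entries survive), flags the attributes that become dead config once sslVersionRangeStream is set, and reports which enabled suites have forward secrecy or AEAD and which are CBC/SHA1/3DES. The Connector sample is constructed from the server.xml in the report, trimmed to the attributes used here; HARDENED_RANGE_CIPHERS is an assumed replacement list built from cfu's suites, not a value taken from the project.

```python
"""Audit a tomcatjss <Connector> cipher configuration (added example)."""
import xml.etree.ElementTree as ET

# Attributes JSSSocketFactory ignores once the "range" parameters are present.
LEGACY_ATTRS = ("sslOptions", "ssl2Ciphers", "ssl3Ciphers", "tlsCiphers")

# Constructed sample: the connector from the issue, trimmed to the attributes
# used here (ssl2Ciphers shortened, ssl3Ciphers/tlsCiphers omitted).
CURRENT_CONNECTOR = """<Connector name="Secure" strictCiphers="true" clientAuth="want"
    sslOptions="ssl2=false,ssl3=false,tls=true"
    ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
    sslVersionRangeStream="tls1_0:tls1_2" sslVersionRangeDatagram="tls1_1:tls1_2"
    sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA" />"""

# Assumption: a replacement list built from the ECDHE_RSA suite cfu says can be
# turned back on and the DHE_RSA suite available on RHEL 7.2+, keeping only
# AEAD suites with forward secrecy. Not a value taken from the project.
HARDENED_RANGE_CIPHERS = ("+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
                          "+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256")


def parse_cipher_spec(spec):
    """Split '+A,-B' into (enabled, name) pairs, preserving list order."""
    pairs = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        if item[0] in "+-":
            pairs.append((item[0] == "+", item[1:]))
        else:  # assumption: a bare name is treated as enabled
            pairs.append((True, item))
    return pairs


def resolve_enabled(spec, strict, defaults=()):
    """Apply the +/- list. strict=True: start from nothing, so every '-' entry
    is redundant. strict=False: start from `defaults`, the NSS default-on set,
    which this example does not model and the caller must supply."""
    enabled = set() if strict else set(defaults)
    for on, name in parse_cipher_spec(spec):
        if on:
            enabled.add(name)
        else:
            enabled.discard(name)
    return enabled


def classify(suite):
    """Properties the issue cares about, derived from the suite name."""
    kx_tokens = suite.split("_WITH_")[0].split("_")
    return {
        "pfs": "ECDHE" in kx_tokens or "DHE" in kx_tokens,
        "aead": "_GCM_" in suite or "CHACHA20" in suite,
        "cbc": "_CBC_" in suite,
        "sha1_mac": suite.endswith("_SHA"),  # HMAC-SHA1 record MAC
        "legacy": any(t in suite for t in ("3DES", "RC4", "NULL", "EXPORT")),
    }


def audit_suites(enabled):
    """Summarise an enabled set: forward secrecy, AEAD, and weak suites."""
    props = {s: classify(s) for s in enabled}
    return {
        "enabled": sorted(enabled),
        "pfs": sorted(s for s, p in props.items() if p["pfs"]),
        "aead": sorted(s for s, p in props.items() if p["aead"]),
        "weak": sorted(s for s, p in props.items()
                       if p["cbc"] or p["sha1_mac"] or p["legacy"]),
    }


def audit_connector(xml_text):
    """Audit one <Connector>: resolved suites plus attributes that are ignored."""
    conn = ET.fromstring(xml_text)
    if conn.tag != "Connector":
        conn = conn.find(".//Connector")
    strict = conn.get("strictCiphers", "false").lower() == "true"
    report = audit_suites(resolve_enabled(conn.get("sslRangeCiphers", ""), strict))
    report["strict"] = strict
    report["version_range"] = conn.get("sslVersionRangeStream")
    # With a version range set, the SSL_OptionSet-era attributes are dead config.
    report["ignored_attrs"] = [a for a in LEGACY_ATTRS
                               if report["version_range"] and conn.get(a) is not None]
    return report


if __name__ == "__main__":
    print("current :", audit_connector(CURRENT_CONNECTOR))
    print("hardened:", audit_suites(resolve_enabled(HARDENED_RANGE_CIPHERS, True)))
```

For the connector in the report the resolved set is just the three TLS_RSA suites (the sslscan output above shows only the two AES ones being offered), with no PFS and no AEAD suite, and sslOptions/ssl2Ciphers listed as ignored; the assumed hardened list resolves to two suites that are both PFS and AEAD, with nothing else negotiable because strictCiphers keeps every unlisted suite off. Non-strict mode is only meaningful if you pass in the NSS default-on set, which is why the function takes it as a parameter instead of guessing.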

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2016-08-18 23:40:17

Per the PKI Bug Council of 08/18/2016:

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2016-08-31 21:15:39

Per PKI Bug Council of 08/31/2016: 10.4 - major

pki-bot commented 3 years ago

Comment from cheimes (@tiran) at 2017-02-27 14:04:54

Metadata Update from @tiran: