From: Jacob Champion Date: Mon, 22 Aug 2016 21:27:18 +0000 (+0000) Subject: docs: update the "SSL Strong Encryption" how-to X-Git-Tag: 2.5.0-alpha~1217 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1558a128885e5942ad5bed4ef4c0470d6aab7a1b;p=thirdparty%2Fapache%2Fhttpd.git docs: update the "SSL Strong Encryption" how-to The how-to was a little behind the times. Update to modern ciphersuite selections, and teach the reader more about *why* certain selections and settings are chosen. Try to future-proof a little bit by including the "last-reviewed" date and pointing to Mozilla's recommendation tool. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757280 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/ssl/ssl_howto.xml b/docs/manual/ssl/ssl_howto.xml index 86155543ba6..1f73a262e8f 100644 --- a/docs/manual/ssl/ssl_howto.xml +++ b/docs/manual/ssl/ssl_howto.xml @@ -52,35 +52,92 @@ Listen 443
-Cipher Suites and Enforcing Strong Security +Cipher Suites and Enforcing Strong Encryption + + +

"Strong encryption" is, and has always been, a moving target. Furthermore, +the definition of "strong" depends on your desired use cases, your threat +models, and your acceptable levels of risk. The Apache HTTP Server team cannot +determine these things for you.

+

For the purposes of this document, which was last updated in mid-2016, +"strong encryption" refers to a TLS implementation which provides all of the +following, in addition to the basic confidentiality, integrity, and authenticity +protection that most users already expect:

+
    +
  • Perfect Forward Secrecy, which ensures that a compromise to a server's +private key in the present does not compromise the confidentiality of past TLS +communication.
  • +
  • Protection from known attacks on older SSL and TLS implementations, such +as POODLE and +BEAST.
  • +
  • Support for the strongest ciphers available to modern (and up-to-date) web +browsers and other HTTP clients.
  • +
  • Rejection of clients that cannot meet these requirements. +In other words, "strong encryption" requires that out-of-date clients be +completely unable to connect to the server, to prevent them from endangering +their users. Whether or not this is appropriate for your situation is a decision +that only you can make.
  • +
+

Please note that strong encryption does not, by itself, ensure +strong security. (As an example, HTTP compression oracle attacks such +as BREACH +may require further steps to mitigate.)

+
+
How can I create an SSL server which accepts strong encryption only? -

The following enables only the strongest ciphers:

- - SSLCipherSuite HIGH:!aNULL:!MD5 - - -

While with the following configuration you specify a preference - for specific speed-optimized ciphers (which will be selected by - mod_ssl, provided that they are supported by the client):

+

The following configuration enables "strong encryption", as defined + above, and is derived from the Mozilla Foundation's + Server Side + TLS requirements:

-SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5 +# "Modern" configuration, defined by the Mozilla Foundation's SSL Configuration +# Generator as of August 2016. This tool is available at +# https://mozilla.github.io/server-side-tls/ssl-config-generator/ +SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 +# Many ciphers defined here require a modern version (1.0.1+) of OpenSSL. Some +# require OpenSSL 1.1.0, which as of this writing was in pre-release. +SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 SSLHonorCipherOrder on +SSLCompression off +SSLSessionTickets off + +
    +
  • SSL 3.0 and TLS 1.0 are susceptible to known attacks on the protocol; + they are disabled entirely.
  • +
  • Disabling TLS 1.1 is (as of August 2016) mostly optional; TLS 1.2 + provides stronger encryption options, but 1.1 is not yet known to be broken. + Disabling 1.1 may mitigate attacks against some broken TLS + implementations.
  • +
  • Enabling SSLHonorCipherOrder + ensures that the server's cipher preferences are followed instead of the + client's.
  • +
  • Disabling SSLCompression + prevents TLS compression oracle attacks (e.g. + CRIME).
  • +
  • Disabling SSLSessionTickets + ensures Perfect Forward Secrecy is not compromised if the server is not + restarted regularly.
  • +
+ +

The exact ciphersuites supported in the + SSLCipherSuite line are determined + by your OpenSSL installation, not the server. You may need to upgrade to a + modern version of OpenSSL in order to use them.

-How can I create an SSL server which accepts all types of ciphers -in general, but requires a strong ciphers for access to a particular -URL? +How can I create an SSL server which accepts many types of ciphers +in general, but requires a strong cipher for access to a particular URL?

Obviously, a server-wide SSLCipherSuite which restricts ciphers to the strong variants, isn't the answer here. However, @@ -89,13 +146,13 @@ URL? a renegotiation of the SSL parameters to meet the new configuration. This can be done as follows:

-# be liberal in general -SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL +# be liberal in general -- use Mozilla's "Intermediate" ciphersuites (weaker +# ciphersuites may also be used, but will not be documented here) +SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS <Location "/strong/area"> -# but https://hostname/strong/area/ and below -# requires strong ciphers -SSLCipherSuite HIGH:!aNULL:!MD5 +# but https://hostname/strong/area/ and below requires strong ciphersuites +SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 </Location>
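Review bot: In the first hunk (@@ -52,35 +52,92 @@), the new bullet "Disabling SSLSessionTickets ensures Perfect Forward Secrecy is not compromised if the server is not restarted regularly" gives the conclusion without the reason, which falls short of the commit message's aim of teaching why each setting is chosen. Suggest one added sentence saying that ticket contents are protected by a server-side key that lives as long as the server process, so a later compromise of that key exposes sessions that used tickets, and naming the cost of turning tickets off (no ticket-based session resumption). In the same hunk, the comment "Some require OpenSSL 1.1.0" does not say which suites it means. Naming them, or stating what happens when the installed OpenSSL does not recognise a listed suite, would let a reader on 1.0.1 predict what the server will actually offer.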
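Review bot: In the second hunk (@@ -89,13 +146,13 @@), the "Intermediate" list added under "be liberal in general" has no review date or source URL, while the "Modern" block in the first hunk is stamped "as of August 2016" and links the generator. This is the list that will age fastest, since it still carries DES-CBC3-SHA and suites with no ECDHE or DHE key exchange such as AES128-SHA, which do not meet the Perfect Forward Secrecy goal the first hunk sets out. Suggest repeating the date and URL in this comment. The SSLCipherSuite line inside <Location "/strong/area"> is a character-for-character copy of the Modern list from the first hunk, so a comment saying so would help keep the two in sync the next time either is updated.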