My company's client is going to run a penetration test on our product, and I was assigned to configure the Apache server, mainly to harden the SSL cipher settings.
Below are some notes on SSL configurations for Apache httpd.

Basics

Learn SSL Basics at http://www.wisegeek.com/what-is-an-ssl-cipher.htm

Basically we need to configure which SSL Protocols and Ciphers are allowed.

For SSLProtocol, SSLv2 and SSLv3 have been proven vulnerable, so go with TLSv1, TLSv1.1 and TLSv1.2 whenever possible.

The main challenge is setting up the SSL ciphers: there are a large number of them and some have been proven vulnerable, so you need to disable those, but not all ciphers.
There are no best settings, as it depends on which environments/browsers you want to support; some older environments may only have vulnerable ciphers available.

Test Tools, Websites

COMODO SSL Analyzer

This tool lists the available SSL protocols and ciphers, and also gives a hint on any vulnerable protocol or weak cipher. Disable all the ciphers or protocols that are marked as weak/vulnerable.

QUALYS SSL LABS - SSL Server Test

This one gives a more detailed result compared to the COMODO SSL Analyzer. It also gives a scaled score (from A to F, I guess).
If your score is below A, it gives suggestions on how to improve.
This tool also does connection tests with major browsers, so you can check whether all supported platforms can establish a connection to your website.
If you can get an A without losing any targeted browser support, then you should be good.

QUALYS FREESCAN

(Registration required)
This one generates a much more detailed test report.
BUT be aware that you have a limited number of scans for each account.
I registered an account and found out that it only supports 10 reports by default; I did get an email explaining how to get more scans.

OpenSSL s_client

openssl s_client -cipher [cipher-names] -connect [host:port] (protocol flags)

Available Protocol flags:

-ssl2 - just use SSLv2
-ssl3 - just use SSLv3
-tls1_2 - just use TLSv1.2
-tls1_1 - just use TLSv1.1
-tls1 - just use TLSv1
-dtls1 - just use DTLSv1

For cipher names, see https://www.openssl.org/docs/apps/ciphers.html for reference (use the short names).
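The s_client calls above can be scripted so that every protocol flag and cipher group is checked in one run against your own server. This is an added example, not part of the original post; the host name and the cipher groups probed are assumptions, and the classification relies on the "Cipher is" line that s_client prints.

```shell
#!/bin/sh
# Added example (not from the original post): probe your own Apache host with
# openssl s_client, one protocol flag and one cipher group at a time, and
# report which combinations the server accepts. The weak groups (aNULL, RC4,
# MD5, LOW) should all come back "rejected" once the hardened config is live.

# Classify a captured s_client transcript. A successful handshake prints
# "New, <proto>, Cipher is <NAME>"; a refused one prints "Cipher is (NONE)".
# Anything else (connection refused, a flag this OpenSSL build lacks) also
# counts as rejected, so read the raw output if a result looks surprising.
classify_s_client_output() {
  if printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'; then
    echo rejected
  elif printf '%s\n' "$1" | grep -q 'Cipher is '; then
    echo accepted
  else
    echo rejected
  fi
}

# probe HOST:PORT PROTOCOL_FLAG CIPHER_LIST -> accepted|rejected
probe() {
  host=${1%%:*}
  out=$(openssl s_client -connect "$1" -servername "$host" \
        "$2" -cipher "$3" </dev/null 2>&1)
  classify_s_client_output "$out"
}

# Walk the protocol flags and cipher groups discussed above. -ssl2 is left
# out because current OpenSSL builds no longer ship it.
check_host() {
  for proto in -ssl3 -tls1 -tls1_1 -tls1_2; do
    for ciphers in aNULL RC4 MD5 LOW HIGH; do
      printf '%-8s %-6s %s\n' "$proto" "$ciphers" "$(probe "$1" "$proto" "$ciphers")"
    done
  done
}

# Usage: sh probe.sh www.example.com:443  (hypothetical host; use your own)
if [ $# -gt 0 ]; then
  check_host "$1"
fi
```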

Bluestack

We used this tool to check whether all supported browsers can establish a connection to our website.

Config example

The settings should be placed under the corresponding VirtualHost tag in httpd.conf or ssl.conf, or in some other custom .conf file.

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite All:!aNULL:!eNULL:!LOW:!RC4:!MD5

SSLProtocol should be self-explanatory.
For SSLCipherSuite, check the syntax at http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite,
and the available suites at https://www.openssl.org/docs/apps/ciphers.html.

We can also take a whitelist approach like:

SSLCipherSuite HIGH:MEDIUM:!LOW

Here is a guideline you can follow:
SSL/TLS Strong Encryption: How-To

Common issues

Config does not get reflected even after an httpd restart

This means that another VirtualHost tag or another config file is overriding your configuration; you need to find it.

Forward secrecy not enabled

Add this line to the Apache config:

SSLHonorCipherOrder on

Anonymous cipher suites are not disabled

Add !aNULL to the SSLCipherSuite line.

Other References

The Basics of How to Work with Cipher Settings - Dr John’s Tech Talk
SSL and Penetration Test

2015-07-19