
suggestion for webserver administrators.


Posted Jul 25, 2013 12:48 UTC (Thu) by Richard_J_Neill (subscriber, #23093)
Parent article: Feds put heat on Web firms for master encryption keys (CNET)

If you administrate a Webserver, this may be helpful:

1. Make sure you are running Apache 2.4.
Apache 2.2 does NOT have support for any form of forward-secrecy at the moment (it used to, but then we had the BEAST attack, and to mitigate that, everyone switched to RC4 ciphers). Only the elliptic-curve ciphers (ECDHE) are immune to BEAST AND have forward secrecy, and these are only supported in Apache 2.3 and above.

2. If you're running Ubuntu, that means you have to upgrade your production server to the latest alpha, Saucy/13.10.

3. Enable the ECDHE keys. In ssl.conf, set:

SSLHonorCipherOrder on

SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

(This set is still not perfect, but it seems to be the best compromise we can have; it is proof against BEAST, supports RC4 for old browsers, and has perfect forward secrecy for all modern clients other than IE 10.)

4. Test it: https://www.ssllabs.com/ssltest/analyze.html

I hope that's helpful.



suggestion for webserver administrators.

Posted Jul 25, 2013 15:17 UTC (Thu) by ssmith32 (subscriber, #72404) [Link]

That is helpful :)
Thank you!

-stu

suggestion for webserver administrators.

Posted Jul 25, 2013 16:31 UTC (Thu) by jeff_marshall (subscriber, #49255) [Link] (2 responses)

Regarding your point 1, why are you comparing RC4 to ECDHE? They serve two entirely different purposes: RC4 is a stream cipher used for protecting data once a secret key has been established, and ECDHE is a key agreement algorithm used during key establishment.

Does TLS not support a regular DHE (non-EC) paired with a safe block cipher + mode?

suggestion for webserver administrators.

Posted Jul 25, 2013 16:43 UTC (Thu) by Richard_J_Neill (subscriber, #23093) [Link] (1 responses)

I may have caused some confusion here. My understanding is that:

On Apache 2.2, we had a choice between two evils, either ciphers which have forward secrecy (but which are vulnerable to BEAST), or which are immune to BEAST but sacrifice forward-secrecy. The latter is the Apache-2.2 configuration (at least on Ubuntu).

This one is secure, but requires Apache 2.4
ECDHE-RSA-AES128-SHA256

To answer your question, I think the answer is "no" - at least, experimentally, and using the ssllabs test-suite.

suggestion for webserver administrators.

Posted Jul 25, 2013 18:38 UTC (Thu) by jeff_marshall (subscriber, #49255) [Link]

Thanks for the clarification. I think my confusion stemmed from your use of "cipher" vs. "cipher suite" (i.e., ECDHE is a cipher, ECDHE-RSA-AES128-SHA256 is a cipher suite).

Ultimately, the problem appears to stem from the choices of which ciphers are grouped into suites in the SSL/TLS standards - many of the suites either pick a key agreement scheme without forward secrecy or a block cipher + mode vulnerable to BEAST.
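
Added example, not part of any comment in this thread: a small Python classifier that splits OpenSSL-style suite names into the key-agreement part and the bulk-cipher part discussed above, and reports which suites have forward secrecy without being a CBC suite negotiable on TLS 1.0. The function names and the suite list are constructed for illustration, and it assumes only the RSA-authenticated suite families named in the thread.

```python
# Added example: classify OpenSSL-style cipher suite names by the two
# properties argued about in this thread. Not code from the original posts.

FS_KEX = ("ECDHE-", "DHE-", "EDH-")  # ephemeral Diffie-Hellman key agreement

def classify(suite):
    """Return (key_exchange, forward_secrecy, cipher_kind, beast_exposed)."""
    kex = next((p.rstrip("-") for p in FS_KEX if suite.startswith(p)), None)
    forward_secrecy = kex is not None
    if kex is None:
        # Assumption: a name with no key-exchange prefix is plain RSA key
        # transport (true for the suite families named in this thread).
        kex = "RSA"
    if "RC4" in suite:
        kind = "stream"
    elif "GCM" in suite:
        kind = "aead"
    else:
        kind = "cbc"
    # BEAST targets CBC suites in TLS 1.0 and earlier. Names ending in
    # -SHA256 / -SHA384 are TLS 1.2-only, so they cannot be negotiated there.
    tls12_only = suite.endswith(("-SHA256", "-SHA384"))
    beast_exposed = kind == "cbc" and not tls12_only
    return kex, forward_secrecy, kind, beast_exposed

def has_both(suites):
    """Suites with forward secrecy that are also not exposed to BEAST."""
    return [s for s in suites
            if classify(s)[1] and not classify(s)[3]]

# Constructed sample list (explicit suite names, not OpenSSL aliases
# such as HIGH or !EDH, which only OpenSSL itself can expand).
SAMPLE = [
    "ECDHE-RSA-AES128-SHA256",
    "AES128-GCM-SHA256",
    "RC4-SHA",
    "DHE-RSA-AES128-SHA",
    "AES128-SHA",
]

if __name__ == "__main__":
    for name in SAMPLE:
        kex, fs, kind, beast = classify(name)
        print(f"{name:28} kex={kex:6} fs={fs!s:5} cipher={kind:6} beast={beast}")
    print("forward secrecy and not BEAST-exposed:", has_both(SAMPLE))
```
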

suggestion for webserver administrators.

Posted Jul 25, 2013 18:06 UTC (Thu) by jimparis (guest, #38647) [Link]

Word of warning: in Debian, Apache 2.4 is still pretty new, some modules like libapache2-svn haven't been ported, and the configuration layout has changed in some key ways. I messed up my server pretty badly by diving in. Fortunately, /var/log/apt/history.log told me how to get my old packages back, and etckeeper let me easily revert /etc. I'll try again in a few months when 2.4 support is a little better, and be more careful next time!


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds