May 08, 2005

Getting Apache to encrypt

I've been trying to figure out why Apache is presenting the wrong cert to browsers (which people then click through...) which has led me to looking at Apache's cipher suite setup as I know we need to turn off SSLv2 everywhere. It is an exercise in self-flagellation to understand SSL's approach to consumer choice and Apache does not let the side down here.

SSLCipherSuite ALL:!ADH:!EXPORT56:-SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL

As I read the string above that I inherited from gawd-knows-where, they allow for no encryption as the last acceptable suite. Huh? Yep, the cipher negotiation +eNULL allows you to authenticate yourself and then negotiate a null cipher! In other words, it is ok to broadcast your password to the world as long as we have ensured it eventually ends up at the right place. Comforting to know. On the other hand !ADH says you cannot set up an opportunistic encryption without certificates at all, so it's definitely evil to use encryption unless you know who you are talking to.

So, here's how to turn off SSLv2 (something that should be done by default so we can increase the use of SSL) and set up useful encryption:

SSLProtocol all -SSLv2
SSLCipherSuite ALL:!SSLv2:!EXPORT:!NULL:!LOW:+ADH

Makes sense, ok? If you dare to suggest that you don't understand, go and stand in the corner until you've learnt the correct attitude.

Jokes about inadequacy aside, I've turned off all the small key ciphers and permitted a fall back to anonymous Diffie-Hellman. Not because anyone is going to use it (as it has to be negotiated by the other side, just like the null ciphers I turned off) but because it might be nice to experiment with.

Of course, what this exercise means in the large is obvious: all sorts of rubbish is being set in the cipher suites as people copy and paste other people's mistakes around. Sysadmins don't have time to deal in this nonsense, all they want is to get some basic protection for their users as they already have enough to do just getting SSL to boot let alone tuning this cipher or that one.

What the software should do is bootstrap the crypto to the best of opportunistic ability. This time and every time. I am more firmly convinced than ever that a good crypto protocol has one and only one cipher suite, it is good and complete, and it is numbered #1. In two years, we might or might not come out with #2. In the meantime, that's what you get for free - and it's a darn sight more secure than giving you a choice of hundreds of mistakes to make and charging you for the privilege.

Meanwhile, I still don't know why Apache is presenting the wrong cert ... so more on that later.

Posted by iang at May 8, 2005 11:15 AM
Comments

> ... In other words, it is ok to broadcast your
> password to the world as long as we have ensured it eventually ends up
> at the right place. Comforting to know.


What a mess.

> On the other hand !ADH says
> you cannot set up an opportunistic encryption without certificates at
> all, so it's definitely evil to use encryption unless you know who you
> are talking to.


What a mess.

Posted by: Patrick at May 8, 2005 01:08 PM

I've since discovered that Apache is delivered with ADH compiled out, so better to stick in !ADH. Also, there is this handy dandy command to tell us what ciphers are provided by the magic incantation:

openssl ciphers -v 'ALL:!SSLv2:!EXPORT:!NULL:!LOW:!ADH:!MD5'

Posted by: Iang at May 10, 2005 08:39 PM

Interesting post.

The main information page is of course: http://www.modssl.org/docs/2.8/ssl_reference.html#ToC9

And the (default?) 0.9.7f OpenSSL has these combinations available:

DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
DHE-DSS-RC4-SHA SSLv3 Kx=DH Au=DSS Enc=RC4(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-64-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(64) Mac=MD5
EXP1024-DHE-DSS-DES-CBC-SHA SSLv3 Kx=DH(1024) Au=DSS Enc=DES(56) Mac=SHA1 export
EXP1024-DES-CBC-SHA SSLv3 Kx=RSA(1024) Au=RSA Enc=DES(56) Mac=SHA1 export
EXP1024-RC2-CBC-MD5 SSLv3 Kx=RSA(1024) Au=RSA Enc=RC2(56) Mac=MD5 export
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
EXP1024-DHE-DSS-RC4-SHA SSLv3 Kx=DH(1024) Au=DSS Enc=RC4(56) Mac=SHA1 export
EXP1024-RC4-SHA SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export
EXP1024-RC4-MD5 SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=MD5 export
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

Cheers.

Alejo

Posted by: Alejo at July 28, 2005 10:18 AM
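
An added example, not part of the original post or its comments: a small Python parser for the `openssl ciphers -v` listing format shown above, flagging the suites the post and comments set out to exclude (SSLv2, export, NULL encryption, small keys, anonymous DH, MD5). The function names, the labels and the 128-bit threshold are assumptions made for this illustration.

```python
import re
# Sample in `openssl ciphers -v` format. First four lines are copied from the
# listing above; the last two are constructed (NULL and anonymous-DH suites).
SAMPLE = """\
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
"""

FIELD = re.compile(r"\b(Kx|Au|Enc|Mac)=(\S+)")
BITS = re.compile(r"\((\d+)\)")

def parse_line(line):
    """Return one suite as a dict, or None for lines that are not suites."""
    parts = line.split()
    suite = dict(FIELD.findall(line))
    if len(parts) < 6 or not {"Au", "Enc", "Mac"} <= suite.keys():
        return None
    suite.update(name=parts[0], proto=parts[1], export=parts[-1] == "export")
    return suite

def findings(suite, min_bits=128):
    """Reasons not to offer a suite; min_bits is an assumed threshold."""
    out = []
    if suite["proto"] == "SSLv2":
        out.append("SSLv2")
    if suite["export"]:
        out.append("export")
    bits = BITS.search(suite["Enc"])
    if suite["Enc"] == "None":
        out.append("no-encryption")
    elif bits and int(bits.group(1)) < min_bits:
        out.append("short-key")
    if suite["Au"] == "None":
        out.append("anonymous")
    if suite["Mac"] == "MD5":
        out.append("MD5-mac")
    return out

def audit(text):
    """Map 'NAME/PROTO' to its findings for every suite that has any."""
    report = {}
    for suite in filter(None, map(parse_line, text.splitlines())):
        reasons = findings(suite)
        if reasons:
            report[f"{suite['name']}/{suite['proto']}"] = reasons
    return report
```

Pass `audit()` the output of `openssl ciphers -v` for the SSLCipherSuite string under review; an empty result means none of the listed suites tripped these checks on that OpenSSL build.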