Looks good to me, thanks! I committed r1679470 in trunk and proposed a backport to 2.4.x (will propose a v2 for my 2.2.x patch which is also concerned), since SSL_DEFAULT_CIPHER_LIST (default when no SSL[Proxy]CipherSuite is configured) does not include "!aNULL:!eNULL" for older OpenSSL versions (though still supported).
On Thu, May 14, 2015 at 10:20 PM, William A Rowe Jr <[email protected]> wrote: > Proposed for backport on both 2.2 and 2.4 branches. > > > On Thu, May 14, 2015 at 1:44 PM, <[email protected]> wrote: >> >> Author: wrowe >> Date: Thu May 14 18:44:52 2015 >> New Revision: 1679428 >> >> URL: http://svn.apache.org/r1679428 >> Log: >> Conform to RFC 7525, with additional suggestion to drop RSA Kx ciphers >> >> Modified: >> httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in >> >> Modified: httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in >> URL: >> http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in?rev=1679428&r1=1679427&r2=1679428&view=diff >> >> ============================================================================== >> --- httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in (original) >> +++ httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in Thu May 14 >> 18:44:52 2015 
>> @@ -43,22 +43,39 @@ Listen @@SSLPort@@ >> ## >> >> # SSL Cipher Suite: >> -# List the ciphers that the client is permitted to negotiate. >> -# See the mod_ssl documentation for a complete list. >> -SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 >> +# List the ciphers that the client is permitted to negotiate, >> +# and that httpd will negotiate as the client of a proxied server. >> +# See the OpenSSL documentation for a complete list of ciphers, and >> +# ensure these follow appropriate best practices for this deployment. >> +SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4 >> +SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4 > > > Here we simply drop RC4 as mentioned in RFC7525 (a MUST NOT), and extend the > default list out to the proxy client behavior. > > The defaults for httpd-2.2 rely on ylavic's proposed 'mod_ssl: Improve > handling of ephemeral DH and ECDH keys'... backport which addresses eNULL, > aNULL and EXP in an unambiguous way. > >> -# Speed-optimized SSL Cipher configuration: >> -# If speed is your main concern (on busy HTTPS servers e.g.), >> -# you might want to force clients to specific, performance >> -# optimized ciphers. In this case, prepend those ciphers >> -# to the SSLCipherSuite list, and enable SSLHonorCipherOrder. >> -# Caveat: by giving precedence to RC4-SHA and AES128-SHA >> -# (as in the example below), most connections will no longer >> -# have perfect forward secrecy - if the server's key is >> -# compromised, captures of past or future traffic must be >> -# considered compromised, too. >> -#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 >> -#SSLHonorCipherOrder on > > > This is, as we discussed, simply eliminating the speed-optimized > suggestions, let the user look elsewhere for [frequently updated] guidance. > >> >> +# By the end of 2016, only TLSv1.2 ciphers should remain in use. >> +# Older ciphers should be disallowed as soon as possible, while the >> +# kRSA ciphers do not offer forward secrecy. 
These changes inhibit >> +# older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy >> +# non-browser tooling) from successfully connecting. >> +# >> +# To restrict mod_ssl to use only TLSv1.2 ciphers, and disable >> +# those protocols which do not support forward secrecy, replace >> +# the SSLCipherSuite and SSLProxyCipherSuite directives above with >> +# the following two directives, as soon as practical. >> +# SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA >> +# SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA > > > I used the !SSLv3 logic rather than explicitly calling out TLSv1.2 so we > enjoy a better transition to TLSv1.3+. > > Since the proposal to suggest !kRSA is new, it deserves a brief word of > explanation. RSA cipher negotiation remains valid. But signed RSA > certificates must be exchanged using the ECDHE or ECDH in order to provide > forward secrecy. This was proposed by Mark Thomas after evaluating how the > Qualys SSL test behaved, resulting in upgrading from an A- to an A (where he > enabled only HIGH grade ciphers and omitted MEDIUM). It is interesting that > this wasn't part of their Dec '14 v1.4 guidance whitepaper, but I'm sure it > will be clarified in future revisions. Only IE8 on XP is called out as > requiring Kx=RSA with TLSv1.2 by default. > > in httpd-2.2, we may also wish to explicitly disable SSLv2 - notably for > 3DES ciphers, but at the moment this is accomplished with !EXP:!kRSA (and by > not including LOW grade ciphers). Just thinking that if the user enables > kRSA they also may inadvertently re-allow 3DES which has only 112 effective > bits of key strength, not the 168 claimed. > >> +# User agents such as web browsers are not configured for the user's >> +# own preference of either security or performance, therefore this >> +# must be the prerogative of the web server administrator who manages >> +# cpu load versus confidentiality, so enforce the server's cipher >> order. 
>> +SSLHonorCipherOrder on > > > This also relies on guidance from RFC7525 > >> >> +# SSL Protocol support: >> +# List the protocol versions which clients are allowed to connect with. >> +# Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be >> +# disabled as quickly as practical. By the end of 2016, only the >> TLSv1.2 >> +# protocol or later should remain in use. >> +SSLProtocol all -SSLv3 >> +SSLProxyProtocol all -SSLv3 > > > The httpd 2.2 proposal already committed drops SSLv2 as well. > > I am all on board to now start ripping SSLv3 protocol and default to only > TLSv1.2 ciphers, on trunk, once this config backport has been reviewed and > committed. > >
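Review bot: the replacement line "SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4" at the top of the hunk drops the "!aNULL" that the removed line "SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5" carried, and the new "SSLProxyCipherSuite" line and the two commented "!SSLv3:!kRSA" alternatives omit it as well. Nothing else in the hunk excludes anonymous or NULL-encryption suites, so the sample config no longer states that exclusion itself; the reply at the top of this thread points out that SSL_DEFAULT_CIPHER_LIST does not include "!aNULL:!eNULL" for older OpenSSL versions. Suggest keeping the exclusion explicit in all four cipher strings, for example "HIGH:MEDIUM:!aNULL:!MD5:!RC4", so the shipped example does not depend on what the library or module supplies.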
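Review bot: in the added comment block above the commented "!SSLv3:!kRSA" directives, "These changes inhibit older clients" appears before the changes it refers to have been introduced, and "disable those protocols which do not support forward secrecy" describes "!kRSA", which removes a key exchange rather than a protocol. Suggest moving the client-compatibility warning to follow the two example directives and rewording to "disable those ciphers which do not offer forward secrecy". The "By the end of 2016" deadline is also stated twice in the hunk (here and under "SSL Protocol support"); stating it once, in the protocol section, would keep the two comments from drifting apart.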
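As an added example (not code from httpd or from either poster), a small static check for the directives this patch touches. The list of required exclusions is this example's assumption drawn from the thread, and token matching only approximates what OpenSSL expands a cipher string to; `openssl ciphers -v` on the target build stays authoritative.

```python
import re

# Policy assumed for this example, taken from the thread: every cipher string
# must permanently exclude these, and SSLv3 must not end up enabled.
REQUIRED_EXCLUSIONS = ("aNULL", "eNULL", "RC4")
CIPHER_DIRECTIVES = ("sslciphersuite", "sslproxyciphersuite")
PROTOCOL_DIRECTIVES = ("sslprotocol", "sslproxyprotocol")

# Constructed sample: the active directives as they stand after r1679428.
SAMPLE_CONF = """\
# SSL Cipher Suite:
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
"""


def missing_exclusions(spec):
    """Names from REQUIRED_EXCLUSIONS that the cipher string does not remove with '!'."""
    banned = {t[1:] for t in re.split(r"[:, ]+", spec.strip('"')) if t.startswith("!")}
    return [name for name in REQUIRED_EXCLUSIONS if name not in banned]


def sslv3_enabled(args):
    """Apply SSLProtocol tokens left to right and report whether SSLv3 ends up enabled."""
    enabled = False
    for tok in args.lower().split():
        if tok in ("all", "+all", "sslv3", "+sslv3"):
            enabled = True
        elif tok in ("-all", "-sslv3"):
            enabled = False
    return enabled


def audit(conf_text):
    """Return (line number, directive, problem) for each weak TLS directive found."""
    findings = []
    for number, raw in enumerate(conf_text.splitlines(), 1):
        name, args = (raw.split(None, 1) + ["", ""])[:2]
        key = name.lower()
        if key in CIPHER_DIRECTIVES and missing_exclusions(args):
            findings.append((number, name, "missing !" + ":!".join(missing_exclusions(args))))
        elif key in PROTOCOL_DIRECTIVES and sslv3_enabled(args):
            findings.append((number, name, "SSLv3 enabled"))
        elif key == "sslhonorcipherorder" and args.strip().lower() != "on":
            findings.append((number, name, "server cipher order not enforced"))
    return findings
```

Calling `audit(SAMPLE_CONF)` flags both cipher directives for the missing `!aNULL:!eNULL` and passes the protocol and cipher-order lines.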
