Re: How to suppress weak ciphers

2020-04-23 Thread Jerome Magnin
On Thu, Apr 23, 2020 at 03:59:59AM +, Branitsky, Norman wrote:
> Jerome,
> 
> Thanks for the clarification.
> 
> This string:
> 
> CHACHA20:AESGCM:AESCCM:!RSA
> resulted in an F grade from SSL Labs due to the inclusion of TLS_DH_anon 
> ciphers:
> 
> After adding the following to the end of the string, scored an A+:
> 
> :!aNULL
>

Interesting, I didn't have to append !aNULL, I guess this depends on operating
systems and openssl defaults. Congrats on the A+ :-)

Jérôme



RE: How to suppress weak ciphers

2020-04-22 Thread Branitsky, Norman
Jerome,



Thanks for the clarification.

This string:

CHACHA20:AESGCM:AESCCM:!RSA
resulted in an F grade from SSL Labs due to the inclusion of TLS_DH_anon 
ciphers:

After adding the following to the end of the string, scored an A+:

:!aNULL



Norman Branitsky

Senior Cloud Architect

P: 416-916-1752





-Original Message-
From: Jerome Magnin 
Sent: Wednesday, April 22, 2020 3:20 PM
To: Branitsky, Norman 
Cc: haproxy@formilux.org
Subject: Re: How to suppress weak ciphers



On Wed, Apr 22, 2020 at 06:20:14PM +, Branitsky, Norman wrote:
> As you can see from my pasted configuration, I was specifying exactly 4
> ciphers.
> The 2 weak CBC ciphers were magically appearing in the SSL Labs report.
> I tried to explicitly delete them - but the delete request is ignored.
>
> It seems that this entry, for example, must actually be a family:
> ECDHE-RSA-AES256-SHA384
> which includes
> ECDHE-RSA-AES256-CBC-SHA384
> Not clear why the explicit delete command doesn't delete the CBC cipher.
>

the configuration you shared excludes ciphers that are not actually ciphers.
I'm guessing this is why you still see what you try to disable when you test
with ssllabs.

there is no ECDHE-RSA-AES256-CBC-SHA384 in man ciphers(1), and no
ECDHE-RSA-AES128-CBC-SHA384.

On the other hand ECDHE-RSA-AES256-SHA384 is the openssl equivalent to
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 so you probably got things mixed up.

> Do you use the following specification and do you find sufficient support of
> existing browsers?
> ssl-default-bind-ciphers CHACHA20:AESGCM:AESCCM:!RSA
> Or is this too aggressive?
>
It does not support safari from 6 to 8 on IOS and OSX, and IE11 on windows
phone 8.1.
I can share ssllabs report privately if you want.

Jérôme


Re: How to suppress weak ciphers

2020-04-22 Thread Jerome Magnin
On Wed, Apr 22, 2020 at 06:20:14PM +, Branitsky, Norman wrote:
> As you can see from my pasted configuration, I was specifying exactly 4 
> ciphers.
> The 2 weak CBC ciphers were magically appearing in the SSL Labs report.
> I tried to explicitly delete them - but the delete request is ignored.
> 
> It seems that this entry, for example, must actually be a family:
> ECDHE-RSA-AES256-SHA384
> which includes
> ECDHE-RSA-AES256-CBC-SHA384
> Not clear why the explicit delete command doesn't delete the CBC cipher.
> 

the configuration you shared excludes ciphers that are not actually ciphers. I'm
guessing this is why you still see what you try to disable when you test with
ssllabs.

there is no ECDHE-RSA-AES256-CBC-SHA384 in man ciphers(1), and no
ECDHE-RSA-AES128-CBC-SHA384.

On the other hand ECDHE-RSA-AES256-SHA384 is the openssl equivalent to 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 so you probably got things mixed up.


> Do you use the following specification and do you find sufficient support of 
> existing browsers?
> ssl-default-bind-ciphers CHACHA20:AESGCM:AESCCM:!RSA
> Or is this too aggressive?
>
It does not support safari from 6 to 8 on IOS and OSX, and IE11 on windows 
phone 8.1.
I can share ssllabs report privately if you want.

Jérôme
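
Both points raised in this thread (the negated "-CBC-" names match nothing, and the need for !aNULL depends on the OpenSSL build) can be checked locally before re-running SSL Labs. The script below is an added example, not part of the original messages; it uses Python's ssl module, so it reports what the OpenSSL linked into Python selects, which may differ from the build HAProxy uses. The function names are illustrative.

```python
import re
import ssl

# Cipher string from the original question in this thread.
ORIGINAL = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
            "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
            "!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384")
# Family-based string from the thread, with !aNULL appended.
FINAL = "CHACHA20:AESGCM:AESCCM:!RSA:!aNULL"


def expand(cipher_string):
    """Suites the local OpenSSL puts in the list for this string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def unmatched_tokens(cipher_string):
    """Tokens naming no cipher or family known to this OpenSSL build.

    OpenSSL silently ignores such tokens inside a longer string, so each
    one is tested alone with its !, + or - prefix removed.
    """
    dead = []
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        bare = token.lstrip("!+-")
        if not bare or bare.startswith("@"):  # skip @STRENGTH, @SECLEVEL=n
            continue
        try:
            expand(bare)
        except ssl.SSLError:
            dead.append(token)
    return dead


def cbc_suites(cipher_string):
    return [c["name"] for c in expand(cipher_string)
            if "cbc" in (c["symmetric"] or "")]


def anonymous_suites(cipher_string):
    return [c["name"] for c in expand(cipher_string)
            if c["auth"] == "auth-null"]


if __name__ == "__main__":
    for label, s in (("original", ORIGINAL), ("final", FINAL)):
        print(label, "unmatched:", unmatched_tokens(s))
        print(label, "CBC:", cbc_suites(s))
        print(label, "anonymous:", anonymous_suites(s))
```

For the string without !aNULL, the anonymous_suites result varies with the OpenSSL build, so run the check against the same OpenSSL version HAProxy is linked with where possible.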



RE: How to suppress weak ciphers

2020-04-22 Thread Zakharychev, Bob
FWIW, here's what we use in production with HAProxy 2.1.4 statically linked 
with OpenSSL 1.1.1f, gives us an A rating with 90 score for cipher strength 
from SSLLabs test:

# recommended modern ciphersuites. Qualys SSLLab reports some of them
# as weak due to use of inferior CBC mode, but disabling them breaks
# compatibility with quite a few browsers still in the wild.
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
# TLSv1.3 ciphersuites: for now, the same as OpenSSL default
ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
# Disable TLSv1.1 and down and TLS tickets
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

Here's what they report for TLS 1.2:

# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)        ECDH x25519 (eq. 3072 bits RSA)   FS          256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)  ECDH x25519 (eq. 3072 bits RSA)   FS          256 (P)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)        ECDH x25519 (eq. 3072 bits RSA)   FS          128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)        ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK   256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)        ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK   128
(P) This server prefers ChaCha20 suites with clients that don't have AES-NI
(e.g., Android devices)

Disabling the two weak ciphers knocks off too many browsers still in wide use, 
so we ruled against it.

Bob

-Original Message-
From: Branitsky, Norman  
Sent: Wednesday, April 22, 2020 2:20 PM
To: Jerome Magnin 
Cc: haproxy@formilux.org
Subject: RE: How to suppress weak ciphers


As you can see from my pasted configuration, I was specifying exactly 4 ciphers.
The 2 weak CBC ciphers were magically appearing in the SSL Labs report.
I tried to explicitly delete them - but the delete request is ignored.

It seems that this entry, for example, must actually be a family:
ECDHE-RSA-AES256-SHA384
which includes
ECDHE-RSA-AES256-CBC-SHA384
Not clear why the explicit delete command doesn't delete the CBC cipher.

Do you use the following specification and do you find sufficient support of 
existing browsers?
ssl-default-bind-ciphers CHACHA20:AESGCM:AESCCM:!RSA
Or is this too aggressive?

Norman Branitsky
Senior Cloud Architect
P: 416-916-1752


-Original Message-
From: Jerome Magnin 
Sent: Wednesday, April 22, 2020 11:50 AM
To: Branitsky, Norman 
Cc: haproxy@formilux.org
Subject: Re: How to suppress weak ciphers

Hi Norman,
On Wed, Apr 22, 2020 at 03:29:28PM +, Branitsky, Norman wrote:
> HA-Proxy version 1.7.10-a7dcc3b 2018/01/02
> SSL Labs reports the CBC ciphers are "weak":
>
> I've tried to explicitly negate these ciphers with an "!" in haproxy.cfg to
> no avail:
>
> ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
>
> ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384
>
> ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
>
> ssl-default-server-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384
>
> How do I delete the "weak" ciphers?
>


If you list all the ciphers you want to support, it does not make sense to 
negate those you don't want. just don't list them.
You would use ! to exclude specific ciphers or ciphers "families", ie:

 ssl-default-bind-ciphers CHACHA20:AESGCM:AESCCM:!RSA

you can find additional information on this in the manpage for ciphers(1).

regards,
Jérôme


RE: How to suppress weak ciphers

2020-04-22 Thread Branitsky, Norman
As you can see from my pasted configuration, I was specifying exactly 4 ciphers.
The 2 weak CBC ciphers were magically appearing in the SSL Labs report.
I tried to explicitly delete them - but the delete request is ignored.

It seems that this entry, for example, must actually be a family:
ECDHE-RSA-AES256-SHA384
which includes
ECDHE-RSA-AES256-CBC-SHA384
Not clear why the explicit delete command doesn't delete the CBC cipher.

Do you use the following specification and do you find sufficient support of 
existing browsers?
ssl-default-bind-ciphers CHACHA20:AESGCM:AESCCM:!RSA
Or is this too aggressive?

Norman Branitsky
Senior Cloud Architect
P: 416-916-1752


-Original Message-
From: Jerome Magnin  
Sent: Wednesday, April 22, 2020 11:50 AM
To: Branitsky, Norman 
Cc: haproxy@formilux.org
Subject: Re: How to suppress weak ciphers

Hi Norman,
On Wed, Apr 22, 2020 at 03:29:28PM +, Branitsky, Norman wrote:
> HA-Proxy version 1.7.10-a7dcc3b 2018/01/02
> SSL Labs reports the CBC ciphers are "weak":
>
> I've tried to explicitly negate these ciphers with an "!" in haproxy.cfg to
> no avail:
>
> ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
>
> ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384
>
> ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
>
> ssl-default-server-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384
> 
> How do I delete the "weak" ciphers?
> 


If you list all the ciphers you want to support, it does not make sense to 
negate those you don't want. just don't list them. 
You would use ! to exclude specific ciphers or ciphers "families", ie:

 ssl-default-bind-ciphers CHACHA20:AESGCM:AESCCM:!RSA

you can find additional information on this in the manpage for ciphers(1).

regards,
Jérôme


Re: How to suppress weak ciphers

2020-04-22 Thread Илья Шипицин
you can start with https://ssl-config.mozilla.org/
however, high security also means lower compatibility, i.e. old browsers
fail on high security (ssl labs provide handshake table for that)

Wed, 22 Apr 2020 at 20:32, Branitsky, Norman <
norman.branit...@tylertech.com>:

> HA-Proxy version 1.7.10-a7dcc3b 2018/01/02
> SSL Labs reports the CBC ciphers are “weak”:
>
> I’ve tried to explicitly negate these ciphers with an “!” in haproxy.cfg
> to no avail:
>
> ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
>
> ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384
>
> ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
>
> ssl-default-server-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384
>
>
>
> How do I delete the “weak” ciphers?
>
>
> *Norman Branitsky*
> Senior Cloud Architect
> Tyler Technologies, Inc.
>
> P: 416-916-1752
> C: 416.843.0670
> www.tylertech.com
>
>
>
>


Re: How to suppress weak ciphers

2020-04-22 Thread Jerome Magnin
Hi Norman,
On Wed, Apr 22, 2020 at 03:29:28PM +, Branitsky, Norman wrote:
> HA-Proxy version 1.7.10-a7dcc3b 2018/01/02
> SSL Labs reports the CBC ciphers are "weak":
> 
> I've tried to explicitly negate these ciphers with an "!" in haproxy.cfg to
> no avail:
>
> ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
>
> ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384
>
> ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
>
> ssl-default-server-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384
> 
> How do I delete the "weak" ciphers?
> 


If you list all the ciphers you want to support, it does not make sense to
negate those you don't want. just don't list them. 
You would use ! to exclude specific ciphers or ciphers "families", ie:

 ssl-default-bind-ciphers CHACHA20:AESGCM:AESCCM:!RSA

you can find additional information on this in the manpage for ciphers(1).

regards,
Jérôme



How to suppress weak ciphers

2020-04-22 Thread Branitsky, Norman
HA-Proxy version 1.7.10-a7dcc3b 2018/01/02
SSL Labs reports the CBC ciphers are "weak":

I've tried to explicitly negate these ciphers with an "!" in haproxy.cfg to no
avail:

ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384

ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

ssl-default-server-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384

How do I delete the "weak" ciphers?

Norman Branitsky
Senior Cloud Architect
Tyler Technologies, Inc.

P: 416-916-1752
C: 416.843.0670
www.tylertech.com
