Advice needed with SSL protocols and cipher suites

Support for security such as Firewalls and securing linux
qpidity
Posts: 7
Joined: 2015/12/02 19:35:51

Advice needed with SSL protocols and cipher suites

Post by qpidity » 2015/12/02 20:16:08

Hi,

I'm really hoping someone can help. We're running CentOS 6.5 (Final)/Apache 2.2.15 and an SSL version check returns 1.0.1e fips. The basic issue is that we need to harden our security settings; however, we're failing to get an A rating at SSL Labs, only achieving a B rating, primarily, it seems, due to less than ideal protocol support.

We first attempted to update the SSLProtocol as follows in /etc/httpd/conf/httpd.conf:

SSLProtocol -ALL +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

However, after doing so and restarting Apache we received exactly the same result at SSL Labs - TLS1.0 is showing as enabled.

The same update was also made in ssl.conf and after restarting the service, again the same result - TLS1.0 is showing as enabled.

I don't quite understand why there's been no change to the scan results after making these changes. I wonder if it's because our version of mod_ssl does not support the new, more secure ciphers, although I read somewhere that updates to mod_ssl are likely to have been backported.

On a separate note, should we look at upgrading CentOS to 6.7? Would that automatically bring with it the necessary updated packages? Or should we be running a yum update? I have to admit, server security not being my forte, I'm struggling somewhat to get to grips with how best to proceed. There seem to be so many variables to consider.

I'd be really grateful for any assistance that can be offered.

Many thanks in advance.

avij
Retired Moderator
Posts: 3039
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Advice needed with SSL protocols and cipher suites

Post by avij » 2015/12/02 20:43:30

You should indeed run yum update to update to CentOS 6.7 in any case.

qpidity
Posts: 7
Joined: 2015/12/02 19:35:51

Re: Advice needed with SSL protocols and cipher suites

Post by qpidity » 2015/12/02 21:25:55

Thanks for the reply. Will running the yum update resolve the issue I'm having with the SSL protocols and ciphers? Will that overwrite settings/ directives we currently have in place?

avij
Retired Moderator
Posts: 3039
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Advice needed with SSL protocols and cipher suites

Post by avij » 2015/12/02 22:07:06

qpidity wrote: Thanks for the reply. Will running the yum update resolve the issue I'm having with the SSL protocols and ciphers? Will that overwrite settings/directives we currently have in place?

The following changes have been made to httpd's mod_ssl since CentOS 6.5. Some of these may be related to your problem.
  • Fix SSL_CLIENT_VERIFY value when optional_no_ca and SSLSessionCache are used and SSL session is resumed (#1149703)
  • log revoked certificates at the INFO level (#1161328)
  • use -extensions v3_req for certificate generation (#906476)
  • fix SSLCipherSuite (#1035818)
  • Add a wildcard common name match (#1035666)
  • prevent use of AECDH (#1035818)
  • use 2048-bit RSA key with SHA-256 signature in dummy certificate (#1103115)
  • adjust DH temp key selection, prefer larger and up to 8192-bit. (#1071883)
  • add ECDH support (#1035818)
  • improve DH temp key handling (#1071883)
  • enable support at run-time for TLSv1.x with newer OpenSSL (#1034984)
  • fix crash when loaded for first time during the reload (#876626)
  • make lazy CRL caching configurable (#1037832)
In addition, the newest httpd has fixes for vulnerabilities CVE-2015-3183, CVE-2013-5704, CVE-2014-0231, CVE-2014-0118, CVE-2014-0226, CVE-2013-6438 and CVE-2014-0098. These alone should be a sufficient reason to update. I can't guarantee that updating will fix your problem, but it would be a good first step.

In general, running yum update should be safe and there should be no harmful effects, and configuration should stay intact.

qpidity
Posts: 7
Joined: 2015/12/02 19:35:51

Re: Advice needed with SSL protocols and cipher suites

Post by qpidity » 2015/12/04 11:22:56

Hi,

I've run the yum update and I can see that now we're running CentOS 6.7. I've run the scan at SSL Labs but there's been no change. I'm not sure I understand why TLS1.0 is not being disabled. We have the following set in /etc/httpd/conf.d/ssl.conf and /etc/httpd/conf/httpd.conf:

SSLProtocol -ALL +TLSv1.1 +TLSv1.2

Additionally, we are still getting the weak cipher warnings. Again, I would have thought that by running yum update we'd be upgrading our version of mod_ssl and thereby filling the gaps in terms of the ciphers for which we previously didn't have support. I see we've gone from OpenSSL 1.0.1e fips to 1.0.1e-42.el6.

I attach the pertinent information here from the scan.

Grateful for any assistance.

Many thanks
Attachment: Output from SSL Labs scan (Screen shot 2015-12-04 at 11.56.33.png)

TrevorH
Forum Moderator
Posts: 29113
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Advice needed with SSL protocols and cipher suites

Post by TrevorH » 2015/12/04 11:53:18

Do you have other vhosts that use SSL? You need to make sure that all use the same settings.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

qpidity
Posts: 7
Joined: 2015/12/02 19:35:51

Re: Advice needed with SSL protocols and cipher suites

Post by qpidity » 2015/12/04 13:39:15

We're hosting just a single domain, but I think you may be referring to mail services, Plesk etc., right?

TrevorH
Forum Moderator
Posts: 29113
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Advice needed with SSL protocols and cipher suites

Post by TrevorH » 2015/12/04 13:50:30

No, I'm referring to other apache httpd virtual hosts.

qpidity
Posts: 7
Joined: 2015/12/02 19:35:51

Re: Advice needed with SSL protocols and cipher suites

Post by qpidity » 2015/12/04 13:58:26

Forgive my ignorance; as mentioned, this isn't my forte.

Is this what you're referring to:


/usr/sbin/httpd -S
VirtualHost configuration:
XX.XX.XXX.XXX:7080     is a NameVirtualHost
         default server mydomain.com (/var/www/vhosts/mydomain.com/conf/14485391080.35778000_httpd_ip_default.include:133)
         port 7080 namevhost mydomain.com (/var/www/vhosts/mydomain.com/conf/14485391080.35778000_httpd_ip_default.include:133)
                 alias www.mydomain.com
                 alias ipv4.mydomain.com
         port 7080 namevhost default (/usr/local/psa/admin/conf/generated/14254662840.02263600_server.include:89)
         port 7080 namevhost lists (/usr/local/psa/admin/conf/generated/14254662840.02263600_server.include:163)
                 wild alias lists.*
         port 7080 namevhost horde.webmail (/usr/local/psa/admin/conf/generated/14254662840.02263600_horde.include:9)
                 alias webmail.mydomain.com
                 wild alias horde.webmail.*
XX.XX.XXX.XXX:7081     is a NameVirtualHost
         default server mydomain.com (/var/www/vhosts/mydomain.com/conf/14485391080.35778000_httpd_ip_default.include:11)
         port 7081 namevhost mydomain.com (/var/www/vhosts/mydomain.com/conf/14485391080.35778000_httpd_ip_default.include:11)
                 alias www.mydomain.com
                 alias ipv4.mydomain.com
         port 7081 namevhost default-XX_XX_XXX_XXX (/usr/local/psa/admin/conf/generated/14254662840.02263600_server.include:123)
         port 7081 namevhost lists (/usr/local/psa/admin/conf/generated/14254662840.02263600_server.include:189)
                 wild alias lists.*
         port 7081 namevhost horde.webmail (/usr/local/psa/admin/conf/generated/14254662840.02263600_horde.include:53)
                 alias webmail.mydomain.com
                 wild alias horde.webmail.*
127.0.0.1:7080         is a NameVirtualHost
         default server mydomain.com (/var/www/vhosts/mydomain.com/conf/14485391080.35778000_httpd_ip_default.include:133)
         port 7080 namevhost mydomain.com (/var/www/vhosts/mydomain.com/conf/14485391080.35778000_httpd_ip_default.include:133)
                 alias www.mydomain.com
                 alias ipv4.mydomain.com
         port 7080 namevhost default (/usr/local/psa/admin/conf/generated/14254662840.02263600_server.include:89)
         port 7080 namevhost lists (/usr/local/psa/admin/conf/generated/14254662840.02263600_server.include:163)
                 wild alias lists.*
         port 7080 namevhost horde.webmail (/usr/local/psa/admin/conf/generated/14254662840.02263600_horde.include:9)
                 alias webmail.mydomain.com
                 wild alias horde.webmail.*
127.0.0.1:7081         is a NameVirtualHost
         default server mydomain.com (/var/www/vhosts/mydomain.com/conf/14485391080.35778000_httpd_ip_default.include:11)
         port 7081 namevhost mydomain.com (/var/www/vhosts/mydomain.com/conf/14485391080.35778000_httpd_ip_default.include:11)
                 alias www.mydomain.com
                 alias ipv4.mydomain.com
         port 7081 namevhost default-XX_XX_XXX_XXX (/usr/local/psa/admin/conf/generated/14254662840.02263600_server.include:123)
         port 7081 namevhost lists (/usr/local/psa/admin/conf/generated/14254662840.02263600_server.include:189)
                 wild alias lists.*
         port 7081 namevhost horde.webmail (/usr/local/psa/admin/conf/generated/14254662840.02263600_horde.include:53)
                 alias webmail.mydomain.com
                 wild alias horde.webmail.*

TrevorH
Forum Moderator
Posts: 29113
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Advice needed with SSL protocols and cipher suites

Post by TrevorH » 2015/12/04 14:06:22

Yes. You have multiple namevhosts listed and the SSL config from one will bleed through into the others. You need to track down the config files for all of them and make the same changes to them all if SSL is enabled. However, I also see that you are using Plesk so you may want to check with them about it too since Plesk, in common with many control panels, installs their own web stack, possibly compiled from source. That means that you're probably not running the CentOS supplied packages and you need to get support from them.
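As an added example, not code from the thread or from any of its posters, the Python script below automates the check TrevorH describes and explains why qpidity's first edit had no visible effect: it pulls every config file named in `httpd -S` output, evaluates each SSLProtocol directive the way mod_ssl applies its tokens (a bare token sets the list, `+` adds, `-` removes; `all` is taken here as every protocol a 1.0.1-era OpenSSL offers, which is an assumption), and flags any context that still leaves SSLv2, SSLv3 or TLSv1 enabled, or that has `SSLEngine on` without an SSLProtocol of its own and so inherits whatever the server-level setting happens to be. The ssl.conf and Plesk-style include it writes into a temp directory are constructed for the demonstration; the file names and vhost addresses in them are made up.

```python
import os
import re
import tempfile

ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}


def effective_protocols(value):
    """Evaluate an SSLProtocol value the way mod_ssl does: tokens are applied
    left to right, a bare token replaces the set, '+' adds and '-' removes.
    'all' expands to every protocol a 1.0.1-era OpenSSL knows (assumption)."""
    enabled = set()
    for token in value.split():
        action = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        protos = ALL_PROTOCOLS if name == "all" else {p for p in ALL_PROTOCOLS if p.lower() == name}
        if action == "+":
            enabled |= protos
        elif action == "-":
            enabled -= protos
        else:
            enabled = set(protos)
    return enabled


def config_files_from_httpd_s(output):
    """Collect the unique config file paths from `httpd -S` output, i.e. the
    '(path:line)' suffix that follows every vhost entry."""
    return sorted(set(re.findall(r"\((/[^:)]+):\d+\)", output)))


def audit_config(path):
    """Walk one config file and report, per context (server level or each
    <VirtualHost>), weak protocols left enabled by SSLProtocol, or an
    SSL-enabled vhost that silently inherits the server-level setting."""
    findings = []
    context, ssl_on, protocol = "server", False, None

    def close_context():
        # Called whenever a context ends; reads the enclosing state at call time.
        if protocol is not None:
            weak = effective_protocols(protocol) & WEAK_PROTOCOLS
            if weak:
                findings.append((path, context, "enables " + ", ".join(sorted(weak))))
        elif ssl_on:
            findings.append((path, context, "SSLEngine on but no SSLProtocol; inherits server default"))

    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()  # drop trailing comments
            opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
            if opened:
                close_context()
                context, ssl_on, protocol = "VirtualHost " + opened.group(1), False, None
                continue
            if re.match(r"</VirtualHost>", line, re.I):
                close_context()
                context, ssl_on, protocol = "server", False, None
                continue
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0].lower() == "sslengine":
                ssl_on = parts[1].lower() == "on"
            elif len(parts) == 2 and parts[0].lower() == "sslprotocol":
                protocol = parts[1]
    close_context()
    return findings


def run_demo():
    """Constructed sample: an ssl.conf hardened as in the thread, plus a
    control-panel-style generated include whose vhost carries its own, weaker
    SSLProtocol and therefore keeps TLSv1 alive on that listener."""
    tmp = tempfile.mkdtemp()
    ssl_conf = os.path.join(tmp, "ssl.conf")
    vhost_inc = os.path.join(tmp, "server.include")
    with open(ssl_conf, "w") as fh:
        fh.write("SSLProtocol -ALL +TLSv1.1 +TLSv1.2\nSSLHonorCipherOrder On\n")
    with open(vhost_inc, "w") as fh:
        fh.write("<VirtualHost 127.0.0.1:7081>\n"
                 "  SSLEngine on\n"
                 "  SSLProtocol all -SSLv2   # generated default\n"
                 "</VirtualHost>\n"
                 "<VirtualHost 127.0.0.1:7080>\n"
                 "  SSLEngine off\n"
                 "</VirtualHost>\n")
    # Constructed `httpd -S` output naming both files
    httpd_s = ("VirtualHost configuration:\n"
               "127.0.0.1:7081         is a NameVirtualHost\n"
               f"         default server default ({vhost_inc}:1)\n"
               f"         port 7081 namevhost default ({vhost_inc}:1)\n"
               f"         port 7081 namevhost mydomain.com ({ssl_conf}:1)\n")
    findings = []
    for path in config_files_from_httpd_s(httpd_s):
        findings.extend(audit_config(path))
    return findings


if __name__ == "__main__":
    for path, context, message in run_demo():
        print(f"{path}: {context}: {message}")
```

On a real host, feed the script the output of `/usr/sbin/httpd -S` (as root, so every include is readable) instead of the constructed text, and fix every flagged context rather than only the global ssl.conf; SSL Labs reports the weakest listener it can reach, so one stray vhost is enough to keep the B rating.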
