Re: DH^H^H EC parameter selection on httpd 2.2

On 03/31/2017 07:52 AM, Christopher Schultz wrote:

All,

On 3/30/17 4:32 PM, Christopher Schultz wrote:
All,

I'm running httpd 2.2.31 on Amazon Linux, and the docs for
SSLCertificateFile say:

" Beginning with version 2.2.30, mod_ssl makes use of standardized
DH parameters with prime lengths of 2048, 3072, 4096, 6144 and 8192
bits (from RFC 3526), and hands them out to clients based on the
length of the certificate's RSA/DSA key. "

I have a 4096-bit RSA key and yet I'm not getting a 100% on SSL
Labs' SSL testing tool. That suggests that the DH parameter
strength is less than what I was expecting: 4096-bit (or
equivalent).

How does httpd determine which DH primes to use based upon the RSA
key? The server's key is 4096-bit, but the issuer's key (in the
chain) is 2048-bit. Is that the reason SSL Test is not giving me
full marks?

I'm trying to create a 4096-bit parameters file (to attach to the
RSA key chain), but it's taking a while so I figured I'd ask in the
meantime.

I added my 4096-bit DH parameters to the end of my cert file, like this:

-----BEGIN CERTIFICATE-----
[my RSA certificate]
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
[my DH parameters data]
-----END DH PARAMETERS-----

and restarted httpd.

When running SSL Labs' test, it tells me the following:

cipher / key-exch / strength / forward-security
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq. 3072 bits RSA)   FS
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 4096 bits   FS
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 4096 bits   FS

So it looks like the DH parameters are okay, but the EC RSA-bit-equiv
is only 3072.

Does this mean that I'd need to create an ecparam file to raise that
RSA-bit-equiv even higher?

Do not worry about getting 100% on all four of the SSL Labs tests.

2048-bit DHE primes are not going to be cracked anytime soon.

If you want to get 100% in all four of their testing areas it can be done but it requires an ECDSA cert with a very limited number of TLS 1.2 ciphers that only support 256-bit ECDHE.

https://www.ssllabs.com/ssltest/analyze.html?d=leprecoin.org (one of my servers)

But in practice a 2048-bit RSA cert is secure.

Rather than attempting to get 100% in all four of their metrics, strive to get an A+ rating with only a handful (less than 10) ciphers that all support forward secrecy.

When all of your ciphers support forward secrecy, then the server private/public key is only used for hostname authentication, not encryption. 2048-bit RSA most certainly is good enough for that, especially if you generate a new private key once a year.

With respect to forward secrecy, make sure your ECDHE ciphers are listed first so that clients that support them will use them, and clients that don't support ECDHE will still be able to use the DHE ciphers.

I tend to use the following on servers with RSA certs:

SSLHonorCipherOrder on
SSLCipherSuite "EECDH+CHACHA20 EECDH+AESGCM EECDH+AES+SHA384 EECDH+AES+SHA256 EECDH+AES EDH+AES256"

It doesn't get me 100% on all four of the checks but I still get an A+ rating and know the server is secure, with a 2048-bit RSA cert and 2048 DH parameters.

Using RSA > 2048-bit and DH params > 2048-bit results in more work for the server and the client without any real world benefit.

Yes technically harder to break, but if I can only jump 10 feet then a 50 foot moat is just as effective as a 100 foot moat.
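
The following is an added example, not part of the original message or of httpd: it expands the SSLCipherSuite string quoted above and checks the two properties the reply relies on, that every suite is forward-secret and that ECDHE suites are preferred over DHE ones. It assumes Python's ssl module, so the expansion reflects the locally linked OpenSSL rather than the OpenSSL on the httpd 2.2 host; the function names expand and audit are this example's own.

```python
import ssl

# Cipher string copied from the reply above.
CIPHER_STRING = ("EECDH+CHACHA20 EECDH+AESGCM EECDH+AES+SHA384 "
                 "EECDH+AES+SHA256 EECDH+AES EDH+AES256")

# OpenSSL key-exchange labels that provide forward secrecy.
FS_KEX = {"kx-ecdhe": "ECDHE", "kx-dhe": "DHE"}


def expand(cipher_string):
    """Return (name, kex, auth) for each TLS <= 1.2 suite, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    suites = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue  # TLS 1.3 suites are not controlled by this string
        suites.append((c["name"], c.get("kea", "unknown"),
                       c.get("auth", "unknown")))
    return suites


def audit(cipher_string):
    """Return (suites, findings); findings is empty when the string is clean."""
    suites = expand(cipher_string)
    findings = []
    seen_dhe = False
    for name, kex, auth in suites:
        if kex not in FS_KEX:
            findings.append(f"{name}: key exchange {kex} is not forward-secret")
        if auth == "auth-null":
            findings.append(f"{name}: anonymous (unauthenticated) suite")
        if kex == "kx-dhe":
            seen_dhe = True
        elif kex == "kx-ecdhe" and seen_dhe:
            findings.append(f"{name}: ECDHE suite ordered after a DHE suite")
    return suites, findings


if __name__ == "__main__":
    suites, findings = audit(CIPHER_STRING)
    for name, kex, auth in suites:
        print(f"{name:34} {FS_KEX.get(kex, kex):6} {auth}")
    print(f"{len(suites)} suites selected, {len(findings)} findings")
    for f in findings:
        print("FINDING:", f)
```

The preference order only takes effect on the server when SSLHonorCipherOrder is on, as in the configuration above.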
