Re: SSL Cipher configuration issue

Jim Albert <jim@xxxxxxxxxxxxx> · Thu, 26 Aug 2021 10:35:20 -0400

On 8/26/2021 6:16 AM, Paul Claridge wrote:

Hi Team,

I am trying to configure recommendations from a pentest with regard to
excluding weak ciphers.

My ssl labs report shows the following:

Protocols
TLS 1.3     Yes
TLS 1.2     Yes
TLS 1.1     No
TLS 1.0     No
SSL 3     No
SSL 2     No

Cipher Suites
# TLS 1.3 (suites in server-preferred order)
TLS_AES_256_GCM_SHA384 (0x1302)   ECDH x25519 (eq. 3072 bits RSA)   FS
    256
TLS_CHACHA20_POLY1305_SHA256 (0x1303)   ECDH x25519 (eq. 3072 bits RSA)
  FS     256
TLS_AES_128_GCM_SHA256 (0x1301)   ECDH x25519 (eq. 3072 bits RSA)   FS
    128
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)   ECDH x25519 (eq.
3072 bits RSA)   FS     256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH x25519 (eq. 3072
bits RSA)   FS     128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH x25519 (eq. 3072
bits RSA)   FS     256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 2048 bits   FS 128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 2048 bits   FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH x25519 (eq. 3072
bits RSA)   FS   WEAK     128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH x25519 (eq. 3072
bits RSA)   FS   WEAK     256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH x25519 (eq. 3072 bits
RSA)   FS   WEAK     128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH x25519 (eq. 3072 bits
RSA)   FS   WEAK     256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 2048 bits   FS WEAK
    128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 2048 bits   FS WEAK     128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 2048 bits   FS WEAK
    256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 2048 bits   FS WEAK     256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK     128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK     256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK     128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK     256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK     128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK     256

My current ssl.conf is as follows:

<IfModule mod_ssl.c>

    # Pseudo Random Number Generator (PRNG):
    # Configure one or more sources to seed the PRNG of the SSL library.
    # The seed data should be of good random quality.
    # WARNING! On some platforms /dev/random blocks if not enough entropy
    # is available. This means you then cannot use the /dev/random device
    # because it would lead to very long connection times (as long as
    # it requires to make more entropy available). But usually those
    # platforms additionally provide a /dev/urandom device which doesn't

    # block. So, if available, use this one instead. Read the mod_ssl 

User

    # Manual for more details.
    #
    SSLRandomSeed startup builtin
    SSLRandomSeed startup file:/dev/urandom 512
    SSLRandomSeed connect builtin
    SSLRandomSeed connect file:/dev/urandom 512

    ##
    ##  SSL Global Context
    ##
    ##  All SSL configuration in this context applies both to
    ##  the main server and all SSL-enabled virtual hosts.
    ##

    #
    #   Some MIME-types for downloading Certificates and CRLs
    #
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl

    #   Pass Phrase Dialog:
    #   Configure the pass phrase gathering process.
    #   The filtering dialog program (`builtin' is a internal
    #   terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase

    #   Inter-Process Session Cache:
    #   Configure the SSL Session Cache: First the mechanism
    #   to use and second the expiring timeout (in seconds).

    #   (The mechanism dbm has known memory leaks and should not be 

used).

    #SSLSessionCache         dbm:${APACHE_RUN_DIR}/ssl_scache
    SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
    SSLSessionCacheTimeout  300
    SSLSessionTickets  off

    #   Semaphore:
    #   Configure the path to the mutual exclusion semaphore the
    #   SSL engine uses internally for inter-process synchronization.
    #   (Disabled by default, the global Mutex directive consolidates by
default
    #   this)
    #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache

    #   SSL Cipher Suite:

    #   List the ciphers that the client is permitted to negotiate. 

See the

    #   ciphers(1) man page from the openssl package for list of all
available
    #   options.
    #   Enable only secure ciphers:
    #SSLCipherSuite

HIGH:!aNULL:!ECDHE_RSA_WITH_AES_128_CBC_SHA256:!ECDHE_RSA_WITH_AES_256_CBC_SHA384:!ECDHE_RSA_WITH_AES_128_CBC_SHA:!ECDHE_RSA_WITH_AES_256_CBC_SHA:!DHE_RSA_WITH_AES_128_CBC_SHA256:!DHE_RSA_WITH_AES_128_CBC_SHA:!DHE_RSA_WITH_AES_256_CBC_SHA256:!DHE_RSA_WITH_AES_256_CBC_SHA:!RSA_WITH_AES_128_GCM_SHA256:!RSA_WITH_AES_256_GCM_SHA384:!RSA_WITH_AES_128_CBC_SHA256:!RSA_WITH_AES_256_CBC_SHA256:!RSA_WITH_AES_128_CBC_SHA:!RSA_WITH_AES_256_CBC_SHA 

    #SSLCipherSuite

EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 

    SSLCipherSuite

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 

    # SSL server cipher order preference:
    # Use server priorities for cipher algorithm choice.
    # Clients may prefer lower grade encryption.  You should enable this
    # option if you want to enforce stronger encryption, and can afford

    # the CPU cost, and did not override SSLCipherSuite in a way that 

puts

    # insecure ciphers first.
    # Default: Off
    SSLHonorCipherOrder on

    #   The protocols to enable.
    #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
    #   SSL v2  is no longer supported
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2

    #   Allow insecure renegotiation with clients which do not yet 

support

the
    #   secure renegotiation protocol. Default: Off
    #SSLInsecureRenegotiation on

    #   Whether to forbid non-SNI clients to access name based virtual
hosts.
    #   Default: Off
    #SSLStrictSNIVHostCheck On

    SSLCompression off

</IfModule>

As you can see I have tried several SSLCipherSuite options, but I cannot
remove those weak ciphers from my report (thereby failing my pentest).
It seems to me that the -TLSv1.2 is being ignored possibly?
I'm at a loss, so would appreciate some advice on how to configure this
please?

Thanks, Paul

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

Without examining all the ciphers you list in SSLCipherSuite, just 

taking a step back at:

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
which disables TLSv1.2 protocol.

You state your SSL Labs report indicates:
TLS 1.2     Yes

So something doesn't seem right there.
Did you restart your apache server after the SSL config changes?

Do you perhaps have a WAF/reverse proxy sitting in front of your apache 

server that also needs to be configured?

Jim

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx