[BlueOnyx:21858] Re: new SSLCipherSuite
Dirk Estenfeld
dirk.estenfeld at blackpoint.de
Fri Mar 16 03:15:52 -05 2018
Hello Michael,
A-rating is back ;)
Thank you for your investigations and the efforts.
Best regards,
Dirk
---
blackpoint GmbH - Friedberger Straße 106b - 61118 Bad Vilbel
-----Original Message-----
From: Blueonyx [mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of Michael Stauber
Sent: Thursday, March 15, 2018 01:13
To: blueonyx at mail.blueonyx.it
Subject: [BlueOnyx:21857] Re: new SSLCipherSuite
Hi all,
I'm now publishing updated base-admserv and base-apache RPMs for 5207R,
5208R and 5209R.
These introduce a stronger 'SSLCipherSuite' for HTTPS connections, which
removes the weaker Diffie-Hellman ciphers.
The new 'SSLCipherSuite' is this:
SSLCipherSuite AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH:!aNULL:!eNULL:!NULL:!EXPORT:!IDEA:!3DES:!DES:!MD5:!PSK:!RC4:@STRENGTH
I briefly contemplated throwing out AES128 support as well (we're using
and preferring AES256), but I left it in for now. The 'SSLCipherSuite'
without AES128 would have looked this way:
SSLCipherSuite AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!NULL:!EXPORT:!IDEA:!3DES:!DES:!MD5:!PSK:!RC4:!AES128:@STRENGTH
According to SSLlabs this gives us the following cipher suites for
TLSv1.2 and TLSv1.2 in the following preferred order:
# TLS 1.2
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1 FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH secp256r1 FS 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DH 4096 bits FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DH 4096 bits FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH 4096 bits FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH secp256r1 FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH secp256r1 FS 128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 DH 4096 bits FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DH 4096 bits FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA DH 4096 bits FS 128
# TLS 1.1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH secp256r1 FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH 4096 bits FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH secp256r1 FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA DH 4096 bits FS 128
Means: If the browser supports the topmost cipher, it'll use it. If not,
it picks the topmost one from the list that it supports.
We retain the solid "A" rating with HSTS off and get an "A+" if HSTS is
turned on. Removing the AES128 ciphers had no real measurable impact on
the rating.
PLEASE NOTE:
=============
This update will not update the 'SSLCipherSuite' settings for existing
Vsites. If you want to have them updated, you can run this script as "root":
/usr/sausalito/sbin/SSL_fixer.pl
It will toggle SSL off and on for all SSL enabled Vsites, forcing the
GUI to write out the new configuration. I decided against letting the
update do this automatically as this is something that ideally the admin
should do himself when it suits him best.
--
With best regards
Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
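
Added example (not part of the original posts and not BlueOnyx code): a local check of the two cipher strings quoted above, expanding them with the OpenSSL that Python is linked against and flagging any suite without forward secrecy or with an excluded algorithm. The helper names and the weak-token list are assumptions made for this example.

```python
import ssl

# Cipher strings copied verbatim from the post.
WITH_AES128 = ("AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH:!aNULL:!eNULL:"
               "!NULL:!EXPORT:!IDEA:!3DES:!DES:!MD5:!PSK:!RC4:@STRENGTH")
AES256_ONLY = ("AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!NULL:!EXPORT:!IDEA:"
               "!3DES:!DES:!MD5:!PSK:!RC4:!AES128:@STRENGTH")

# Name components that must never show up in an accepted suite (chosen for this example).
WEAK_TOKENS = {"RC4", "DES", "CBC3", "IDEA", "MD5", "PSK", "NULL", "EXP", "ADH", "AECDH"}


def expand(cipher_string):
    """Suites the local OpenSSL selects for TLS <= 1.2, in server preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are not controlled by this string, so leave them out.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Return (suite, problem) pairs; an empty list means the string holds up."""
    findings = []
    for c in expand(cipher_string):
        name = c["name"]
        if not name.startswith(("ECDHE-", "DHE-")):
            findings.append((name, "key exchange is not ephemeral (no forward secrecy)"))
        weak = WEAK_TOKENS & set(name.split("-"))
        if weak:
            findings.append((name, "weak component: " + ",".join(sorted(weak))))
    return findings


def key_sizes(cipher_string):
    """Set of symmetric key lengths (bits) reachable through the string."""
    return {c["alg_bits"] for c in expand(cipher_string)}


def strength_ordered(cipher_string):
    """True if @STRENGTH left the list sorted strongest-first."""
    bits = [c["strength_bits"] for c in expand(cipher_string)]
    return bits == sorted(bits, reverse=True)


if __name__ == "__main__":
    for label, s in (("with AES128", WITH_AES128), ("AES256 only", AES256_ONLY)):
        print(label, sorted(key_sizes(s)), audit(s) or "no findings")
        for c in expand(s):
            print("   ", c["protocol"], c["name"])
```

The local expansion can list more suites than the SSL Labs report above (for example ECDSA-authenticated ones), because a scan only shows what the server can negotiate with its installed certificate.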