[BlueOnyx:21857] Re: new SSLCipherSuite

Michael Stauber mstauber at blueonyx.it
Wed Mar 14 19:13:23 -05 2018


Hi all,

I'm now publishing updated base-admserv and base-apache RPMs for 5207R,
5208R and 5209R.

These introduce stronger 'SSLCipherSuite' for HTTPS connections, which
remove the weaker Diffie-Hellman ciphers.

The new 'SSLCipherSuite' is this:

SSLCipherSuite AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH:!aNULL:!eNULL:!NULL:!EXPORT:!IDEA:!3DES:!DES:!MD5:!PSK:!RC4:@STRENGTH

I briefly contemplated throwing out AES128 support as well (we're using
and preferring AES256), but I left it in for now. The 'SSLCipherSuite'
without AES128 would have looked this way:

SSLCipherSuite AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!NULL:!EXPORT:!IDEA:!3DES:!DES:!MD5:!PSK:!RC4:!AES128:@STRENGTH

According to SSLlabs this gives us the following cipher suites for
TLSv1.2 and TLSv1.1 in the following preferred order:

# TLS 1.2
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1 FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA    ECDH secp256r1 FS 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384   DH 4096 bits   FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256   DH 4096 bits   FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA      DH 4096 bits   FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH secp256r1 FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA    ECDH secp256r1 FS 128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256   DH 4096 bits   FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256   DH 4096 bits   FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA      DH 4096 bits   FS 128

# TLS 1.1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA    ECDH secp256r1 FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA      DH 4096 bits   FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA    ECDH secp256r1 FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA      DH 4096 bits   FS 128

Means: If the browser supports the topmost cipher, it'll use it. If not,
it picks the topmost one from the list that it supports.

We retain the solid "A" rating with HSTS off and get an "A+" if HSTS is
turned on. Removing the AES128 ciphers had no real measurable impact on
the rating.

PLEASE NOTE:
=============

This update will not update the 'SSLCipherSuite' settings for existing
Vsites. If you want to have them updated, you can run this script as "root":

/usr/sausalito/sbin/SSL_fixer.pl

It will toggle SSL off and on for all SSL enabled Vsites, forcing the
GUI to write out the new configuration. I decided against letting the
update do this automatically as this is something that ideally the admin
should do himself when it suits him best.

-- 
With best regards

Michael Stauber
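
Added example, not part of the original post or of BlueOnyx: because existing Vsites keep their old 'SSLCipherSuite' until SSL_fixer.pl is run, this Python check reports which SSL-enabled <VirtualHost> blocks in a config text still differ from the new string. It assumes each Vsite is configured as a <VirtualHost> block; the function name, the sample addresses and hostnames, and the old cipher string are constructed for illustration.

```python
import re

# Cipher string from the announcement above (the variant that keeps AES128).
NEW_SUITE = ("AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH:!aNULL:!eNULL:!NULL:"
             "!EXPORT:!IDEA:!3DES:!DES:!MD5:!PSK:!RC4:@STRENGTH")

def audit_vhosts(conf_text, expected=NEW_SUITE):
    """Map ServerName -> status for each <VirtualHost> block with SSLEngine on."""
    text = re.sub(r"\\\r?\n", "", conf_text)  # join backslash-continued lines
    results, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"<VirtualHost\b", line, re.I):
            block = {"name": "(unnamed)", "ssl": False, "suite": None}
        elif re.match(r"</VirtualHost>", line, re.I):
            if block and block["ssl"]:
                suite = block["suite"]
                # "inherited": no per-vhost directive, the server-wide value applies
                results[block["name"]] = ("inherited" if suite is None else
                                          "current" if suite == expected else "stale")
            block = None
        elif block is not None:
            key, *rest = line.split(None, 1)
            key = key.lower()  # Apache directive names are case-insensitive
            value = rest[0].strip().strip("\"'") if rest else ""
            if key == "servername":
                block["name"] = value
            elif key == "sslengine":
                block["ssl"] = value.lower() == "on"
            elif key == "sslciphersuite":
                block["suite"] = value
    return results

# Constructed sample: addresses, hostnames and the old cipher string are made up.
SAMPLE = """
<VirtualHost 192.0.2.10:443>
  ServerName www.example.com
  SSLEngine on
  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM
</VirtualHost>
<VirtualHost 192.0.2.11:443>
  ServerName shop.example.com
  SSLEngine on
  SSLCipherSuite %s
</VirtualHost>
""" % NEW_SUITE

if __name__ == "__main__":
    print(audit_vhosts(SAMPLE))
```

Vsites reported as "stale" are the ones that still need the SSL off/on toggle described above.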


