Join Log in
Score:0
Rever_2019 avatar Server

Remove old Cipher Suites

sx flag
Rever_2019

I manage some websites and one of them got a poor security rating (from sec scorecard). I have a managed server, so I asked the IT guys to help, but also would like to understand this issue a little more.

The problem is, there are old TLS1.0 and TLS1.1 Cipher Suites, like:

TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_3DES_EDE_CBC_SHA

My first thought, these must be located in the OpenSSL config files. But after some tutorials, I guess it refers to the Apache config. The httpd.conf (and virtual hosts) don't have cipher suites set explicitly. But the included httpd-ssl.conf has something.

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
 SSLCipherSuite  ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:!LOW:!MEDIUM:!3DES:!aNULL:!eNULL:!ADH:!DSS!EXP:!MD5:!PSK:!RC4:!SRP

What I dont understand currently: Is this the right place? Perhaps not or why does this read differently.

I read on ciphersuite.info the first ones above are IANA names (?) and there are OpenSSL names. But what is ECDH+AESGCM for example?

Could need some guidance on where to look next. Don't want copy & paste infos, but understand a little more on this topic. However, I am not the security or main IT guy, so I prefer not to read a 300 page book :-/

415
1 + 3
ssl
Rever_2019 avatar
sx flag
Rever_2019
Thanks. But as I understand "TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)" is also called a cipher suite. Right? Why does this not match with anything in my ssl-conf?
0
Reply
StackzOfZtuff avatar
us flag
StackzOfZtuff
Try Mozilla SSL Configuration Generator. It's a good place to get started: https://ssl-config.mozilla.org/
0
Reply
Score:1
Ja1024 avatar Server
pt flag
Ja1024

The SSLCipherSuite is the right directive for setting the cryptographic algorithms which should be used. In TLS 1.2, you're expected to set a combination of four algorithms (called a cipher suite):

  • A key exchange algorithm which is used to set up a shared secret between client and server. From the secret, both parties can then derive a key for symmetric encryption.
  • A signature algorithm for key exchange.
  • A symmetric-key algorithm to actually encrypt and decrypt the data which should be transmitted.
  • A hash algorithm which is used to ensure the integrity of messages (through a message authentication code) or construct a cryptographically secure pseudorandom number generator.

Each cipher suite has a unique identifier registered through the IANA and starting with TLS_. For example, there's TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 which stands for:

  • The key exchange algorithm is DHE, i. e. Diffie-Hellman key exchange with ephemeral keys.
  • The signature algorithm is RSA.
  • The symmetric cryptography algorithm is AES with 128 bit keys in GCM mode.
  • The hash algorithm is SHA-256.

OpenSSL as a provider of a concrete TLS implementation lets you choose IANA cipher suites through a custom format called “cipher list”. This format supports complex selection rules like ECDH+AESGCM which stands for all cipher suites containing both the algorithms ECDH (for key exchange) and AESGCM (for symmetric encryption). You can check the exact cipher suites you get with the command openssl ciphers "ECDH+AESGCM". In my case, the list includes, for example, the cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (or as OpenSSL calls it, ECDHE-ECDSA-AES128-GCM-SHA256).

The string ECDH+AESGCM itself is not a cipher suite. It's an OpenSSL-specific selection rule for cipher suites.

In practice, I would use a concrete list of secure cipher suites, e. g. the recommendations from Mozilla. With the OpenSSL selection rules, there's a risk you include cipher suites you didn't actually intend (even though you can always check the result with the openssl ciphers command mentioned above).

+ 1
Rever_2019 avatar
sx flag
Rever_2019
Thanks, your answer makes this more clear now. The cipher list link was useful! First half part I knew (kind of) but never reached the depth to get to how OpenSSL works. I am a Web Designer, not a security expert :-D
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.