SSL Security Enhancements
June 2, 2015: Weak Diffie-Hellman LogJam Fix for Ubuntu 12.04 LTS
Run the commands below to patch Apache for the LogJam vulnerability. The latest updates bring ECDH to Ubuntu 12.04 LTS running Apache 2.2.x. Also, the 2048-bit group for Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) is now supported.
$ sudo aptitude update
$ sudo aptitude upgrade
The Back Story: 1024-bit Diffie Hellman (DH) Primes
On May 20, 2015, the University of Michigan published a whitepaper stating that cipher suites using 1024-bit DH primes may be susceptible to passive eavesdropping by an attacker with nation-state resources.[1]
Heads-up: There are several references in this post to “WeakDH.org.” That site is maintained by the University of Michigan College of Engineering.
1. Identify and Patch Common Vulnerabilities
Test your SSL installation for weaknesses via Qualys’ SSL tester: https://www.ssllabs.com/ssltest. Aim for a minimum score of “A”. To patch up your SSL install, edit your ssl.conf file using nano:
$ nano /etc/apache2/mods-available/ssl.conf
Scroll down and edit to match the below:
#Cipher Suite from https://weakdh.org/sysadmin.html#apache
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLCompression Off
Here’s a quick explanation of what we’re doing and why:
- Permit all installed SSL protocols, then disable SSLv2 (FUBAR exploit) and SSLv3 (POODLE exploit)
- Honor the ciphers listed next in the order they are given (i.e., their fallback sequencing)
- Declare the chain of ciphers to use and exclude. We used the Apache suite from weakdh.org/sysadmin.html#apache
- “!” means do not use as a fallback. See Remy van Elst’s or Hynek’s blog for explanations.
- NOTE: TLS compression is off by default in all Apache 2.2.x versions (and later) running on Ubuntu (to block the CRIME exploit). Upshot: SSLCompression Off is not needed if you’re using Ubuntu
- For non-Ubuntu installs, TLS compression is off by default in Apache 2.2.24 and later, as well as in Apache 2.4.3 and later. The change history is in the Apache bug tracker
- Confirm your version of Apache with
$ apache2 -v
- Confirm your version of OpenSSL with
$ openssl version -a
Be aware that versions of OpenSSL built before April 7, 2014 are vulnerable to the Heartbleed exploit.
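Because the ssl.conf edit above is easy to get subtly wrong (a missing “-SSLv3”, the cipher order left off, an exclusion dropped from a long suite string), a small audit script is a useful companion to the SSL Labs test. The script below is an added example, not code from the original post or from weakdh.org: it reads an Apache config file, pulls out the SSLProtocol, SSLHonorCipherOrder and SSLCipherSuite directives, and reports each way the file falls short of the settings recommended above. The two sample config files it writes are constructed for illustration, and the abridged suite in the “fixed” sample is not the full weakdh.org list.

```shell
#!/bin/sh
# Added example (not from the original post): audit an Apache ssl.conf for the
# settings recommended above. The sample config files written below are
# constructed for illustration.

# Print the value of the first uncommented occurrence of a directive.
# $1 = config file, $2 = directive name (matched case-insensitively)
ssl_directive() {
  grep -i "^[[:space:]]*$2[[:space:]]" "$1" 2>/dev/null \
    | head -n 1 \
    | sed 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//' \
    | tr -d '"'
}

# Audit one config file. Prints a FAIL line per problem and returns the
# number of problems as the exit status (0 means everything checked out).
audit_ssl_conf() {
  conf="$1"
  failures=0

  # SSLProtocol must explicitly remove SSLv2 and SSLv3 (Apache is case-insensitive here).
  proto=$(ssl_directive "$conf" SSLProtocol)
  proto_lc=$(printf '%s' "$proto" | tr 'A-Z' 'a-z')
  for old in sslv2 sslv3; do
    case " $proto_lc " in
      *" -$old "*) ;;
      *) echo "FAIL: SSLProtocol does not disable $old (got: '$proto')"
         failures=$((failures + 1)) ;;
    esac
  done

  # Without SSLHonorCipherOrder On, the client's preference wins, not ours.
  case "$(ssl_directive "$conf" SSLHonorCipherOrder)" in
    [Oo][Nn]) ;;
    *) echo "FAIL: SSLHonorCipherOrder is not On"
       failures=$((failures + 1)) ;;
  esac

  # The suite must carry the "!" exclusions for the families the post rules out.
  suite=$(ssl_directive "$conf" SSLCipherSuite)
  for banned in aNULL eNULL EXPORT RC4 MD5; do
    case ":$suite:" in
      *":!$banned:"*) ;;
      *) echo "FAIL: SSLCipherSuite does not exclude $banned"
         failures=$((failures + 1)) ;;
    esac
  done

  return "$failures"
}

# Constructed sample: a typical pre-LogJam config (SSLv3 still on, no cipher order).
write_weak_conf() {
  cat > "$1" <<'EOF'
<IfModule mod_ssl.c>
    SSLProtocol ALL -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
</IfModule>
EOF
}

# Constructed sample: the shape of the config recommended above (suite abridged).
write_fixed_conf() {
  cat > "$1" <<'EOF'
<IfModule mod_ssl.c>
    # Cipher suite from https://weakdh.org/sysadmin.html#apache (abridged)
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
    SSLCompression Off
</IfModule>
EOF
}

# Usage: sh audit_ssl_conf.sh /etc/apache2/mods-available/ssl.conf
# With no argument, the two constructed samples are audited instead.
if [ "$#" -gt 0 ]; then
  audit_ssl_conf "$1"
else
  tmp=$(mktemp)
  echo "== weak sample =="
  write_weak_conf "$tmp"
  audit_ssl_conf "$tmp" || echo "-> $? problem(s) found"
  echo "== fixed sample =="
  write_fixed_conf "$tmp"
  audit_ssl_conf "$tmp" && echo "-> no problems found"
  rm -f "$tmp"
fi
```

The checks are deliberately literal: they look for the exclusions as written in the post rather than asking OpenSSL to expand the suite, so the script runs on any host with a POSIX shell and needs no access to the server itself. It only validates the file; restart Apache and re-run the SSL Labs test to confirm what the server actually negotiates.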
2. Turn on HTTP Strict Transport Security (HSTS)
HSTS is always-on HTTPS. This tutorial on IT igloo sums up how to configure HSTS on Apache and Nginx. However, be sure to append the preload directive to both the Apache and Nginx versions.
What Does Preload Do? The OWASP Wiki on HSTS provides the answer:
The `preload` flag indicates the site owner’s consent to have their domain preloaded. The site owner still needs to then go and submit the domain to the [HSTS preload list maintained by Chrome (and used by Firefox and Safari)].
Preloading for Apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Preloading for Nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
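Before submitting a domain to the preload list it is worth checking that the header the server actually sends carries all three pieces: a max-age, includeSubDomains and preload. The script below is an added example, not code from the original post, OWASP or the preload list maintainers. It parses a Strict-Transport-Security value the way a browser does (directives separated by semicolons, names case-insensitive, whitespace ignored) and reports what is missing; the one-year minimum for max-age (31536000 seconds, the value used above) is an assumption about the preload submission rules, and the hostname in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): validate a Strict-Transport-Security
# header value against what a preload submission expects. The one-year minimum
# max-age is an assumption about the preload rules; the header values exercised
# at the bottom are constructed.

# Check one header value. Prints a FAIL line per problem and returns the
# number of problems as the exit status (0 means preload-ready).
check_hsts() {
  value="$1"
  max_age=""
  subdomains=0
  preload=0
  failures=0

  # Split on ';' and normalise each directive: strip blanks, lowercase the name.
  old_ifs=$IFS
  IFS=';'
  for directive in $value; do
    directive=$(printf '%s' "$directive" | tr -d ' \t' | tr 'A-Z' 'a-z')
    case "$directive" in
      max-age=*)         max_age=${directive#max-age=} ;;
      includesubdomains) subdomains=1 ;;
      preload)           preload=1 ;;
    esac
  done
  IFS=$old_ifs

  # max-age must be present, numeric and at least one year.
  case "$max_age" in
    ''|*[!0-9]*)
      echo "FAIL: max-age missing or not a number (got '$max_age')"
      failures=$((failures + 1)) ;;
    *)
      if [ "$max_age" -lt 31536000 ]; then
        echo "FAIL: max-age $max_age is below one year (31536000)"
        failures=$((failures + 1))
      fi ;;
  esac
  if [ "$subdomains" -ne 1 ]; then
    echo "FAIL: includeSubDomains is missing"
    failures=$((failures + 1))
  fi
  if [ "$preload" -ne 1 ]; then
    echo "FAIL: preload directive is missing"
    failures=$((failures + 1))
  fi

  return "$failures"
}

# Fetch the live header value from a server (needs network; not exercised offline).
# Prints only the value so it can be handed straight to check_hsts.
hsts_value_of() {
  curl -sI "https://$1/" | tr -d '\r' \
    | grep -i '^strict-transport-security:' | head -n 1 \
    | sed 's/^[^:]*:[[:space:]]*//'
}

# Usage: sh check_hsts.sh www.example.com   (hostname is a placeholder)
# With no argument, two constructed header values are checked instead.
if [ "$#" -gt 0 ]; then
  check_hsts "$(hsts_value_of "$1")"
else
  echo "== header as recommended above =="
  check_hsts "max-age=31536000; includeSubDomains; preload" && echo "-> preload-ready"
  echo "== header without the preload directive =="
  check_hsts "max-age=31536000; includeSubdomains" || echo "-> $? problem(s) found"
fi
```

Run it against the live site after restarting Apache or Nginx; a value that comes back empty usually means the header is only being set inside the TLS virtual host and the request was served by another one, which is also the first thing to check when the preload submission form complains.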
3. Test and Verify
Go to SSLlabs and test your certificate install. Aim for an A+.