June 2, 2015: Weak Diffie-Hellman LogJam Fix for Ubuntu 12.04 LTS

Run the commands below to patch Apache for the LogJam vulnerability. The latest updates bring ECDH to Ubuntu 12.04 LTS running Apache 2.2.x. Also, the 2048-bit group for Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) is now supported.

$ sudo aptitude update
$ sudo aptitude upgrade

The Back Story: 1024-bit Diffie-Hellman (DH) Primes

On May 20, 2015, the University of Michigan published a whitepaper stating that cipher suites using 1024-bit DH primes may be susceptible to passive eavesdropping by an attacker with nation-state resources. [1]

Heads-up: there are several references in this post to “WeakDH.org.” That site is maintained by the University of Michigan College of Engineering.

Test your SSL install for weaknesses via Qualys’ SSL tester: https://www.ssllabs.com/ssltest. Aim for a minimum score of “A”. To patch up your SSL install, edit your ssl.conf file using nano:

$ sudo nano /etc/apache2/mods-available/ssl.conf

Scroll down and edit to match the below:

# Cipher suite from https://weakdh.org/sysadmin.html#apache
SSLProtocol         ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite      ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLCompression      Off

Here’s a quick explanation of what we’re doing and why:

  1. Permit all installed SSL protocols, then disable SSLv2 (FUBAR exploit) and SSLv3 (POODLE exploit).
  2. Honor the ciphers listed next in the order they are given, i.e., the server's preference order wins over the client's.
  3. Declare the chain of ciphers to use and exclude. We used the Apache suite from weakdh.org/sysadmin.html#apache.
  4. “!” permanently removes the named ciphers from the list, so no later entry can re-add them. See Remy van Elst’s or Hynek’s blog for explanations.
  5. NOTE: TLS compression is off by default in all Apache 2.2.x versions (and later) running on Ubuntu (to block the CRIME exploit). Upshot: SSLCompression Off is not needed if you’re using Ubuntu.
  6. Optional but useful sundries:
    • Confirm your version of Apache with
      $ apache2 -v
    • Confirm your version of OpenSSL with
      $ openssl version -a
      Be aware that versions of OpenSSL built before April 7, 2014 are vulnerable to the Heartbleed exploit
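To make item 4 concrete, here is a small Python resolver (added here; not code from the post or from weakdh.org) that applies OpenSSL's cipher-string operators to a hand-constructed catalogue of a few ciphers and the aliases they belong to. The catalogue is illustrative and is not OpenSSL's real cipher table, and the resolver ignores special entries such as ALL, DEFAULT and @STRENGTH.

```python
# Constructed catalogue for the toy resolver: cipher name -> aliases it belongs to.
# This is a hand-picked subset, NOT OpenSSL's real cipher table.
CATALOGUE = {
    "ECDHE-RSA-AES128-GCM-SHA256": {"ECDHE", "aRSA", "AESGCM", "AES", "SHA256", "HIGH"},
    "DHE-RSA-AES128-GCM-SHA256": {"EDH", "kEDH", "aRSA", "AESGCM", "AES", "SHA256", "HIGH"},
    "DHE-RSA-AES128-SHA": {"EDH", "kEDH", "aRSA", "AES", "SHA1", "HIGH"},
    "AES128-SHA": {"kRSA", "aRSA", "AES", "SHA1", "HIGH"},
    "DES-CBC3-SHA": {"kRSA", "aRSA", "3DES", "SHA1", "MEDIUM"},
    "EXP-RC4-MD5": {"kRSA", "aRSA", "RC4", "MD5", "EXPORT", "LOW"},
    "AECDH-AES128-SHA": {"ECDH", "aNULL", "aECDH", "AES", "SHA1", "HIGH"},
    "ECDHE-RSA-NULL-SHA": {"ECDHE", "aRSA", "eNULL", "SHA1"},
}


def matches(token, name):
    """A token selects a cipher by exact name or by alias; 'A+B' requires every alias."""
    if token == name:
        return True
    return all(part in CATALOGUE[name] for part in token.split("+"))


def resolve(cipher_string):
    """Return the enabled ciphers, in preference order, for an OpenSSL-style cipher string.

    Operators follow the ciphers(1) rules: a bare entry appends ciphers not yet listed,
    '-' deletes them but a later entry may re-add them, '!' deletes them permanently so
    nothing later can re-add them, and '+' moves the matching ciphers to the end.
    """
    enabled, killed = [], set()
    for token in filter(None, cipher_string.split(":")):
        op, body = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = [n for n in CATALOGUE if matches(body, n)]
        if op == "!":
            killed.update(hits)
            enabled = [n for n in enabled if n not in killed]
        elif op == "-":
            enabled = [n for n in enabled if n not in hits]
        elif op == "+":
            enabled = [n for n in enabled if n not in hits] + [n for n in enabled if n in hits]
        else:
            enabled += [n for n in hits if n not in enabled and n not in killed]
    return enabled


def minus_versus_bang():
    """Why the weakdh list uses '!': '-RC4' lets a later kRSA alias bring RC4 back, '!RC4' does not."""
    return resolve("ECDHE:-RC4:kRSA"), resolve("ECDHE:!RC4:kRSA")


if __name__ == "__main__":
    print(resolve("ECDHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:AES:!aNULL:!eNULL:!EXPORT:!RC4:!MD5"))
    print(*minus_versus_bang(), sep="\n")
```

Against the real table, the same check is `openssl ciphers -v '<your SSLCipherSuite string>'`, which should list no anonymous, NULL, EXPORT, RC4 or MD5 suites.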

HSTS (HTTP Strict Transport Security) is always-on HTTPS. This tutorial on IT igloo sums up how to configure HSTS on Apache and Nginx. However, be sure to append the preload directive to both the Apache and Nginx versions.

What Does Preload Do?

The OWASP Wiki on HSTS provides the answer:
The `preload` flag indicates the site owner’s consent to have their domain preloaded. The site owner still needs to then go and submit the domain to the [HSTS preload list maintained by Chrome (and used by Firefox and Safari)].

Preloading for Apache:
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"

Preloading for Nginx:
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

Go to SSLlabs and test your certificate install. Aim for an A+.