Proposed for backport on both 2.2 and 2.4 branches.

On Thu, May 14, 2015 at 1:44 PM, <wr...@apache.org> wrote:

> Author: wrowe
> Date: Thu May 14 18:44:52 2015
> New Revision: 1679428
>
> URL: http://svn.apache.org/r1679428
> Log:
> Conform to RFC 7525, with additional suggestion to drop RSA Kx ciphers
>
> Modified:
>     httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
>
> Modified: httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in?rev=1679428&r1=1679427&r2=1679428&view=diff
>
> ==============================================================================
> --- httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in (original)
> +++ httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in Thu May 14
> 18:44:52 2015
> @@ -43,22 +43,39 @@ Listen @@SSLPort@@
>  ##
>
>  #   SSL Cipher Suite:
> -#   List the ciphers that the client is permitted to negotiate.
> -#   See the mod_ssl documentation for a complete list.
> -SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
> +#   List the ciphers that the client is permitted to negotiate,
> +#   and that httpd will negotiate as the client of a proxied server.
> +#   See the OpenSSL documentation for a complete list of ciphers, and
> +#   ensure these follow appropriate best practices for this deployment.
> +SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
> +SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
>
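
Review bot: The new "SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4" line drops the "!aNULL" exclusion that the removed line carried, and the new SSLProxyCipherSuite line omits it as well. Nothing in the new comment says where anonymous suites are excluded instead. Either keep "!aNULL" in both directives or add a comment line stating what makes it redundant, so the shipped default does not depend on behaviour the file never mentions.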

Here we simply drop RC4 as mentioned in RFC7525 (a MUST NOT), and extend
the default list out to the proxy client behavior.

The defaults for httpd-2.2 rely on ylavic's proposed 'mod_ssl: Improve
handling of ephemeral DH and ECDH keys'... backport which addresses eNULL,
aNULL and EXP in an unambiguous way.

-#   Speed-optimized SSL Cipher configuration:
> -#   If speed is your main concern (on busy HTTPS servers e.g.),
> -#   you might want to force clients to specific, performance
> -#   optimized ciphers. In this case, prepend those ciphers
> -#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
> -#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
> -#   (as in the example below), most connections will no longer
> -#   have perfect forward secrecy - if the server's key is
> -#   compromised, captures of past or future traffic must be
> -#   considered compromised, too.
> -#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
> -#SSLHonorCipherOrder on
>

This is, as we discussed, simply eliminating the speed-optimized
suggestions; let the user look elsewhere for [frequently updated] guidance.


> +#  By the end of 2016, only TLSv1.2 ciphers should remain in use.
> +#  Older ciphers should be disallowed as soon as possible, while the
> +#  kRSA ciphers do not offer forward secrecy.  These changes inhibit
> +#  older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy
> +#  non-browser tooling) from successfully connecting.
> +#
> +#  To restrict mod_ssl to use only TLSv1.2 ciphers, and disable
> +#  those protocols which do not support forward secrecy, replace
> +#  the SSLCipherSuite and SSLProxyCipherSuite directives above with
> +#  the following two directives, as soon as practical.
> +# SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
> +# SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
>
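
Review bot: In the comment above the two commented-out directives, "disable those protocols which do not support forward secrecy" describes "!kRSA", which removes a key-exchange method rather than a protocol. "!SSLv3" in a cipher string likewise removes cipher suites, not a protocol version. Suggest wording such as "disable those key exchanges which do not provide forward secrecy" and leaving protocol versions to the SSLProtocol comment. The sentence "Older ciphers should be disallowed as soon as possible, while the kRSA ciphers do not offer forward secrecy" also joins two separate points with "while" and would read better as two sentences.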

I used the !SSLv3 logic rather than explicitly calling out TLSv1.2 so we
enjoy a better transition to TLSv1.3+.

Since the proposal to suggest !kRSA is new, it deserves a brief word of
explanation.  RSA cipher negotiation remains valid.  But signed RSA
certificates must be exchanged using the ECDHE or ECDH in order to provide
forward secrecy.  This was proposed by Mark Thomas after evaluating how the
Qualys SSL test behaved, resulting in upgrading from an A- to an A (where
he enabled only HIGH grade ciphers and omitted MEDIUM).  It is interesting
that this wasn't part of their Dec '14 v1.4 guidance whitepaper, but I'm
sure it will be clarified in future revisions.  Only IE8 on XP is called
out as requiring Kx=RSA with TLSv1.2 by default.

In httpd-2.2, we may also wish to explicitly disable SSLv2 - notably for
3DES ciphers, but at the moment this is accomplished with !EXP:!kRSA (and
by not including LOW grade ciphers).  Just thinking that if the user
enables kRSA they also may inadvertently re-allow 3DES which has only 112
effective bits of key strength, not the 168 claimed.

+#   User agents such as web browsers are not configured for the user's
> +#   own preference of either security or performance, therefore this
> +#   must be the prerogative of the web server administrator who manages
> +#   cpu load versus confidentiality, so enforce the server's cipher order.
> +SSLHonorCipherOrder on
>
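
Review bot: "SSLHonorCipherOrder on" enforces the order of the SSLCipherSuite list, but the default list in this file is built from the class keywords "HIGH:MEDIUM", so the order being enforced is whatever the linked OpenSSL sorts those classes into, not one the administrator chose. The comment should say so, or say where an explicit ordering would be written. Minor: "cpu" should be "CPU".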

This also relies on guidance from RFC7525.


> +#   SSL Protocol support:
> +#   List the protocol versions which clients are allowed to connect with.
> +#   Disable SSLv3 by default (cf. RFC 7525 3.1.1).  TLSv1 (1.0) should be
> +#   disabled as quickly as practical.  By the end of 2016, only the
> TLSv1.2
> +#   protocol or later should remain in use.
> +SSLProtocol all -SSLv3
> +SSLProxyProtocol all -SSLv3
>
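
Review bot: The comment says TLSv1 (1.0) should be disabled as quickly as practical and that only TLSv1.2 or later should remain by the end of 2016, but the hunk gives no directive for either step, unlike the cipher section, which ships a commented-out stricter alternative. Suggest adding commented-out lines such as "# SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1" and the matching "# SSLProxyProtocol" line so the recommended end state can be copied rather than derived.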

The httpd 2.2 proposal already committed drops SSLv2 as well.

I am all on board to now start ripping SSLv3 protocol and default
to only TLSv1.2 ciphers, on trunk, once this config backport has been
reviewed and committed.
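
An added example, not part of the original message or the httpd commit: a Python sketch that expands the two cipher strings from the patch with the local OpenSSL and reports suites that lack forward secrecy or use RC4/3DES. The function names and the sample records are constructed for illustration, and the live results depend on the OpenSSL build Python is linked against.

```python
import ssl

# Key exchanges that give forward secrecy. "kx-any" is OpenSSL's label for
# TLS 1.3 suites, which always use an ephemeral exchange.
FS_KEA = {"kx-ecdhe", "kx-dhe", "kx-any", "kx-ecdhe-psk", "kx-dhe-psk"}
WEAK_SYM = {"rc4", "des-ede3-cbc"}  # RC4 and 3DES, both discussed in the thread

def expand(cipher_string):
    """Return the suites the local OpenSSL enables for a cipher string.
    TLS 1.3 suites are listed regardless; set_ciphers() does not control them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()

def audit(ciphers):
    """Split suite records (dicts as returned by get_ciphers()) into findings.
    A record with an unknown or missing key exchange is reported, not trusted."""
    report = {"no_fs": [], "weak": []}
    for c in ciphers:
        if c.get("kea") not in FS_KEA:
            report["no_fs"].append(c["name"])
        if c.get("symmetric") in WEAK_SYM:
            report["weak"].append(c["name"])
    return report

# Constructed records in get_ciphers() shape, so audit() can be checked offline.
SAMPLE = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "kea": "kx-ecdhe", "symmetric": "aes-256-gcm"},
    {"name": "AES256-GCM-SHA384", "kea": "kx-rsa", "symmetric": "aes-256-gcm"},
    {"name": "RC4-SHA", "kea": "kx-rsa", "symmetric": "rc4"},
    {"name": "ECDHE-RSA-DES-CBC3-SHA", "kea": "kx-ecdhe", "symmetric": "des-ede3-cbc"},
    {"name": "TLS_AES_128_GCM_SHA256", "kea": "kx-any", "symmetric": "aes-128-gcm"},
]

if __name__ == "__main__":
    # The default and the stricter cipher strings from the patch.
    for s in ("HIGH:MEDIUM:!MD5:!RC4", "HIGH:MEDIUM:!SSLv3:!kRSA"):
        r = audit(expand(s))
        print(f"{s}: {len(r['no_fs'])} without forward secrecy, "
              f"{len(r['weak'])} using RC4/3DES")
```

Running it before and after editing SSLCipherSuite shows which suites a change actually removes on that host, which is the check the "!kRSA" discussion above calls for.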
