Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 728066

Summary: www-servers/apache: upgrade TLS protocols in 00_default_ssl_vhost.conf
Product: Gentoo Linux Reporter: Tomáš Mózes <hydrapolic>
Component: Current packagesAssignee: Apache Team - Bugzilla Reports <apache-bugs>
Status: CONFIRMED ---    
Severity: normal CC: apache-bugs, sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Tomáš Mózes 2020-06-12 13:35:43 UTC 
Please consider upgrading the default SSL vhost to Mozilla intermediate (TLS 1.2+):

--- 00_default_ssl_vhost.conf.virgin    2020-01-16 12:23:58.640846438 +0000
+++ 00_default_ssl_vhost.conf   2020-06-12 13:30:46.388679295 +0000
@@ -24,19 +24,19 @@
        ## SSLProtocol:
        # Don't use SSLv2 anymore as it's considered to be broken security-wise.
        # Also disable SSLv3 as most modern browsers are capable of TLS.
-       SSLProtocol ALL -SSLv2 -SSLv3
+       SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
 
        ## SSL Cipher Suite:
        # List the ciphers that the client is permitted to negotiate.
        # See the mod_ssl documentation for a complete list.
        # This list of ciphers is recommended by mozilla and was stripped off
        # its RC4 ciphers. (bug #506924)
-       SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:
DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
+       SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 
        ## SSLHonorCipherOrder:
        # Prefer the server's cipher preference order as the client may have a
        # weak default order.
-       SSLHonorCipherOrder On
+       SSLHonorCipherOrder Off
 
        ## Server Certificate:
        # Point SSLCertificateFile at a PEM encoded certificate. If the certificate
Comment 1 Tomáš Mózes 2021-08-12 20:52:31 UTC 
Ping
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2021-08-12 21:03:03 UTC 
(In reply to Tomáš Mózes from comment #0)
>         ## SSLHonorCipherOrder:
>         # Prefer the server's cipher preference order as the client may have
> a
>         # weak default order.
> -       SSLHonorCipherOrder On
> +       SSLHonorCipherOrder Off
>  
>         ## Server Certificate:
>         # Point SSLCertificateFile at a PEM encoded certificate. If the
> certificate

Why do you flip this one?
Comment 3 Tomáš Mózes 2021-08-12 22:49:20 UTC 
(In reply to Lars Wendler (Polynomial-C) from comment #2)
> (In reply to Tomáš Mózes from comment #0)
> >         ## SSLHonorCipherOrder:
> >         # Prefer the server's cipher preference order as the client may have
> > a
> >         # weak default order.
> > -       SSLHonorCipherOrder On
> > +       SSLHonorCipherOrder Off
> >  
> >         ## Server Certificate:
> >         # Point SSLCertificateFile at a PEM encoded certificate. If the
> > certificate
> 
> Why do you flip this one?

By default it's disabled https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslhonorcipherorder

And also here https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&hsts=false&ocsp=false&guideline=5.6

Seems like it's only enabled for "old" mozilla ssl profile (not for intermediate nor modern).
Comment 4 Hans de Graaff gentoo-dev Security 2021-08-13 07:08:20 UTC 
It is better to let the client choose the cipher based on its capabilities, for example because the client doesn't have AES hardware capabilities and CHACHA20 may be a better choice.

This should only be done when all ciphers are considered strong enough, but that is the case with this patch.

I'm wondering if we should keep the DHE-* ciphers at all. They don't add any additional value (since the ECDHE-* ciphers will be used in most cases) and the DH part is beginning to be suspect and starting to pop up in reports now.
Comment 5 Tomáš Mózes 2021-08-14 07:40:09 UTC 
Our default configuration matches mozilla-old configuration suggestions, if there is no strong reason we should upgrade to something more up to date. I believe mozilla's intermediate level is a good start.