Package: apache2.2-common
Version: 2.2.9-10+lenny9
Severity: wishlist
Tags: security

The default SSL configuration found on lenny (and - without having checked - I think on squeeze and sid, too) is to use this cipher suite:

  SSLCipherSuite HIGH:MEDIUM:!ADH

Lenny's openssl 0.9.8g-15+lenny11 makes this:

> $ openssl ciphers -v 'HIGH:MEDIUM:!ADH'
> DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
> DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
> AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
> DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
> DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
> AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
> EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
> EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
> DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
> DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
> RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
> RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
> RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
> RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5

This includes SSLv2 ciphers, ciphers with MD5 based MAC, and ciphers are returned in no particular order. While SSLv2 ciphers are factually disabled by a separate mod_ssl directive of

  SSLProtocol all -SSLv2

it would seem nicer to disable it wherever possible to make it clear they are not to be supported.

I recommend using the following cipher suite for mod_ssl on Debian, and would like to suggest that Debian should use this by default in Lenny and later releases:

  SSLCipherSuite HIGH:MEDIUM:!SSLv2:!aNULL:!MD5:@STRENGTH

This results in a much improved cipher list:

> $ openssl ciphers -v 'HIGH:MEDIUM:!SSLv2:!aNULL:!MD5:@STRENGTH'
> DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
> DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
> AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
> EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
> EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
> DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
> DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
> DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
> AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
> RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

At the same time, and this is important when picking a cipher suite, it is somewhat future proof. While an approach of specifically whitelisting or blacklisting ciphers could be better, this would require the server administrator(s) (and/or package maintainer(s)) to continuously keep up to speed by following the latest developments in cryptanalysis. On the contrary, the approach suggested here is universal, disables only what is known to be unsafe, and otherwise relies on the expertise of OpenSSL upstream.

Tests I've run for some months now indicate that the suggested ciphersuite does not shut out common clients.

I also recommend adding this additional statement to ssl.conf:

  # Server, not client, decides on cipher order -> enforce @STRENGTH
  SSLHonorCipherOrder on

Moritz
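
Added example, not part of the original report: a small checker for `openssl ciphers -v` output that flags the three properties the report raises (SSLv2 entries, MD5-based MACs, ordering by key length) plus unauthenticated suites, run here on the default list quoted above. The names `parse` and `audit` are this example's own; key length is taken from the `Enc=` field exactly as openssl prints it.

```python
import re

# Output of `openssl ciphers -v 'HIGH:MEDIUM:!ADH'` as quoted in the report.
DEFAULT_LIST = """\
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
"""

# Accepts an optional "> " mail-quote prefix; "Enc=None" (no key length) also matches.
LINE = re.compile(
    r"^\s*(?:>\s*)?(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)"
    r"\s+Enc=([^(\s]+)(?:\((\d+)\))?\s+Mac=(\S+)")

def parse(text):
    """Return one dict per cipher line, in printed order; other lines are skipped."""
    keys = ("name", "proto", "kx", "au", "enc", "bits", "mac")
    rows = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        row = dict(zip(keys, m.groups()))
        row["bits"] = int(row["bits"] or 0)  # NULL encryption counts as 0 bits
        rows.append(row)
    return rows

def audit(text):
    """Flag SSLv2 entries, MD5 MACs, unauthenticated suites, and unsorted order."""
    rows = parse(text)
    bits = [r["bits"] for r in rows]
    return {
        "sslv2": [r["name"] for r in rows if r["proto"] == "SSLv2"],
        "md5_mac": [r["name"] for r in rows if r["mac"] == "MD5"],
        "anon_auth": [r["name"] for r in rows if r["au"] == "None"],
        "strength_ordered": bits == sorted(bits, reverse=True),
    }

if __name__ == "__main__":
    for key, value in audit(DEFAULT_LIST).items():
        print(f"{key}: {value}")
```

To check a live configuration, feed `audit()` the output of `openssl ciphers -v` for the string in your `SSLCipherSuite` directive instead of the embedded list.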