Koozali.org: home of the SME Server

Disabling Cipher Suites

unixnut
Disabling Cipher Suites
« on: October 16, 2013, 11:48:06 AM »
Hi,

First post for a looooong time :)

I ran ssllabs.com against one of my SME8beta1 machines and it complained about 3 insecure ciphers.

Cipher Suites (sorted by strength; the server has no preference)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)    128   
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS      128   
TLS_DH_anon_WITH_AES_128_CBC_SHA (0x34)   INSECURE      128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)    168   
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS      168   
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x1b)   INSECURE      168
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)    256   
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS      256   
TLS_DH_anon_WITH_AES_256_CBC_SHA (0x3a)   INSECURE      256

Two questions really:

1. Would it cause major problems to remove support for the three anon ciphers?
2. If not, how would that be achieved please?

Thanks
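The three suites the scan flags are the TLS_DH_anon_* ones: anonymous Diffie-Hellman authenticates neither side, so a client connecting with them has no way to know it reached the real server, which is why ssllabs.com marks them INSECURE. The following is an added example, not code from the thread or from SME Server, that parses a cipher-suite table in the scan's format and separates the anonymous suites (the ones an OpenSSL `!ADH` exclusion removes) from the authenticated ones, so an administrator can see exactly what a cipher-string change would drop before applying it. The sample table is copied from the scan output above; the regex and class names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the cipher-suite table as reported by the ssllabs.com scan
# in the first post (suite name, hex id, optional DH/FS annotations, key bits).
SCAN_TABLE = """\
Cipher Suites (sorted by strength; the server has no preference)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)    128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS      128
TLS_DH_anon_WITH_AES_128_CBC_SHA (0x34)   INSECURE      128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)    168
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS      168
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x1b)   INSECURE      168
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)    256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS      256
TLS_DH_anon_WITH_AES_256_CBC_SHA (0x3a)   INSECURE      256
"""

# One scan line: suite name, "(0xNN)" id, free-form annotations, trailing key size.
LINE_RE = re.compile(r"^(TLS_\w+)\s+\((0x[0-9a-fA-F]+)\)(.*?)(\d+)\s*$")


@dataclass
class Suite:
    name: str
    code: int
    bits: int
    forward_secrecy: bool   # scan marked the suite "FS" (ephemeral DH key exchange)
    anonymous: bool         # DH_anon: no server certificate is ever checked


def parse_scan(text):
    """Parse the scan table into Suite records, skipping the header and blank lines."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, code, annotations, bits = m.groups()
        suites.append(Suite(
            name=name,
            code=int(code, 16),
            bits=int(bits),
            forward_secrecy="FS" in annotations.split(),
            anonymous="_anon_" in name,
        ))
    return suites


def triage(suites):
    """Split offered suites into the anonymous ones to drop and the authenticated
    ones that remain after a '!ADH'-style exclusion."""
    drop = [s for s in suites if s.anonymous]
    keep = [s for s in suites if not s.anonymous]
    return drop, keep


def report(text):
    """Human-readable summary of what the change would remove and what stays."""
    suites = parse_scan(text)
    drop, keep = triage(suites)
    lines = [f"{len(suites)} suites offered, {len(drop)} anonymous (no server auth)"]
    for s in drop:
        lines.append(f"  DROP {s.name} ({s.code:#x}) {s.bits} bits")
    fs = sum(1 for s in keep if s.forward_secrecy)
    lines.append(f"{len(keep)} remain, {fs} with forward secrecy")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SCAN_TABLE))
```

Run against the table from the first post it reports nine suites offered, the three DH_anon suites to drop, and six authenticated suites left, half of them with forward secrecy; re-running the scan after the change should show only those six.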

janet
Re: Disabling Cipher Suites
« Reply #1 on: October 16, 2013, 03:19:27 PM »
unixnut

This information and query are best posted to Bugzilla under the Security category or similar.
A link to bugs is at the top of the Forums.
The devs will assess if indeed there is a security issue & advise accordingly.
It's possible that ssllabs.com is finding false positives.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

mmccarn
Re: Disabling Cipher Suites
« Reply #2 on: October 16, 2013, 03:30:13 PM »
1. Will it cause problems to make changes?
I don't know.

2. How would you change the ciphersuite setting?

On my SME 8 server, it looks like I can change this line in /etc/httpd/conf/httpd.conf:
SSLCipherSuite HIGH:!SSLv2

...and this line in /var/service/qpsmtpd/config/tls_ciphers:
HIGH:!SSLv2

By setting this db variable:
config setprop modSSL CipherSuite 'valid-ciphersuite-string-here'
(note that you can override the 'modSSL' CipherSuite setting for qpsmtpd using config setprop qpsmtpd tlsCipher 'valid-ciphersuite-string-here')

On my sme 8.0 system I get the values below (my CipherSuite may already be customized):
# config show modSSL
modSSL=service
    CipherSuite=HIGH:!SSLv2
    TCPPort=443
    access=public
    status=enabled

More on setting the apache mod_ssl SSLCipherSuite directive can be found here:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite

unixnut
Re: Disabling Cipher Suites
« Reply #3 on: October 17, 2013, 02:34:35 PM »
Apologies janet if I posted in the wrong place.
I wanted to see whether anyone else had found the same before considering it a general issue.

mmccarn, my settings are the same as yours. The check is also repeatable by anyone with a public-facing SME server.

Googling for the anon cipher finds a number of hits and this one shows it as not secure due to no key exchange between client and server.
http://www.techstacks.com/howto/j2se5_ssl_cipher_strength.html

Looks to me that the ssllabs.com failure is not a false positive, so I'd like to remove that cipher option.


wellsi
Re: Disabling Cipher Suites
« Reply #4 on: October 17, 2013, 03:55:18 PM »
Please raise a bug, set the security flag and we can decide the best way to proceed.

Also refer to Bug 7026, which last changed these settings:

= Suggested release notes:
Make CipherSuite secure by default and tls ciphers defaults to disallow SSLv2

There are two DB properties:
modSSL CipherSuite affects BOTH SMTPS & HTTPS, set by default.
qpsmtpd tlsCipher only affects SMTPS, does not exist as a default

unixnut
Re: Disabling Cipher Suites
« Reply #5 on: October 17, 2013, 05:43:28 PM »
Submitted.
Bug 7916
Thanks

mmccarn
Re: Disabling Cipher Suites
« Reply #6 on: October 18, 2013, 01:05:52 PM »
Bug 7916 updated.

unixnut
Re: Disabling Cipher Suites
« Reply #7 on: October 18, 2013, 01:42:28 PM »
Perfect!

Repeated the same on my system

Thanks for looking into it  :P


wellsi
Re: Disabling Cipher Suites
« Reply #8 on: October 22, 2013, 02:56:50 AM »
The latest from the bug is this as the solution:

config setprop modSSL CipherSuite 'HIGH:!SSLv2:!ADH'
signal-event remoteaccess-update


It will take a little longer to release.

Thanks for raising the issue, and creating the bug.