Security/Server Side TLS: Difference between revisions

Jump to navigation Jump to search

Security/Server Side TLS (view source)

Revision as of 21:37, 14 October 2013

104 bytes added ,  14 October 2013
no edit summary
No edit summary
No edit summary
Line 127: Line 127:


# ECDHE+AESGCM ciphers are selected first. These are TLS 1.2 ciphers and not widely supported at the moment. No known attack currently target these ciphers.
# ECDHE+AESGCM ciphers are selected first. These are TLS 1.2 ciphers and not widely supported at the moment. No known attack currently target these ciphers.
# PFS ciphersuites are preferred, with ECDHE first, then DHE.
# [[#Forward_Secrecy|PFS]] ciphersuites are preferred, with ECDHE first, then DHE.
# AES 128 is preferred to AES 256. There has been [[http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg11247.html discussions]] on whether AES256 extra security was worth the cost, and the result is far from obvious. At the moment, AES128 is preferred, because it provides good security, is really fast, and seems to be more resistant to timing attacks.
# AES 128 is preferred to AES 256. There has been [[http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg11247.html discussions]] on whether AES256 extra security was worth the cost, and the result is far from obvious. At the moment, AES128 is preferred, because it provides good security, is really fast, and seems to be more resistant to timing attacks.
# AES is preferred to RC4. [[#Attacks_on_TLS|BEAST]] attacks on AES are mitigated in TLS 1.1 and above, and difficult to achieve in TLS 1.0. In comparison, attacks on RC4 are not mitigated and likely to become more and more dangerous.
# AES is preferred to RC4. [[#Attacks_on_TLS|BEAST]] attacks on AES are mitigated in TLS 1.1 and above, and difficult to achieve in TLS 1.0. In comparison, attacks on RC4 are not mitigated and likely to become more and more dangerous.
Line 190: Line 190:


= Recommended Server Configurations =
= Recommended Server Configurations =
== Nginx ==
Nginx provides the best TLs support at the moment. It is the only daemon that provides OCSP Stapling, custom DH parameters, and the full flavor of TLS versions (from OpenSSL).
The detail of each configuration parameter is explained at the end of this document.
<pre>
server {
    listen 443;
    ssl on;
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /path/to/dhparam.pem;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers '<recommended ciphersuite from top of this page>';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:NginxCache123:50m;
    # Enable this if your want HSTS (recommended, but be careful)
    # add_header Strict-Transport-Security max-age=15768000;
    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
    resolver <IP DNS resolver>;
    ....
}
</pre>
== Apache ==
In Apache 2.4.6, the DH parameter is always set to 1024 bits and is not user configurable. Future versions of Apache will automatically select a better value for the DH parameter.
The configuration below is recommended, it enabled OCSP stapling.
<pre>
<VirtualHost *:443>
    ...
    SSLEngine on
    SSLCertificateFile      /path/to/signed_certificate
    SSLCertificateChainFile /path/to/intermediate_certificate
    SSLCertificateKeyFile  /path/to/private/key
    SSLCACertificateFile    /path/to/all_ca_certs
    SSLProtocol            all -SSLv2 -SSLv3
    SSLCipherSuite          <recommended ciphersuite from top of this page>
    SSLHonorCipherOrder    on
    SSLCompression          off
    SSLUseStapling          on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache        shmcb:/var/run/ocsp(128000)
    # Enable this if your want HSTS (recommended, but be careful)
    # Header add Strict-Transport-Security "max-age=15768000"
    ...
</VirtualHost>
</pre>
== Haproxy ==
SSL support in Haproxy is still Beta and shouldn't be used to terminate production SSL traffic.
Haproxy lacks support for OCSP Stapling. All other features are available, including custom dhparams.
<pre>
frontend ft_test
  mode    http
  bind    0.0.0.0:443 ssl crt /path/to/<cert+privkey+intermediate+dhparam> ciphers <recommended_ciphersuite>
  # Enable this if your want HSTS (recommended, but be careful)
  # rspadd  Strict-Transport-Security:\ max-age=15768000
</pre>
== Stud ==
Stud is a lightweight SSL termination proxy. It's basically a wrapper for OpenSSL. Stud is not being heavily developed, and features such as OCSP stapling are missing. But it is very lightweight and efficient, and with a recent openssl, supports all the TLS 1.2 ciphers.
<pre>
# SSL x509 certificate file. REQUIRED.
# List multiple certs to use SNI. Certs are used in the order they
# are listed; the last cert listed will be used if none of the others match
#
# type: string
pem-file = "<concatenate cert + privkey + dhparam>"
# SSL protocol.
#
tls = on
ssl = on
# List of allowed SSL ciphers.
#
# Run openssl ciphers for list of available ciphers.
# type: string
ciphers = "<recommended ciphersuite from top of this page>"
# Enforce server cipher list order
#
# type: boolean
prefer-server-ciphers = on
</pre>
== Zeus (Riverbed Stingray) ==
== Zeus (Riverbed Stingray) ==
Zeus lacks support for TLS1.2, Elliptic Curves, AES-GCM and OCSP Stapling.
Zeus lacks support for TLS1.2, Elliptic Curves, AES-GCM and OCSP Stapling.
Line 274: Line 381:
     Push Encryption Trigger: Always
     Push Encryption Trigger: Always
     Send Close-Notify: YES
     Send Close-Notify: YES
</pre>
== Apache ==
In Apache 2.4.6, the DH parameter is always set to 1024 bits and is not user configurable. Future versions of Apache will automatically select a better value for the DH parameter.
The configuration below is recommended, it enabled OCSP stapling.
<pre>
<VirtualHost *:443>
    ...
    SSLEngine on
    SSLCertificateFile      /path/to/signed_certificate
    SSLCertificateChainFile /path/to/intermediate_certificate
    SSLCertificateKeyFile  /path/to/private/key
    SSLCACertificateFile    /path/to/all_ca_certs
    SSLProtocol            all -SSLv2 -SSLv3
    SSLCipherSuite          <recommended ciphersuite from top of this page>
    SSLHonorCipherOrder    on
    SSLCompression          off
    SSLUseStapling          on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache        shmcb:/var/run/ocsp(128000)
    # Enable this if your want HSTS (recommended, but be careful)
    # Header add Strict-Transport-Security "max-age=15768000"
    ...
</VirtualHost>
</pre>
== Nginx ==
Nginx provides the best TLs support at the moment. It is the only daemon that provides OCSP Stapling, custom DH parameters, and the full flavor of TLS versions (from OpenSSL).
The detail of each configuration parameter is explained at the end of this document.
<pre>
server {
    listen 443;
    ssl on;
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /path/to/dhparam.pem;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers '<recommended ciphersuite from top of this page>';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:NginxCache123:50m;
    # Enable this if your want HSTS (recommended, but be careful)
    # add_header Strict-Transport-Security max-age=15768000;
    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
    resolver <IP DNS resolver>;
    ....
}
</pre>
== Haproxy ==
SSL support in Haproxy is still Beta and shouldn't be used to terminate production SSL traffic.
<pre>
frontend ft_test
  mode    http
  bind    0.0.0.0:443 ssl crt /etc/ssl/private/<concat cert + privkey> ciphers <recommended ciphersuite from top of this page>
  # Enable this if your want HSTS (recommended, but be careful)
  # rspadd  Strict-Transport-Security:\ max-age=15768000
</pre>
== Stud ==
Stud is a lightweight SSL termination proxy. It's basically a wrapper for OpenSSL. Stud is not being heavily developed, and features such as OCSP stapling are missing. But it is very lightweight and efficient, and with a recent openssl, supports all the TLS1.2 ciphersuites.
<pre>
# SSL x509 certificate file. REQUIRED.
# List multiple certs to use SNI. Certs are used in the order they
# are listed; the last cert listed will be used if none of the others match
#
# type: string
pem-file = "<concatenate cert + privkey + dhparam>"
# SSL protocol.
#
tls = on
ssl = on
# List of allowed SSL ciphers.
#
# Run openssl ciphers for list of available ciphers.
# type: string
ciphers = "<recommended ciphersuite from top of this page>"
# Enforce server cipher list order
#
# type: boolean
prefer-server-ciphers = on
</pre>
</pre>


Ulfr
Confirmed users
529

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/728818"

Navigation menu