More secure SSL CipherSuites

phonon112358 · February 7, 2017, 10:56pm

Continuing the discussion from Letsencrypt certificate produces SSL error:

NethServer Version: v7
Module: ssl

I would propose to change the CipherSuites in /etc/httpd/conf.d/ssl.conf and /etc/httpd/admin-conf/httpd.conf and disabling SSL3 in the former:

SSLProtocol all -SSLv2 -SSLv3

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

This would make the module much more secure against ssl attacks (cf. https://weakdh.org/sysadmin.html).

davidep · February 8, 2017, 8:24am

We had long discussion in the past about httpd(-admin) ciphers. Please search this form for them!

IIRC for httpd we decided to respect the upstream default. However it’s possible for the admin to harden the cipher suite with a couple of commands. About httpd-admin, we can improve the default as we like: your suggestion is very welcome!