TLS 1.0 and TLS 1.1 protocols removal

Hi,

Having used NS for over a year, I found that last week it fell over and died - reason unknown! On a daily basis it was successfully defending against typically 2,000+ failed log-ins. Maybe one of these was eventually successful?

Anyway, having reinstalled and tested a new NS, I find this 2-minute test of my NS: https://www.ssllabs.com/ssltest/analyze.html?d=therivermersey.com . Presently, the NS achieves an overall score of “A” - which is VERY good! However, the testing system will down-rate that same set-up to “B” next month purely because NS still supports TLS 1.0 & TLS 1.1 ( https://blog.qualys.com/ssllabs/2018/11/19/grade-change-for-tls-1-0-and-tls-1-1-protocols?_ga=2.85012249.1265987208.1576420553-952891402.1576420553 )

Could the developers consider making available a menu of check-boxes for users to selectively choose which TLS versions are available on their NS installations, please?

With that and a few other “tweaks”, it might be possible to get a NS installation to be rated “A+”!

Many thanks

3 Likes

You’re right, it’s time to update our TLS policy.

However we can do it by following our approach and releasing a new “TLS policy” number. Thus I’d avoid adding UI checkboxes to disable specific protocols.

If we are smart enough we’ll do it for every TLS-based service on NethServer 7.7. Let’s start experimenting.

I moved your post to a new thread, because I’m afraid that TLS policy and PCI compliance are still far from reaching an agreement!

I hope this makes a step forward in that direction though

Hi, many thanks for your reply.

My reason for asking for option boxes on each policy is that it would allow each NS installation to be tailored as needed for TLS.

Some users might need to offer support for TLS 1.0, whereas others might prefer to have a tighter/stricter installation that has TLS 1.0 and 1.1 turned off. As mentioned in my previous post, supporting TLS 1.0 and 1.1 will harm the security rating of any such system from next month onwards.

Ok, we can also split the upgrade in two distinct policies: the first one disables 1.0, the second one (also) 1.1, so that everyone can gradually enforce the new security trends.

To save development and QA times, both will be tested and released together.

What do you think?

1 Like

Hi,

Well, we already have menus for users to select options on, say, Samba and the associated scripts - would it be overly difficult to do something similar as a TLS policy sub-menu?

A radio button could select between your preference (handled fully automatically) and a manual option that would then allow specific selection of the various policies?

The River Mersey

+1 (XMPP too)

https://tls.imirhil.fr/
https://xmpp.net/

1 Like

A drop-down menu would need some extra work to redesign the UI; two options in the drop-down is better.

1 Like
2 Likes

This is the first PR

@danb35 @davidep what do you think

We remove a lot of bad ciphers, if we refer to testssl:

 [root@ns7loc8 testssl.sh]#     ./testssl.sh 127.0.0.1:443

###########################################################
    testssl.sh       3.1dev from https://testssl.sh/dev/
    (e87880e 2020-05-18 14:39:33 -- )

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]
 on ns7loc8:./bin/openssl.Linux.x86_64
 (built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")


 Start 2020-05-19 19:32:28        -->> 127.0.0.1:443 (127.0.0.1) <<--

 rDNS (127.0.0.1):       localhost.nethservertest.org.
 Service detected:       HTTP


 Testing protocols via sockets except NPN+ALPN 

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 TLS 1.3    not offered and downgraded to a weaker protocol
 NPN/SPDY   not offered
 ALPN/HTTP2 not offered

 Testing cipher categories 

 NULL ciphers (no encryption)                      not offered (OK)
 Anonymous NULL Ciphers (no authentication)        not offered (OK)
 Export ciphers (w/o ADH+NULL)                     not offered (OK)
 LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export)      not offered (OK)
 Triple DES Ciphers / IDEA                         not offered
 Obsoleted CBC ciphers (AES, ARIA etc.)            offered
 Strong encryption (AEAD ciphers) with no FS       offered (OK)
 Forward Secrecy strong encryption (AEAD ciphers)  offered (OK)


 Testing server's cipher preferences 

 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1.2
 Negotiated cipher            ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Cipher per protocol

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
 - 
SSLv3
 - 
TLSv1
 - 
TLSv1.1
 - 
TLSv1.2 (server order)
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384              
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 256   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256              
 xc027   ECDHE-RSA-AES128-SHA256           ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256              
 x9f     DHE-RSA-AES256-GCM-SHA384         DH 2048    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384                
 x6b     DHE-RSA-AES256-SHA256             DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA256                
 x9e     DHE-RSA-AES128-GCM-SHA256         DH 2048    AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256                
 x67     DHE-RSA-AES128-SHA256             DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA256                
 x9d     AES256-GCM-SHA384                 RSA        AESGCM      256      TLS_RSA_WITH_AES_256_GCM_SHA384                    
 x3d     AES256-SHA256                     RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA256                    
 x9c     AES128-GCM-SHA256                 RSA        AESGCM      128      TLS_RSA_WITH_AES_128_GCM_SHA256                    
 x3c     AES128-SHA256                     RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA256                    
TLSv1.3
 - 


 Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4 

 FS is offered (OK)           ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 
 Elliptic curves offered:     secp256k1 prime256v1 secp384r1 secp521r1 
 DH group offered:            RFC3526/Oakley Group 14 (2048 bits)

 Testing server defaults (Server Hello) 

 TLS extensions (standard)    "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "heartbeat/#15"
 Session Ticket RFC 5077 hint 7200 seconds, session tickets keys seems to be rotated < daily
 SSL Session ID support       yes
 Session Resumption           Tickets: yes, ID: yes
 TLS clock skew               Random values, no fingerprinting possible 
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 2048 bits (exponent is 65537)
 Server key usage             --
 Server extended key usage    --
 Serial / Fingerprints        5ACE7E3E / SHA1 965A4F17BC6CD35B4E198483144ED2C363EE273E
                              SHA256 1DBA935327C67752C592B122E17B63F1D5A0E5092E99B5BD5A6D4E8A16949B1B
 Common Name (CN)             NethServer 
 subjectAltName (SAN)         missing (NOT ok) -- Browsers are complaining
 Issuer                       NethServer (Example Org from --)
 Trust (hostname)             certificate does not match supplied URI
 Chain of trust               NOT ok (self signed)
 EV cert (experimental)       no 
 ETS/"eTLS", visibility info  not present
 Certificate Validity (UTC)   2881 >= 60 days (2018-04-11 23:29 --> 2028-04-08 23:29)
                              >= 10 years is way too long
 # of certificates provided   1
 Certificate Revocation List  --
 OCSP URI                     --
                              NOT ok -- neither CRL nor OCSP URI provided
 OCSP stapling                not offered
 OCSP must staple extension   --
 DNS CAA RR (experimental)    not offered
 Certificate Transparency     --


 Testing HTTP header response @ "/" 

 HTTP Status Code             403 Forbidden
 HTTP clock skew              0 sec from localtime
 Strict Transport Security    not offered
 Public Key Pinning           --
 Server banner                Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
 Application banner           --
 Cookie(s)                    (none issued at "/") -- maybe better try target URL of 30x
 Security headers             --
 Reverse Proxy banner         --


 Testing vulnerabilities 

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), timed out
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK)
 ROBOT                                     not vulnerable (OK)
 Secure Renegotiation (RFC 5746)           supported (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    no gzip/deflate/compress/br HTTP compression (OK)  - only supplied "/" tested
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK), no SSLv3 support
 TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible (OK), no protocol below TLS 1.2 offered
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                           https://censys.io/ipv4?q=1DBA935327C67752C592B122E17B63F1D5A0E5092E99B5BD5A6D4E8A16949B1B could help you to find out
 LOGJAM (CVE-2015-4000), experimental      common prime with 2048 bits detected: RFC3526/Oakley Group 14 (2048 bits),
                                           but no DH EXPORT ciphers
 BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
 LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


 Running client simulations (HTTP) via sockets 

 Android 4.4.2                TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Android 5.0.0                TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Android 6.0                  TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Android 7.0                  TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Android 8.1 (native)         TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Android 9.0 (native)         TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Android 10.0 (native)        TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Chrome 74 (Win 10)           TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Chrome 79 (Win 10)           TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Firefox 66 (Win 8.1/10)      TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Firefox 71 (Win 10)          TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 IE 6 XP                      No connection
 IE 8 Win 7                   No connection
 IE 8 XP                      No connection
 IE 11 Win 7                  TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256)
 IE 11 Win 8.1                TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256)
 IE 11 Win Phone 8.1          TLSv1.2 ECDHE-RSA-AES128-SHA256, 256 bit ECDH (P-256)
 IE 11 Win 10                 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Edge 15 Win 10               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Edge 17 (Win 10)             TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Opera 66 (Win 10)            TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Safari 9 iOS 9               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Safari 9 OS X 10.11          TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Safari 10 OS X 10.12         TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Safari 12.1 (iOS 12.2)       TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Safari 13.0 (macOS 10.14.6)  TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Apple ATS 9 iOS 9            TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Java 6u45                    No connection
 Java 7u25                    No connection
 Java 8u161                   TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Java 11.0.2 (OpenJDK)        TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Java 12.0.1 (OpenJDK)        TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 OpenSSL 1.0.2e               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 OpenSSL 1.1.0l (Debian)      TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 OpenSSL 1.1.1d (Debian)      TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Thunderbird (68.3)           TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)


 Rating (experimental) 

 Rating specs (not complete)  SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)
 Specification documentation  https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
 Protocol Support (weighted)  0 (0)
 Key Exchange     (weighted)  0 (0)
 Cipher Strength  (weighted)  0 (0)
 Final Score                  0
 Overall Grade                T
 Grade cap reasons            Grade capped to T. Issues with certificate (self signed)
                              Grade capped to M. Domain name mismatch
                              Grade capped to A. Uses known DH key exchange parameters
                              Grade capped to A. HSTS is not offered

 Done 2020-05-19 19:33:41 [  75s] -->> 127.0.0.1:443 (127.0.0.1) <<--
2 Likes
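A quick way to reproduce the protocol part of that report, and to re-check a host after switching policy, is an `openssl s_client` probe per version. The script below is an added example written for this thread, not NethServer’s or testssl.sh’s code: `probe_protocol` asks a live host for one TLS version at a time, while `report_protocol` and `policy_ok` read the “Testing protocols” lines of a testssl.sh run (the lines from the report above are embedded as sample input) and decide whether the host meets a TLS 1.2 only policy. The host and port given on the command line are placeholders.

```shell
#!/bin/sh
# Added example for this thread, not NethServer's or testssl.sh's code.
# 1. probe_protocol: ask a live host for one TLS version with openssl s_client
#    (the check testssl.sh reports under "Testing protocols").
# 2. report_protocol / policy_ok: read a testssl.sh report from stdin and
#    decide whether it satisfies a "TLS 1.2 only" policy: SSLv2, SSLv3,
#    TLS 1.0 and TLS 1.1 not offered, TLS 1.2 offered.

# Sample input: the protocol lines of the testssl.sh run posted above.
SAMPLE_REPORT=' SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 TLS 1.3    not offered and downgraded to a weaker protocol'

# report_protocol NAME < testssl-output
# NAME is the label testssl.sh prints: SSLv2, SSLv3, "TLS 1", "TLS 1.1",
# "TLS 1.2" or "TLS 1.3". Prints "offered" or "not offered"; prints nothing
# if the label is absent from the input.
report_protocol() {
  awk -v name="$1" '
    { sub(/^[ \t]+/, "") }                 # drop the leading indent
    index($0, name " ") == 1 {             # label followed by a space, so
      rest = substr($0, length(name) + 1)  # "TLS 1" does not match "TLS 1.1"
      sub(/^ +/, "", rest)
      if (rest ~ /^not offered/) print "not offered"; else print "offered"
      exit
    }'
}

# policy_ok < testssl-output  -> exit 0 when the report meets "TLS 1.2 only"
policy_ok() {
  report=$(cat)
  for legacy in SSLv2 SSLv3 "TLS 1" "TLS 1.1"; do
    [ "$(printf '%s\n' "$report" | report_protocol "$legacy")" = "not offered" ] || return 1
  done
  [ "$(printf '%s\n' "$report" | report_protocol "TLS 1.2")" = "offered" ]
}

# probe_protocol HOST PORT FLAG [STARTTLS]
# FLAG: -tls1, -tls1_1, -tls1_2 or -tls1_3 (the last needs OpenSSL 1.1.1+).
# STARTTLS: optional protocol for non-HTTPS services, e.g. xmpp, smtp, imap.
# Prints "offered" or "not offered". Needs network access and openssl.
probe_protocol() {
  host=$1 port=$2 flag=$3 starttls=${4:-}
  set -- -connect "$host:$port" -servername "$host" "$flag"
  [ -n "$starttls" ] && set -- "$@" -starttls "$starttls"
  # On a successful handshake s_client prints "New, TLSv1.2, Cipher is ...";
  # when the version is rejected it prints "New, (NONE), Cipher is (NONE)".
  out=$(openssl s_client "$@" </dev/null 2>&1)
  case "$out" in
    *"Cipher is (NONE)"*) echo "not offered" ;;
    *"Cipher is "*)       echo "offered" ;;
    *)                    echo "not offered" ;;  # refused, timed out, or flag unknown to this openssl
  esac
}

# Stand-alone run: evaluate the sample report, then probe HOST [PORT] if given.
if printf '%s\n' "$SAMPLE_REPORT" | policy_ok; then
  echo "sample report: TLS 1.2 only policy satisfied"
else
  echo "sample report: legacy protocol still offered"
fi
if [ $# -ge 1 ]; then
  for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    printf '%-8s %s\n' "$flag" "$(probe_protocol "$1" "${2:-443}" "$flag")"
  done
fi
```

Run testssl.sh with `--color 0` before piping its output into `policy_ok`, otherwise the ANSI colour codes break the matching. For the XMPP ports mentioned earlier, pass the STARTTLS protocol as the fourth argument, e.g. `probe_protocol host 5222 -tls1 xmpp`. The `-tls1_3` flag only exists in OpenSSL 1.1.1 and later; with the OpenSSL 1.0.2k shown in the banner above, the live probe reports TLS 1.3 as not offered whatever the server does, so run it from a newer client.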

That report is looking good. Specific to HSTS, I would not enable it by default–too much risk of losing access to your site if something goes wrong with your TLS configuration (like your cert doesn’t renew). But it’d be nice, if it isn’t already there, to have a property to enable it.

4 Likes

In fact, it will be an optional new TLS policy; the sysadmin must enable it on his own. I used a default certificate; I think the score will be better with a Let’s Encrypt certificate.

It would, and also better with accessing it by hostname. I do think HSTS should be available, but it shouldn’t be a default part of any TLS policy–that should be a separate configuration item.

2 Likes
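The lock-out risk is bounded by the header’s max-age: once a browser has seen it, it refuses plain HTTP, and any certificate error, for that host for that long. The function below is an added example, not NethServer’s code: it reads response headers from stdin (for instance `curl -sI https://host/`) and reports whether HSTS is offered, for how long and with which flags, so a first rollout can start with a short max-age and be raised only once certificate renewal has been seen to work. The response headers in the stand-alone run are constructed.

```shell
#!/bin/sh
# Added example, not NethServer's code: report the HSTS header found in HTTP
# response headers read from stdin, e.g.: curl -sI https://host/ | hsts_check

# hsts_check < response-headers
# Prints one line: "HSTS not offered" (exit 1), or
# "HSTS max-age=N (D days)[ includeSubDomains][ preload]" (exit 0);
# a max-age under a day is reported as a rollout value instead of days.
hsts_check() {
  value=$(tr -d '\r' | awk 'tolower($1) == "strict-transport-security:" {
                               sub(/^[^:]*:[ \t]*/, ""); print; exit }')
  [ -n "$value" ] || { echo "HSTS not offered"; return 1; }
  lower=$(printf '%s' "$value" | tr 'A-Z' 'a-z')
  max_age=$(printf '%s' "$lower" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  [ -n "$max_age" ] || { echo "HSTS malformed, no max-age: $value"; return 1; }
  if [ "$max_age" -lt 86400 ]; then
    line="HSTS max-age=$max_age (rollout value, under a day)"
  else
    line="HSTS max-age=$max_age ($((max_age / 86400)) days)"
  fi
  case "$lower" in *includesubdomains*) line="$line includeSubDomains" ;; esac
  case "$lower" in *preload*)           line="$line preload" ;; esac
  echo "$line"
}

# Stand-alone run on constructed headers: a 403 like the report above,
# answered with a short rollout max-age.
CONSTRUCTED_HEADERS='HTTP/1.1 403 Forbidden
Server: Apache
Strict-Transport-Security: max-age=300
'
printf '%s' "$CONSTRUCTED_HEADERS" | hsts_check
```

A max-age of a few minutes lets you back out if the certificate or vhost configuration turns out to be wrong; only raise it to months, and only add `includeSubDomains` or `preload`, after at least one renewal cycle has gone through cleanly, since the preload list cannot be left quickly.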

Woohoo!

About 6 months ago I requested the option of disabling TLS 1.0 and TLS 1.1 on the basis that the server security testing sites were weighting against servers supporting these standards - now it seems to be happening. And therefore these same testing sites will report NethServers as being A+ secure again!

3 Likes

How do I have NethServer activate and install these prerelease versions?

TLS 1.3 should be supported too.
It should also be possible to have a policy with only STRONG ciphers and key exchanges, i.e. those which are not flagged WEAK by https://www.ssllabs.com/ssltest

Would you like to test the upcoming packages and help the quality process?

You can install the testing packages with the following command (in a testing system):

yum --enablerepo=nethserver-testing update neth\* 

Then select the new policy 2020-05-10 in the TLS policy page, as usual.

You could then run your favorite TLS checking tools and post here the results!

I don’t believe that’s possible with the software versions from upstream.

1 Like

Apache 2.4.36+ is needed. Is it not possible to upgrade Apache to this version?

No, it isn’t. We use primarily software packages from upstream, and they keep the same versions throughout the release cycle (backporting any security fixes) for the sake of stability and compatibility.

1 Like

Released: you have a new TLS policy, 20200510, with TLS 1.2 only.

As ever, when we enforce TLS, older clients like XP won’t connect.

2 Likes