Opened 12 months ago

Last modified 7 months ago

#32351 needs_revision task

review our ssl ciphers suite

Reported by: anarcat Owned by: tpa
Priority: Medium Milestone:
Component: Internal Services/Tor Sysadmin Team Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

We currently use magic incantation from the Mozilla SSL observatory in our Apache (and now nginx, see #32239) installations. We should review it and see if it's still relevant. It seems we're using the suites as per the Mozilla observatory, but since we're upgrading to buster, it might be worth upgrading our suite a little.

The documentation in the file mentions those URLs:

https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.25&openssl=1.0.2l&hsts=yes&profile=intermediate
https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.25&openssl=1.1.0&hsts=no&profile=intermediate

But that's *two* lists... maybe what we have is the merged one?

In any case, this probably needs a kick. The list was created in 2014 and last touched in 2018, according to the comments in the apache config.

Unless we have per openssl-version configs, this will have to wait until #29399 is done at least.

Child Tickets

Change History (5)

comment:1 Changed 11 months ago by anarcat

comment:2 Changed 8 months ago by weasel

not just the cipher suites, but also the protocols.

[copying from #33591]:
I think we should disable these old protocols.

This would additionally break, if I read https://www.ssllabs.com/ssltest/ right (I am comparing old www.debian.org with post-change www.debian.org):

# Not simulated clients (Protocol mismatch)
Android 2.3.7 No SNI 2 Protocol mismatch (not simulated)
Android 4.0.4 Protocol mismatch (not simulated)
Android 4.1.1 Protocol mismatch (not simulated)
Android 4.2.2 Protocol mismatch (not simulated)
Android 4.3 Protocol mismatch (not simulated)
Baidu Jan 2015 Protocol mismatch (not simulated)
IE 7 / Vista Protocol mismatch (not simulated)
IE 8-10 / Win 7 R Protocol mismatch (not simulated)
IE 10 / Win Phone 8.0 Protocol mismatch (not simulated)
Java 7u25 Protocol mismatch (not simulated)
OpenSSL 0.9.8y Protocol mismatch (not simulated)
Safari 5.1.9 / OS X 10.6.8 Protocol mismatch (not simulated)
Safari 6.0.4 / OS X 10.8.4 R Protocol mismatch (not simulated)

Safari 6 / iOS 6.0.1 Server sent fatal alert: handshake_failure
Safari 7 / iOS 7.1 R Server sent fatal alert: handshake_failure
Safari 7 / OS X 10.9 R Server sent fatal alert: handshake_failure
Safari 8 / iOS 8.4 R Server sent fatal alert: handshake_failure
Safari 8 / OS X 10.10 R Server sent fatal alert: handshake_failure
IE 11 / Win Phone 8.1 R Server sent fatal alert: handshake_failure

the following already don't work:
IE 8 / XP No FS 1 No SNI 2 Server sent fatal alert: handshake_failure
Java 6u45 No SNI 2 Client does not support DH parameters > 1024 bits
IE 6 / XP No FS 1 No SNI 2 Protocol mismatch (not simulated)

this is the debian.org diff, tor's would be very similar:

--- a/modules/apache2/templates/puppet-config.erb
+++ b/modules/apache2/templates/puppet-config.erb
@@ -1,13 +1,11 @@
 <IfModule mod_ssl.c>
-  SSLProtocol all -SSLv2 -SSLv3
-  SSLHonorCipherOrder On
-
-  # this is a list that seems suitable as of 2014-10, when running wheezy.  It
-  # probably requires re-visiting regularly.
-  # 2018-07-17
-  #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.25&openssl=1.0.2l&hsts=yes&profile=intermediate
-  #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.25&openssl=1.1.0&hsts=no&profile=intermediate
-  SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+  # this is a list that seems suitable as of 2020-03, when running buster
+  # (Debian 10).  It probably requires re-visiting regularly.
+  # 2020-03-11
+  #  https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.4
+  SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
+  SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+  SSLHonorCipherOrder     off
 
   SSLUseStapling On

comment:3 Changed 8 months ago by anarcat

i believe weasel made this change in our global apache config and fixed the puppetmaster so it also respects that setting.

the number of remaining TLS setups requiring a review is currently undocumented, but it also includes, at least:

  • ipsec?
  • haproxy (configured in modules/roles/templates/onionoo/haproxy.cfg.erb but maybe other places)
  • nginx (modules/profile/manifests/nginx.pp, modules/profile/files/gitlab/gitlab.torproject.org.conf)
  • postfix (currently the default on eugeni, watch out for the results of #33413 here before making any changes)

filtered output of puppet grep:

modules/profile/files/gitlab/gitlab.torproject.org.conf:  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
modules/profile/manifests/nginx.pp:    ssl_ciphers           => 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS', # lint:ignore:140chars
modules/roles/templates/onionoo/haproxy.cfg.erb:        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

postfix does not have an explicitely configured cipherlist, so it uses:

smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH

which means, on Debian stretch:

ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-CAMELLIA256-SHA256:AECDH-AES256-SHA:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-CCM:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:DHE-RSA-CAMELLIA256-SHA256:DHE-DSS-CAMELLIA256-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:DHE-PSK-AES256-CCM8:DHE-PSK-AES256-CCM:AES256-GCM-SHA384:AES256-CCM8:AES256-CCM:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:PSK-AES256-CCM8:PSK-AES256-CCM:AES256-SHA256:CAMELLIA256-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:ECDHE-PSK-CAMELLIA256-SHA384:RSA-PSK-CAMELLIA256-SHA384:DHE-PSK-CAMELLIA256-SHA384:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:PSK-CAMELLIA256-SHA384:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-CAMELLIA128-SHA256:AECDH-AES128-SHA:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-CCM:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-CAMELLIA128-SHA256:DHE-RSA-CAMELLIA128-SHA256:DHE-DSS-CAMELLIA128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-CCM8:DHE-PSK-AES128-CCM:AES128-GCM-SHA256:AES128-CCM8:AES128-CCM:PSK-AES128-GCM-SHA256:PSK-AES128-CCM8:PSK-AES128-CCM:AES128-SHA256:CAMELLIA128-SHA256:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:ECDHE-PSK-CAMELLIA128-SHA256:RSA-PSK-CAMELLIA128-SHA256:DHE-PSK-CAMELLIA128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA:PSK-CAMELLIA128-SHA256:ADH-SEED-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:SEED-SHA

wheee...

comment:4 Changed 7 months ago by anarcat

Status: newneeds_revision

this needs more work. i reverted the commit (with 6cc23ac7ee461cd14cad96da2344f3c797fa9df5) because it was causing problems with GnuPG in WKD mode on windows 10, in #33751. that seems to be something we need to test now, and definitely shows the spec has some trouble with some platforms.

comment:5 Changed 7 months ago by anarcat

this should be documented in https://help.torproject.org/tsa/howto/tls/ when done. a link to this ticket was added there, at least.

Note: See TracTickets for help on using tickets.