ioerror/duraconf ioerror/duraconf

  • Stars
    star
    979
  • Rank 46,781 (Top 1.0 %)
  • Language Batchfile
  • Created almost 14 years ago
  • Updated over 2 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
ioerror/duraconf
github

ioerror

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

duraconf - A collection of hardened configuration files for SSL/TLS services 
duraconf - A collection of hardened configuration files for SSL/TLS services

Hopefully this will help you make a more informed choice about what cipher list
should be used for different applications. What you find here are recommended
configurations, you should seriously consider using these, but you have to make
some choices. When you pick a cipher list, you have a couple different options
of how you go about it:

1. make a very specific declaration of what is acceptable. This has the
   advantage of being able to define very closely of what you want, but the
   disadvantage of having to stay on top of the latest crypto advancements, with
   every crypto library upgrade.

2. make a general declaration of which cipher list to use. this has the
   advantage of allowing you to rely on your crypto libraries to make
   (hopefully) informed choices for you (and to deactivate known
   bad/weak/recently broken) ciphers while you don't have the burden of ensuring
   that they are always resulting in a good cipher suite. The disadvantage is
   that you cannot fine tune what exactly you get in return.

3. A mixture of being specific and letting your crypto library decide from
   general statements. This can be useful if, for example, you find out that
   some particular crypto has become too weak, for example you might use a
   generic list but then exclude MD5, because your crypto libraries haven't
   removed that yet.

4. Decide on a threat model for possible attacks that may expose an important
   private key. Ciphers are often offered in a mode that provides Perfect
   Forward Secrecy. While there are performance considerations, if you run a
   high security operation where traffic disclosure would be a serious problem,
   it is an important property to consider.

Generally it seems safer to have the crypto library take the bulk of the
decision since it should be for the most part fire-and-forget, while the other
options require that you always stay up to date on things and tweak as needed.

For practical use, and for people who can afford to follow crypto news, a
mixture of both is surely a good idea. So start with the general cipher list and
when you become aware that something is bad then just add this specific part to
your otherwise general cipher list until the crypto library defaults get updated
to fix that.

Unfortunately, its not possible to come up with one cipher configuration that is
going to work for all configurations. There are many different programs that
implement different versions of libraries that have different ciphers
available. In fact, a different versions of the same program may be linked
against different libraries which have different ciphers available.

An important configuration issue for service operators and users is
understanding Perfect Forward Secrecy. Generally, PFS sessions are
computationally more expensive than connections without PFS properties.

It is extremely important to remember that using SSL and/or TLS does not ensure
that your traffic is encrypted for all time. Generally, SSL/TLS services offer
two general modes of operation - one mode is ephemerally keyed and the other is not.

A TLS server that only offers AES256-SHA is strong against an attacker who will
never recover the secret key used by the server and cannot break AES256.
However, if an attacker is able to recover the server's key, the attacker will be able
to retroactively decrypt all traffic that has been recorded where the AES256-SHA
cipher was used. If that same server uses an ephemeral cipher such as
DHE-RSA-AES256-SHA, the attacker cannot recover previous encrypted sesssions
without breaking RSA and/or AES256 for *each* session.

In both cases, when the attacker has the private key, all future communications
with the server are unsafe. Clients generally deal with this by looking up a
revokation list or by using something like the OCSP. Realistically, they're in
a lot of trouble and that kind of trouble is out of scope. If you're in doubt
it's probably a reasonable thing to use DHE or EDH modes unless you have load
issues.

The cipher lists you will find here actually vary depending on which version of
the crypto library that you have. For example, if you were to find this list
recommended:

HIGH:MEDIUM:!aNULL:!SSLv3:!SSLv2:!MD5:@STRENGTH

In openssl version 1.0.1e this will mean the following list of ciphers:

$ openssl ciphers -v 'HIGH:MEDIUM:!aNULL:!SSLv3:!SSLv2:!MD5:@STRENGTH'

ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256


It is also worth noting that this is setting a policy, and your site may have
different policies, depending on your intended audience. There are many
questions to consider in determining a policy. For example, in the worst case,
when a client doesn't support the higher strength ciphers my server supports, do
I want to keep up the image that medium strength ciphers are secure enough in my
specific use case, environment and opponents? Or should I not allow anything but
the highest strength ciphers, and those clients that do not support them are
just denied?  Its likely that in many cases there is no possibility of making it
clear to the user that their setup does not allow for secure use of your
services, and what their options are.  I _think_, at least with apache, it
should be possible to redirect users whose setup doesn't provide a compatible
cipher suite, to an informational web page which explains further steps they can
and should take (i have no idea how)..

Unfortunately, in most cases, users will not get any message at all and they
will have no clue why they are shut out. This could result in unhappy users with
no idea of where to turn, and potentially a higher support burden.

Notes on format of cipher designations
--------------------------------------

Format of cipher designations differ, but in general they follow the format
described in ciphers(5). A few notes:

The order specified is the preference order, and the list is separated by
colons. The list can be specific ciphers (eg. RC4-SHA), a list of suites
containing a certain algorith (SHA1), or a cipher suite of a certain type
(TLSv1). There are also cipher strings which are a grouping of different ciphers
into a specific category (eg. HIGH).

When removing ciphers that you do not want, you have a choice between indicating
! or -, the difference is subtle but important. It's good practice to use ! if
you really do not want this class to ever get used, and to use - when you want
to allow them to be still used if you later added something to your existing
cipher list.

Finally, there is also the @STRENGTH parameter, which sorts the cipher list in
order of encryption algorithm key length.

Suggested reading
-----------------

https://www.eff.org/pages/how-deploy-https-correctly

More Repositories

1

tlsdate

secure parasitic rdate replacement
C
361
star
2

blockfinder

Blockfinder enumerates network information for countries
Python
127
star
3

torbirdy

Torbutton for Thunderbird and related *bird forks
JavaScript
84
star
4

freenote

Helpful utilities and documentation for Free Software live audio/video streaming
Shell
76
star
5

sslscan

sslscan tests SSL/TLS enabled services to discover supported cipher suites
C
65
star
6

crlwatch

Collect, watch, and analyze SSL/TLS CRL data
Shell
56
star
7

mpOTR

mpOTR: Multi-party Off-the-Record Messaging
28
star
8

libmsr

Reading, writing and analysis of magnetic stripe information
C
23
star
9

udev_antiforensics

udev rules and helpful programs to defend your system
Perl
22
star
10

torsocks

Wrapper to safely torify applications
C
20
star
11

TeaTime

TeaTime: TLS Estimates Accurate Timing Information More Entropically
Python
15
star
12

smartmonster

S.M.A.R.T. Monster Only Notices Surreptitious Tampering Events Retroactively
11
star
13

tor-chroot

Scripts to assist in chrooting Tor on various platforms
Shell
10
star
14

pinecube

Useful ways to use the PineCube https://wiki.pine64.org/index.php?title=PineCube
Shell
10
star
15

openssh_toolkit

A small collection of patches and programs for interacting with OpenSSH
8
star
16

tails-verifier

A dataset and tools for verification of Tails
Standard ML
7
star
17

pam_power

pluggable authentication module powering off when effortlessly requested
7
star
18

AppArmorPolicies

Various AppArmor Policies
7
star
19

hs-wiki

Information on how to run a Kwiki wiki as a Tor Hidden Service
CSS
6
star
20

csidh-reference-implementation

C
5
star
21

martus-linux-setup

Run Martus on Gnu/Linux (Ubuntu and other Debian flavors)
Shell
4
star
22

autoconf-hacks

Various autoconf hacks
4
star
23

libanon

A library to anonymize network communications
4
star
24

tro

Temporary Restraining OrShim
Java
3
star
25

chameleon

chameleon helps ammend modify edit list enumerate ordered names
Python
3
star
26

libtorlaunch

A library to find or launch Tor
2
star
27

makedepend

makedepend
2
star
28

otr-website

An unofficial OTR website mirror
JavaScript
1
star
29

vula

automatic local network encryption
Python
1
star