Hello Peter, Am Mittwoch 31 März 2010 16:45:47 schrieb Peter Bowen:
On Wed, 2010-03-31 at 14:08 +0200, Thomas Biege wrote:
Am Mittwoch 31 März 2010 13:21:56 schrieb Peter Bowen:
On Wed, 2010-03-31 at 10:51 +0200, Thomas Biege wrote:
during the secure development workshop last week in Prague the question came up how to configure ephemeral keying using apache2/mod_ssl.
Thomas,
Unfortunately I was not in Prague, so I don't have the background on this. Can you please explain a little about what ephemeral keying is and why one wants it?
Thanks, Peter
It influences the ssl handshake and creates something that is called 'perfect forward secrecy' (PFS). The perfect forward secrecy means that an adversary can capture the encrypted traffic and when she gains access to your private key is not able do decrypt the already sent data as well as data from future transmissions. (But she can of course spoof the identity of the SSL- enabled server with the key.)
So we have the following right now for Studio:
SSLCipherSuite ALL:!ADH:!EXP:!LOW:!MEDIUM:+HIGH:+SSLv2
After a little poking, it looks like:
SSLCipherSuite kEDH:@STRENGTH:ALL:!ADH:!EXP:!LOW:!MEDIUM:!MD5:!3DES: +SSLv2
is what we want. It will put the DH key exchange algorithms first (OpenSSL docs note "non-ephemeral DH modes are currently unimplemented", so this mean ephemeral keying), sorted by strength, then all the other ciphers. We exclude export-grade (40 bit), low, and medium ciphers as well as those using MD5 hashing and those using 3DES bulk cipher.
Admittedly this effectively disables SSLv2 (as most v2 implementations only offer MD5), but anything that only supports SSLv2 is likely full of security holes at this point.
From a security perspective this looks good!
What was the reason behind disabling 3DES?
BTW, you are right having SSLv2 in the CipherSuite doesn't make
sense if we disallow MD5, LOW, MEDIUM and 3DES.
Additionally SSLv2 is insecure and obsolete since more than 11 years
now.
Bye
Thomas
--
Thomas Biege